
RE: [FW1] can we change SAM to use drop instead of reject?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> -----Original Message-----
> From: Ken Lui [mailto:[email protected]]
> Sent: Thursday, November 09, 2000 12:06 PM
> 
> When using SAM, the target address is blocked but the firewall sends a
> reset instead of dropping the packet. Is there a way to change SAM?
>
> In case of IDS, you want to slow down an intruder's scan. A drop is much
> better than a reject (or reset).


You are referring to the Reject that FW-1 sends to IP addresses that
have been blocked with SAM. The answer is yes, it can be changed.

By default, SAM just Rejects all packets, which results in an
annoying TCP-Reset packet going back to the blocked IP address. To
change this behavior and have FW-1 just Drop the packets (without
sending the TCP-RST), just follow these simple steps.

In the FW directory you will find a directory called LIB. In LIB you
will see various files, among them the file CODE.DEF. Open CODE.DEF
and scroll down to the section regarding the SAM. You'll see a note
mentioning that SAM code starts, you'll see variable definitions and
you'll see the definition for SAM_LOG. Keep going :) and you'll see a
definition for SAM_NOTIFY. Right behind the code for that definition
you'll see the word REJECT followed by a bracket which encloses some
code.

Just change that REJECT to a DROP and save the file. (Keep a backup
of the unaltered file). Then compile and install your policy again
and you will now notice that the ALERT log entry, on packets that are
filtered by SAM, has changed from Reject to Drop. You can verify that
behavior by monitoring traffic with tcpdump. Indeed, the pesky
TCP-RST is no longer sent.

Hope this helps.
Regards,
Frank


-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1
Comment: PGP or S/MIME encrypted email preferred.

iQA/AwUBOhShhURKym0LjhFcEQJdpwCfcFeVtE6+j9CXJJdI88rxTGcGUXYAoN1p
t6KNBbIOZ2WQ6rT4yBZPqO+t
=EmQ0
-----END PGP SIGNATURE-----
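
The tcpdump verification described in the reply above, as an added example that is not part of the original message or of FW-1: it reads `tcpdump -n` text output and reports whether connection attempts from a SAM-blocked address were answered with a TCP-RST (Reject) or left unanswered (Drop). The modern `Flags [...]` output format, the function name and the documentation-range addresses in the sample captures are assumptions.

```python
import re

# Assumption: lines come from `tcpdump -n` in the modern "Flags [...]" text format.
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def classify_sam_behavior(lines, blocked_ip):
    """Return 'reject', 'drop' or 'no-traffic' for a SAM-blocked source address."""
    attempts = set()  # flows on which blocked_ip sent an initial SYN
    resets = set()    # flows on which an RST went back to blocked_ip
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        flags = m["flags"]
        if m["src"] == blocked_ip and flags == "S":
            attempts.add((m["sport"], m["dst"], m["dport"]))
        elif m["dst"] == blocked_ip and "R" in flags:
            # Store the flow from the blocked host's point of view.
            resets.add((m["dport"], m["src"], m["sport"]))
    if not attempts:
        return "no-traffic"
    return "reject" if attempts & resets else "drop"

# Constructed sample captures (not real traffic).
REJECT_CAPTURE = """\
12:00:01.000000 IP 203.0.113.7.40001 > 192.0.2.10.80: Flags [S], seq 100, win 1024, length 0
12:00:01.000200 IP 192.0.2.10.80 > 203.0.113.7.40001: Flags [R.], seq 0, ack 101, win 0, length 0
""".splitlines()

# With Drop, the blocked host only sees its own SYN retransmissions time out.
DROP_CAPTURE = """\
12:05:01.000000 IP 203.0.113.7.40002 > 192.0.2.10.80: Flags [S], seq 200, win 1024, length 0
12:05:02.000000 IP 203.0.113.7.40002 > 192.0.2.10.80: Flags [S], seq 200, win 1024, length 0
12:05:04.000000 IP 203.0.113.7.40002 > 192.0.2.10.80: Flags [S], seq 200, win 1024, length 0
""".splitlines()

if __name__ == "__main__":
    print("before edit:", classify_sam_behavior(REJECT_CAPTURE, "203.0.113.7"))
    print("after edit: ", classify_sam_behavior(DROP_CAPTURE, "203.0.113.7"))
```

Take the capture on the interface facing the blocked address, so that any RST leaving the firewall toward it is visible.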

