RE: [FW1] can we change SAM to use drop instead of reject?
> -----Original Message-----
> From: Ken Lui [mailto:[email protected]]
> Sent: Thursday, November 09, 2000 12:06 PM
>
> When using SAM, the target address is blocked but the firewall sends a
> reset instead of dropping the packet. Is there a way to change SAM?
>
> In case of IDS, you want to slow down an intruder's scan. A drop is much
> better than a reject (or reset).

You are referring to the Reject that FW-1 sends to IP addresses that have been blocked with SAM. The answer is yes, it can be changed.

By default, SAM just Rejects all packets, which results in an annoying TCP-Reset packet going back to the blocked IP address. To change this behavior and have FW-1 just Drop the packets (without sending the TCP-RST), just follow these simple steps.

In the FW directory you will find a directory called LIB. In LIB you will see various files, among them the file CODE.DEF.

Open CODE.DEF and scroll down to the section regarding the SAM. You'll see a note mentioning that the SAM code starts, you'll see variable definitions and you'll see the definition for SAM_LOG. Keep going :) and you'll see a definition for SAM_NOTIFY. Right behind the code for that definition you'll see the word REJECT followed by a bracket which encloses some code. Just change that REJECT to a DROP and save the file. (Keep a backup of the unaltered file.)

Then compile and install your policy again and you will now notice that the ALERT log entry, on packets that are filtered by SAM, has changed from Reject to Drop.

You can verify that behavior by monitoring traffic with tcpdump. Indeed, the pesky TCP-RST is no longer sent.

Hope this helps.

Regards,
Frank
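One way to do the tcpdump check mentioned in the reply above, as an added example that is not part of the original message or of Check Point's code: it reads `tcpdump -n` text output and counts which SYNs from the blocked address were answered with a RST. The line format (tcpdump 4.x style), the addresses and both sample captures are constructed assumptions.

```python
import re

# tcpdump -n text line for IPv4 TCP (tcpdump 4.x layout; an assumption).
LINE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def classify_probes(capture_text, blocked_ip):
    """Count SYNs from blocked_ip that drew a RST ('reset') or nothing ('silent')."""
    probes = {}  # (client port, server ip, server port) -> True once a RST came back
    for line in capture_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        flags = m["flags"]
        if m["src"] == blocked_ip and "S" in flags and "." not in flags:
            # Bare SYN; retransmissions reuse the same key and count once.
            probes.setdefault((m["sport"], m["dst"], m["dport"]), False)
        elif m["dst"] == blocked_ip and "R" in flags:
            # RST toward the blocked host: match it to the reversed 4-tuple.
            key = (m["dport"], m["src"], m["sport"])
            if key in probes:
                probes[key] = True
    reset = sum(probes.values())
    return {"reset": reset, "silent": len(probes) - reset}

# Constructed capture: SAM action still REJECT, every SYN is answered with a RST.
BEFORE_REJECT = """\
12:00:01.000001 IP 203.0.113.5.40001 > 192.0.2.10.80: Flags [S], seq 100, win 1024, length 0
12:00:01.000090 IP 192.0.2.10.80 > 203.0.113.5.40001: Flags [R.], seq 0, ack 101, win 0, length 0
12:00:01.100001 IP 203.0.113.5.40002 > 192.0.2.10.443: Flags [S], seq 200, win 1024, length 0
12:00:01.100085 IP 192.0.2.10.443 > 203.0.113.5.40002: Flags [R.], seq 0, ack 201, win 0, length 0
"""

# Constructed capture: action changed to DROP, SYNs are retried and never answered.
AFTER_DROP = """\
12:05:01.000001 IP 203.0.113.5.40003 > 192.0.2.10.80: Flags [S], seq 300, win 1024, length 0
12:05:02.000004 IP 203.0.113.5.40003 > 192.0.2.10.80: Flags [S], seq 300, win 1024, length 0
12:05:02.100001 IP 203.0.113.5.40004 > 192.0.2.10.443: Flags [S], seq 400, win 1024, length 0
"""

if __name__ == "__main__":
    print("reject:", classify_probes(BEFORE_REJECT, "203.0.113.5"))
    print("drop:  ", classify_probes(AFTER_DROP, "203.0.113.5"))
```

A non-zero `reset` count after the policy has been reinstalled means the blocked address is still receiving TCP-RSTs.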