Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW1] drop on rule 0

To: <[email protected]>
Subject: Re: [FW1] drop on rule 0
From: [email protected] (Ralf Guenthner)
Date: Wed, 22 Nov 2000 00:50:29 +0100
Organization: Zentric GmbH i. G.
References: <[email protected]>
Reply-to: "Ralf Guenthner" <[email protected]>
Sender: [email protected]

Hi Brian

I suggest the always instructive website www.phoneboy.com/fw-1

I searched the FAQs there for "Rule 0" and here you are:

What is Rule 0?
Q:
What is rule 0 and where can it be found? I looked under the
/etc/fw/database and /etc/fw/lib directories. Nothing jumps out at me.
A:
Rule 0 is typically stuff not explicitly listed in the rulebase. This
includes:
Anti-Spoofing: This is set on the interface tab of your firewall object. If
spoof track is set to "log" or "alert", a rule 0 entry will show in your
log. A "drop" on Rule 0 typically means that incoming packet violated your
anti-spoofing policy for that interface. A "reject" on Rule 0 typically
means that an outgoing packet (one that has been accepted by your security
policy and routed by the OS) is violating your anti-spoof rules because the
packet is being routed out the wrong interface.

Authentication Failures: This is set in the Authentication tab of the
rulebase properties. If this is set to "log" or "alert", any failed
authentication attempts will show as a rule 0 log.

SYNDefender warnings may get logged as rule 0. The "Display Warning
Messages" checkbox in the SYNDefender tab of the rulebase properties is
where this can be disabled.

SecuRemote authentications (the successful ones) can also appear as a rule 0
accept. This is controlled by the "Enable Decryption on Accept" checkbox in
the Security Policy tab of the Rulebase Properties.

Anything dropped by FireWall-1's IP Options checking will log as rule 0. The
logging is controlled by the "IP Options Drop Track" section of the Log and
Alert tab of the Rulebase Properties.

*snip*
Hope that helps
Cheers
Ralf G.


----------------------------------------------------------------------------
----

-----Ursprüngliche Nachricht-----
Von: <[email protected]>
An: <[email protected]>
Gesendet: Dienstag, 21. November 2000 23:45
Betreff: [FW1] drop on rule 0


>
> Does anyone know why my log view shows me that attempts to access servers
> via certain tcp ports are being dropped via rule 0?
>
> The other entries reference actual rules in the rulebase, but there is no
> rule 0?
>
> Thanks,
> Brian
>
>
>
============================================================================
====
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
>
============================================================================
====



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

References:
- [FW1] drop on rule 0
  - From: Brian Noecker <[email protected]>

Prev by Date: [FW1] reporting module licensing
Next by Date: RE: [FW1] drop on rule 0
Previous by thread: Re: [FW1] drop on rule 0
Next by thread: RE: [FW1] drop on rule 0
Index(es):
- Date
- Thread