RE: [FW1] Unknown Established TCP Packet
From the 'release notes' for SP2:

Feature Enhancements

Managing TCP SYN Packets

With this service pack, only TCP SYN (TCP connection initiation) packets are allowed to be matched to the rule base. Non-SYN connections that do not belong to any known connection are dropped. This change eliminates some cases where packets failed to undergo correct network address translation.

This change causes the following side effects:

- It blocks the traffic on any connections which have been inactive for a longer period than the TCP timeout. The change only affects the TCP traffic.
- All TCP connections established before starting the FireWall will be blocked.
- All TCP connections established before installing the first Security Policy after the upgrade from 4.1 FCS to 4.1 SP2 will be blocked.

TCP connections blocked as a result of this change will be logged as unknown established TCP packets. To disable logging of this event, do the following:

1. On the Management Module, open the file $FWDIR/lib/fwui_head.def.
2. Uncomment the line #define NON_SYN_RULEBASE_MATCH_LOG

The above side effects do not affect TCP connections between the VPN/FireWall Module and the VPN-1/FireWall-1 Management Station.

To disable the change, do the following:

1. On the Management Module, open the file $FWDIR/lib/fwui_head.def
2. Uncomment the line: /*#define ALLOW_NON_SYN_RULEBASE_MATCH */
3. Install the policy.

Most of the changes in SP2 were made as a result of a test somebody ran against FW-1 to break it - they succeeded (if somebody has this link please re-post it - I lost it).

Regards
Paul
--------------------------------------------------------------------------------------------
C. Paul Simons
Corporate Network Services
IHS Energy Group, Englewood, CO.
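The release-note text above describes a state-table rule: a TCP packet either starts a connection (SYN, matched against the rule base) or belongs to a connection the firewall already knows; anything else is dropped and logged as an "unknown established TCP packet", unless the ALLOW_NON_SYN_RULEBASE_MATCH behaviour is re-enabled. The following toy model is an added example written for this page, not Check Point code and not from any poster: it reproduces that decision and the three side effects listed (idle connections past the TCP timeout, connections that predate the firewall, and the effect of the two fwui_head.def switches). The timeout value, rule format, addresses and packets are all constructed for the demo.

```python
"""Toy model of SP2-style stateful TCP inspection (added example, not
Check Point code). Names, rules, addresses and the timeout value are
constructed for illustration only."""

from dataclasses import dataclass, field
from typing import Optional

# Assumed idle timeout in seconds; not taken from the product's defaults.
TCP_TIMEOUT = 3600


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool   # True for a connection-initiation (SYN) packet
    ts: int     # arrival time in seconds


@dataclass
class Rule:
    src: str               # "any" or an address
    dst: str               # "any" or an address
    dport: Optional[int]   # None means any port
    action: str            # "accept" or "drop"

    def matches(self, p: Packet) -> bool:
        return (self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport))


@dataclass
class Firewall:
    rules: list
    # Models the /*#define ALLOW_NON_SYN_RULEBASE_MATCH */ switch.
    allow_non_syn_rulebase_match: bool = False
    # Models the #define NON_SYN_RULEBASE_MATCH_LOG switch (logging on).
    non_syn_rulebase_match_log: bool = True
    conns: dict = field(default_factory=dict)   # 4-tuple -> last seen ts
    log: list = field(default_factory=list)

    def _rulebase(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "drop"   # implicit cleanup rule

    def inspect(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        last = self.conns.get(key)
        if last is not None and p.ts - last <= TCP_TIMEOUT:
            self.conns[key] = p.ts   # known connection: refresh idle timer
            return "accept"
        if last is not None:
            del self.conns[key]      # idle longer than TCP_TIMEOUT: forget it
        if p.syn or self.allow_non_syn_rulebase_match:
            action = self._rulebase(p)
            if action == "accept":
                self.conns[key] = p.ts
            return action
        # Non-SYN packet with no known connection: SP2 drops it.
        if self.non_syn_rulebase_match_log:
            self.log.append("unknown established TCP packet "
                            f"{p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return "drop"


def demo(allow_non_syn: bool):
    """Run four constructed packets through the model and return
    (verdicts, log). With allow_non_syn=False the idle and pre-existing
    connections are dropped and logged; with True they are accepted
    because the rule base permits the flow."""
    fw = Firewall(rules=[Rule("any", "10.0.0.5", 80, "accept")],
                  allow_non_syn_rulebase_match=allow_non_syn)
    syn = Packet("192.0.2.10", 40000, "10.0.0.5", 80, True, 0)
    ack = Packet("192.0.2.10", 40000, "10.0.0.5", 80, False, 10)
    late = Packet("192.0.2.10", 40000, "10.0.0.5", 80, False,
                  10 + TCP_TIMEOUT + 1)          # idle past the timeout
    pre = Packet("192.0.2.11", 40001, "10.0.0.5", 80, False, 5)  # established before FW start
    verdicts = [fw.inspect(syn), fw.inspect(ack), fw.inspect(late), fw.inspect(pre)]
    return verdicts, fw.log


if __name__ == "__main__":
    for flag in (False, True):
        v, entries = demo(flag)
        print(f"ALLOW_NON_SYN_RULEBASE_MATCH={flag}: {v}")
        for line in entries:
            print("  log:", line)
```

The practical reading for an administrator is the one the thread converges on: after SP2, "unknown established TCP packet" entries for long-idle or pre-existing connections are expected rather than a sign of attack, and re-enabling non-SYN rule-base matching restores the older behaviour only for flows the rule base would have accepted anyway.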
Elmar van Mourik <[email protected]>
Sent by: [email protected]
28-11-00 14:43

To: "'[email protected]'" <[email protected]>, "'[email protected]'" <[email protected]>
cc:
Subject: RE: [FW1] Unknown Established TCP Packet

I had the same problem. Add the next line to your $FWDIR/lib/fwui_head.def file:

#define ALLOW_NON_SYN_RULEBASE_MATCH

(or delete the /* and */ at the beginning and end of the line). This assumes you're using version 4.1 SP2. See also Phoneboy for more details.

Elmar van Mourik

> -----Original message-----
> From: [email protected] [SMTP:[email protected]]
> Sent: Tuesday, November 28, 2000 8:40 PM
> To: [email protected]
> Subject: [FW1] Unknown Established TCP Packet
>
>
> Anyone know what this is or how to fix it?
>
> Jamie
>
>
> The information transmitted by the following E-Mail is intended only for
> the addressee and may contain confidential and/or privileged material. Any
> interception, review, retransmission, dissemination, or other use, or
> taking any action upon this information by persons or entities other than
> the intended recipient is prohibited by law and may subject them to
> criminal or civil liability. If you received this communication in error,
> please contact us immediately at ext. 3600 and delete the
> communication from any computer or network system.
>
> ==========================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ==========================================================================

------------------------------

This e-mail message is intended exclusively for the addressee. If the e-mail was sent to you by mistake, would you please contact us at [email protected]? In that case, we also request you to destroy the e-mail and to neither use the contents nor disclose them in any manner to third parties, because the message can contain confidential information. This message cannot lead to any contractual or legal obligation. ZHEW only orders products and sends official decisions on its official (hard copy) documents that are signed by authorised personnel only.
Zuiveringsschap Hollandse Eilanden en Waarden, Dordrecht
tel: +31 (0)78 6397100
fax: +31 (0)78 6311871
web: http://www.zhew.nl