[FW1] FW-1 initiate connection rule
Just thought of a cool rule hack for CheckPoint FW-1 firewalls. Many of you may have thought of this before, but I haven't seen it discussed.

1. PROBLEM
-----------

Many FW-1 installations only inspect inbound packets as opposed to eitherbound. This is done on purpose. For large, complex rulebases, eitherbound rule sets can be difficult to troubleshoot. Many organizations choose to inspect packets only inbound as it is far easier to maintain and troubleshoot.

This exposes FW-1 installations to risk. Attacks can be used against the firewall that are based on the firewall initiating connections (which would not be inspected). Examples include packets whose TTL expires at the firewall, causing the firewall to initiate an ICMP TTL error message which can be used to map firewall rulebases.

2. SOLUTION
------------

For FW-1 installations that only inspect inbound packets, you can address this issue by simply adding one rule, as follows:

  SRC       DST   SERVICE   ACTION   TRACK   INSTALL ON
  Firewall  Any   Any       Drop     Long    Firewall

This rule will drop any connection initiated by the firewall, EVEN if your firewall is only inspecting inbound packets, and protect your firewall from being used in various attacks. The trick is that the "INSTALL ON" column is set to the Firewall, and not Any. This causes that single rule to inspect Eitherbound, while all the rest of the rules still inspect inbound.

Be advised, this also includes any mail, DNS, or syslog connection that your firewall may be initiating. You may need to add a second rule before this one to allow that functionality.

SUMMARY
-------

It's best to have your firewall inspect Eitherbound, but for firewalls that are configured just to inspect inbound, I highly recommend you add this rule. Many of you may have figured this out on your own.
It only took me three years to figure this little hack out :-0

--
Lance Spitzner
http://project.honeynet.org
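The post's advice has three parts that are easy to get wrong by hand: the rule must exist, its INSTALL ON must be the firewall object rather than Any, and any accept rules for the firewall's own mail, DNS or syslog traffic must sit above it or they are shadowed. The following rulebase linter is an added example, not Lance's code and not a Check Point tool; it assumes a simplified six-column rule record (mirroring the table in the post) and a gateway object literally named "Firewall", both of which are assumptions for the example.

```python
"""Lint a simplified FW-1 style rulebase for the post's "drop connections
initiated by the firewall" rule.

Assumptions (not Check Point's real export format): each rule is a Rule record
with the six columns shown in the post's table, rules are matched top-down,
and the gateway object is named FIREWALL.
"""
from dataclasses import dataclass
from typing import List, Optional

FIREWALL = "Firewall"  # assumed name of the gateway object


@dataclass
class Rule:
    src: str
    dst: str
    service: str
    action: str      # "Accept" or "Drop"
    track: str       # e.g. "Long", "Short", "None"
    install_on: str  # gateway object name, or "Any"


def is_self_drop_rule(rule: Rule, fw: str = FIREWALL) -> bool:
    """True for the rule from the post: <fw> -> Any, service Any, Drop."""
    return (rule.src == fw and rule.dst == "Any"
            and rule.service == "Any" and rule.action == "Drop")


def lint_rulebase(rules: List[Rule], fw: str = FIREWALL) -> List[str]:
    """Return findings; an empty list means the rulebase follows the advice."""
    findings: List[str] = []
    drop_idx: Optional[int] = next(
        (i for i, r in enumerate(rules) if is_self_drop_rule(r, fw)), None)

    if drop_idx is None:
        findings.append(
            f"missing '{fw} -> Any / Any / Drop' rule: on an inbound-only "
            f"gateway, connections initiated by {fw} are never inspected")
        return findings

    drop = rules[drop_idx]
    # The whole trick is INSTALL ON = the firewall object, not Any.
    if drop.install_on != fw:
        findings.append(
            f"rule {drop_idx + 1}: INSTALL ON is '{drop.install_on}', not "
            f"'{fw}'; with inbound-only inspection it never sees "
            f"firewall-initiated packets")
    if drop.track != "Long":
        findings.append(
            f"rule {drop_idx + 1}: TRACK is '{drop.track}'; use Long so "
            f"firewall-initiated connections are logged")

    # Accept rules for the firewall's own traffic (mail, DNS, syslog) must
    # come BEFORE the drop rule; anything after it is shadowed.
    for i, r in enumerate(rules):
        if i > drop_idx and r.src == fw and r.action == "Accept":
            findings.append(
                f"rule {i + 1}: accept rule {fw} -> {r.dst} ({r.service}) "
                f"comes after drop rule {drop_idx + 1} and is shadowed")
    return findings


# Constructed sample rulebases (not from any real installation).
GOOD_RULEBASE = [
    Rule("Firewall", "LogServer", "syslog", "Accept", "Long", "Firewall"),
    Rule("Firewall", "DNSServer", "dns", "Accept", "Long", "Firewall"),
    Rule("Firewall", "Any", "Any", "Drop", "Long", "Firewall"),
    Rule("Any", "Any", "Any", "Drop", "Long", "Any"),
]
SHADOWED_RULEBASE = [
    Rule("Firewall", "Any", "Any", "Drop", "Long", "Firewall"),
    Rule("Firewall", "DNSServer", "dns", "Accept", "Long", "Firewall"),
]
WRONG_INSTALL_ON = [
    Rule("Firewall", "Any", "Any", "Drop", "Long", "Any"),
]
MISSING_RULE = [
    Rule("Any", "Any", "Any", "Drop", "Long", "Any"),
]

if __name__ == "__main__":
    for name, rb in [("good", GOOD_RULEBASE), ("shadowed", SHADOWED_RULEBASE),
                     ("wrong install-on", WRONG_INSTALL_ON),
                     ("missing", MISSING_RULE)]:
        print(f"{name}: {lint_rulebase(rb) or 'OK'}")
```

Run it as a script to see one finding per mistake; the "good" rulebase, with the syslog and DNS accepts above the drop rule and INSTALL ON set to the firewall object, produces none.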