
[FW1] FW-1 initiate connection rule



Just thought of a cool rule hack for CheckPoint
FW-1 firewalls.  Many of you may have thought of this
before, but I haven't seen it discussed.

1.  PROBLEM
-----------
Many FW-1 installations only inspect inbound packets as
opposed to eitherbound.  This is done on purpose.  For
large, complex rulebases, eitherbound rule sets can be
difficult to troubleshoot.  Many organizations choose to
inspect packets only inbound as it is far easier to maintain
and troubleshoot.

This exposes FW-1 installations to risk.  Attacks can be mounted
against the firewall that rely on the firewall itself initiating
connections (which would not be inspected).  One example is a packet
whose TTL expires at the firewall, causing the firewall to send an
ICMP TTL-exceeded error message; such replies can be used to map
firewall rulebases.

2.  SOLUTION
------------
For FW-1 installations that only inspect inbound packets, you can
address this issue by simply adding one rule, as follows:

SRC        DST    SERVICE   ACTION    TRACK    INSTALL ON

Firewall   Any    Any       Drop      Long     Firewall

This rule will drop any connection initiated by the firewall, EVEN
if your firewall is only inspecting inbound packets, and protects your
firewall from being used in various attacks.  The trick is that the
"INSTALL ON" column is set to the Firewall, and not Any.  This causes
that single rule to inspect Eitherbound, while all the rest of the
rules still inspect inbound.  Be advised, this also includes any mail,
DNS, or syslog connection that your firewall itself may be initiating.  You
may need to add a second rule before this one to allow that functionality.
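To make the ordering point concrete, here is a small model of first-match rulebase evaluation.  This is an added illustration written for this archive page, not CheckPoint code or anything from the original post; it assumes the semantics described above (rules installed on Any see inbound packets only, a rule installed on the Firewall object is evaluated eitherbound) and uses constructed addresses, services and rules.

```python
"""Model of an inbound-only FW-1 style rulebase, used to show why the
"SRC=Firewall, INSTALL ON=Firewall, Drop" rule catches firewall-initiated
traffic and why an Accept rule for syslog/DNS must sit ABOVE it.

Assumptions of this model (they follow the post's description, not real
FW-1 internals): rules installed on "Any" inspect inbound packets only;
a rule installed on "Firewall" is evaluated eitherbound; if no rule at
all is evaluated for an outbound packet, that packet leaves uninspected.
"""
from dataclasses import dataclass

FIREWALL_IP = "192.0.2.1"      # constructed address of the firewall object
INTERNAL_NET = "10.0.0."       # constructed internal network prefix


@dataclass
class Rule:
    src: str          # "Firewall", "Any" or an address prefix
    dst: str
    service: str      # "Any" or a service name
    action: str       # "Accept" or "Drop"
    track: str
    install_on: str   # "Any" or "Firewall"


@dataclass
class Packet:
    src: str
    dst: str
    service: str
    direction: str    # "inbound" (arriving) or "outbound" (firewall-initiated)


def _match_addr(pattern: str, addr: str) -> bool:
    if pattern == "Any":
        return True
    if pattern == "Firewall":
        return addr == FIREWALL_IP
    return addr.startswith(pattern)


def rule_applies(rule: Rule, pkt: Packet) -> bool:
    # Only rules installed on the firewall object are evaluated eitherbound;
    # every other rule sees inbound packets only (the post's "install on" trick).
    if pkt.direction == "outbound" and rule.install_on != "Firewall":
        return False
    return (_match_addr(rule.src, pkt.src)
            and _match_addr(rule.dst, pkt.dst)
            and rule.service in ("Any", pkt.service))


def evaluate(rulebase: list, pkt: Packet):
    """First-match evaluation. Returns (action, 1-based rule number)."""
    for idx, rule in enumerate(rulebase, 1):
        if rule_applies(rule, pkt):
            return rule.action, idx
    # Outbound packet that no rule was evaluated against: not inspected at all.
    if pkt.direction == "outbound" and not any(r.install_on == "Firewall" for r in rulebase):
        return "Uninspected", None
    return "Drop", None   # implicit drop at the end of an inspected rulebase


# Constructed rulebase: the Accept rule for the firewall's own syslog sits
# above the post's drop rule; ordinary inbound rules follow.
RULEBASE = [
    Rule("Firewall", INTERNAL_NET, "syslog", "Accept", "Long", "Firewall"),
    Rule("Firewall", "Any", "Any", "Drop", "Long", "Firewall"),
    Rule("Any", INTERNAL_NET + "80", "http", "Accept", "Long", "Any"),
]

# Constructed packets.
FW_ICMP_OUT = Packet(FIREWALL_IP, "203.0.113.5", "icmp", "outbound")
FW_SYSLOG_OUT = Packet(FIREWALL_IP, INTERNAL_NET + "9", "syslog", "outbound")
WEB_IN = Packet("203.0.113.5", INTERNAL_NET + "80", "http", "inbound")

if __name__ == "__main__":
    print("ICMP from firewall, with drop rule:   ", evaluate(RULEBASE, FW_ICMP_OUT))
    print("ICMP from firewall, without it:       ", evaluate(RULEBASE[2:], FW_ICMP_OUT))
    print("syslog from firewall, Accept above:   ", evaluate(RULEBASE, FW_SYSLOG_OUT))
    print("syslog from firewall, Accept below:   ", evaluate([RULEBASE[1], RULEBASE[0]], FW_SYSLOG_OUT))
    print("inbound web traffic:                  ", evaluate(RULEBASE, WEB_IN))
```

Running it shows the two outcomes the post cares about: without the Firewall-installed drop rule the firewall-initiated ICMP leaves uninspected, and with the Accept rule placed below the drop rule the firewall's own syslog is dropped, which is why the allow rule has to come first.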


SUMMARY
-------
It's best to have your firewall inspect Eitherbound, but for
firewalls that are configured just to inspect inbound, I highly
recommend you add this rule.

Many of you may have figured this out on your own.  It only took
me three years to figure this little hack out :-0


-- 
Lance Spitzner
http://project.honeynet.org


