
RE: ADDENDUM - Interesting fix - Re: [FW1] "nameserver" in Service column in log files?



Hi, Becky.  If you want your modification to be noticed you will probably
have to bounce the FW service that is logging (EMC or standalone, whatever
you have).  That _should_ pick-up the change.

If you wanted to just see protocol and port numbers, you could remove
/etc/protocols and /etc/services respectively on a *nix host.  THIS IS
PROBABLY NOT A SMART MOVE AND WILL BREAK THINGS.  I'm just saying that it
_could_ be done.

Me, I prefer the opposite.  I parsed the protocols and ports lists from IANA
and reused them as my /etc/protocols and /etc/services files on my EMC.  If
I see weird stuff in the logs it usually forces me to investigate further
and figure out what the issue is.

Case in point, I saw weird IP protocol 89 traffic (CP didn't know what it
was before I modified /etc/protocols) which was being denied.  It turns out
that my internal routers were trying to redistribute routes up to my Nokias
via OSPF.  That could have been an issue.

Chris

-----Original Message-----
From: Beckster
To: Luke, Jason (ISS Southfield); [email protected]
Sent: 2/9/01 5:13 PM
Subject: ADDENDUM - Interesting fix - Re: [FW1] "nameserver" in Service column in log files?


Well, I hate to reply to my own posting, but when I shut down logviewer
and then re-opened, it reverted to "nameserver" again!!!  So, sad to
say, "nameserver" has been commented out of my services file again.

My log file is working now with the following entries in my services
file:
domain-tcp      53/tcp  nameserver      # name-domain server
domain-udp      53/udp  nameserver
# nameserver      53/tcp    domain        # name-domain server
# nameserver      53/udp    domain

Does this seem like a weird/flaky bug to anyone else?

Becky



Beckster wrote:
> 
> Jason!!  What a great tip!!
> 
> Actually I had to comment out the following four services at first,
> because after I commented out "nameserver", then just "domain" started
> popping up in the log files:
> # domain        53/tcp    nameserver    # name-domain server
> # domain        53/udp    nameserver
> # nameserver    53/tcp    domain        # name-domain server
> # nameserver    53/udp    domain
> 
> And then I just renamed them to match the Check Point names:
> domain-tcp      53/tcp  nameserver      # name-domain server
> domain-udp      53/udp  nameserver
> 
> And then un-commented the nameserver entries, so now my services
> file looks like this:
> domain-tcp      53/tcp  nameserver      # name-domain server
> domain-udp      53/udp  nameserver
> nameserver      53/tcp    domain        # name-domain server
> nameserver      53/udp    domain
> 
> Presto!  My logs are working and now my "Service Selection Criterion"
> box is working properly when I want to select logs "In" or "Not in"
> domain-udp/domain-tcp.  Very weird that CP logs are pulling names
> from my management NT services file???
> 
> Thanks again for your assistance Jason.
> 
> No longer disgruntled in Dallas,
> Becky
> 
> p.s.  Now why the heck does NT have 2 sets of entries in the
> Services file for port 53 udp/tcp?  Too much to learn, too little
> time....
> 
> "Luke, Jason (ISS Southfield)" wrote:
> >
> > 'nameserver' is just Port 53 DNS queries in disguise.  I believe your GUI
> > client is on NT and it is resolving port 53 traffic to nameserver, which is
> > listed in the WINNT/system32/drivers/etc/services file.  I think if you
> > comment out that entry it will go back to being domain-tcp and domain-udp in
> > the logviewer.
> >
> > Jason
> >
> <SNIP>
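
Added example (not part of the original thread, and not Check Point code): a small audit of a services-format file that lists ports carrying more than one entry and entries whose canonical name differs from the name the log viewer is expected to show. The sample text is constructed from the port 53 lines quoted above plus one deliberately malformed line; EXPECTED and the function names are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the port 53 lines from the thread, one commented entry, one bad line.
SAMPLE = """\
domain-tcp      53/tcp  nameserver      # name-domain server
domain-udp      53/udp  nameserver
nameserver      53/tcp    domain        # name-domain server
nameserver      53/udp    domain
# smtp          25/tcp    mail
badline
"""

# Assumption: the names the log viewer should show (the Check Point names in the thread).
EXPECTED = {(53, "tcp"): "domain-tcp", (53, "udp"): "domain-udp"}

def parse_services(text):
    """Return (entries, malformed); entries are (lineno, name, port, proto, aliases)."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and commented-out entries
        if not line:
            continue
        fields = line.split()
        m = re.fullmatch(r"(\d{1,5})/(\w+)", fields[1]) if len(fields) > 1 else None
        if not m or int(m.group(1)) > 65535:
            malformed.append((lineno, raw))
            continue
        entries.append((lineno, fields[0], int(m.group(1)), m.group(2).lower(), fields[2:]))
    return entries, malformed

def ambiguous_ports(entries):
    """Map (port, proto) -> canonical names in file order, for ports with several entries."""
    by_port = defaultdict(list)
    for _, name, port, proto, _ in entries:
        by_port[(port, proto)].append(name)
    return {key: names for key, names in by_port.items() if len(names) > 1}

def name_mismatches(entries, expected):
    """Entries whose canonical name is not the name expected for that port/protocol."""
    return [(ln, name, port, proto) for ln, name, port, proto, _ in entries
            if (port, proto) in expected and name != expected[(port, proto)]]

if __name__ == "__main__":
    entries, bad = parse_services(SAMPLE)
    print("ambiguous:", ambiguous_ports(entries))
    print("mismatched:", name_mismatches(entries, EXPECTED))
    print("malformed:", bad)
```

Which of several entries for one port a given resolver returns is not decided here; the audit only reports that the answer is ambiguous.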


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
   All contents © 2004 Network Presence, LLC. All rights reserved.