
RE: [FW1] Need some info: "Unknown established TCP packet"



Armando, 

The "correct" way to fix this problem is to repair the broken applications.
These apps establish tcp sessions, then leave established sessions idle for
long periods of time (greater than TCP_TIMEOUT).  The correct fix would add
tcp keepalives to the applications, or would switch the communication to udp
where appropriate.  That being said, no one ever fixes the app, it's always
the firewall administrator who has to "fix" the problem.  

You should be able to modify the firewall's behavior by changing this
section of fwui_head.def:
/*
 * Uncomment the following line to enable TCP Non-SYN packet to go through
 * the rule-base.
 */
/*#define ALLOW_NON_SYN_RULEBASE_MATCH */

/*
 * Comment the following line to disable logging of TCP Non-SYN packets dropped
 * because they are not allowed to go through the rule-base
 */
#define NON_SYN_RULEBASE_MATCH_LOG

If you remove the /* */ from the line /*#define ALLOW_NON_SYN_RULEBASE_MATCH */
it should revert to the old style of processing non-syn packets.
In previous versions the firewall would allow packets to pass with non-syn
bits set, then wait for a response from the destination. If the response
that came back was another non-syn packet, the connection would be
re-written into the state tables; if the response that came back was a reset
packet, the firewall would not make any changes to the state tables.

This security model works on the theory that a receiving host will only
accept a non-syn packet that is part of an open socket on the system, and if
the socket has closed, the host will send reset packets.  This breaks down
because of new tools which now exist: there are remote exploit tools which
can be commanded by non-syn packets, and tools which can perform "reset"
scans of networks.  Because these packets were allowed and not logged,
checkpoint took some serious heat for allowing non-syn packets.  Now the new
versions of checkpoint do not allow these packets.

Keep in mind that if you make these modifications, you do so on the
management server and the changes apply globally to all firewalls controlled
by that management server.

*******************************************************************
Michael Carey                                        [email protected]
Internet Security Systems                               www.iss.net
3000 Town Center Suite 1100                    Southfield, MI 48075
Managed Firewall Services Engineer
*******************************************************************
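Because the fwui_head.def change is made on the management server and pushed to every firewall it controls, an administrator will want a quick way to see which way the file is currently set before and after such a change. The following is an added example, not code from this thread or from Check Point: a small Python audit that strips the /* ... */ comments from a fwui_head.def fragment and reports whether ALLOW_NON_SYN_RULEBASE_MATCH is active and whether NON_SYN_RULEBASE_MATCH_LOG logging is still on. The two sample fragments are constructed from the lines quoted above; the function names are assumptions for the example.

```python
import re

# Constructed sample: the fwui_head.def fragment as shipped, with the
# ALLOW_NON_SYN_RULEBASE_MATCH define still commented out.
SHIPPED_FRAGMENT = """\
/*
 * Uncomment the following line to enable TCP Non-SYN packet to go through
 * the rule-base.
 */
/*#define ALLOW_NON_SYN_RULEBASE_MATCH */

/*
 * Comment the following line to disable logging of TCP Non-SYN packets dropped
 * because they are not allowed to go through the rule-base
 */
#define NON_SYN_RULEBASE_MATCH_LOG
"""

# Constructed sample: the same fragment after the workaround from the thread
# has been applied, i.e. the /* */ removed from the ALLOW line.
WORKAROUND_FRAGMENT = SHIPPED_FRAGMENT.replace(
    "/*#define ALLOW_NON_SYN_RULEBASE_MATCH */",
    "#define ALLOW_NON_SYN_RULEBASE_MATCH",
)

# Non-greedy, DOTALL so a comment spanning several lines is removed whole.
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# A #define at the start of a line (allowing whitespace around the '#').
DEFINE = re.compile(r"^[ \t]*#[ \t]*define[ \t]+(\w+)", re.M)


def active_defines(text):
    """Return the macro names that are #defined outside /* ... */ comments."""
    return set(DEFINE.findall(BLOCK_COMMENT.sub("", text)))


def audit_non_syn_settings(text):
    """Report how the non-SYN handling defines are set in a fwui_head.def fragment.

    Returns a dict with the two booleans plus a list of human-readable findings;
    an empty findings list means the shipped (stricter, logged) behaviour.
    """
    defines = active_defines(text)
    allow = "ALLOW_NON_SYN_RULEBASE_MATCH" in defines
    log = "NON_SYN_RULEBASE_MATCH_LOG" in defines
    findings = []
    if allow:
        findings.append(
            "ALLOW_NON_SYN_RULEBASE_MATCH is active: non-SYN packets with no "
            "state-table entry are matched against the rule-base (the older "
            "behaviour the thread describes) on every firewall this management "
            "server controls"
        )
    if not log:
        findings.append(
            "NON_SYN_RULEBASE_MATCH_LOG is not defined: dropped non-SYN packets "
            "will not be logged"
        )
    return {"allow_non_syn": allow, "log_non_syn": log, "findings": findings}


def audit_file(path):
    """Convenience wrapper for a real fwui_head.def on disk (path is an assumption)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_non_syn_settings(fh.read())


if __name__ == "__main__":
    for name, fragment in (("shipped", SHIPPED_FRAGMENT), ("workaround", WORKAROUND_FRAGMENT)):
        result = audit_non_syn_settings(fragment)
        print(name, result["allow_non_syn"], result["log_non_syn"])
        for finding in result["findings"]:
            print("  -", finding)
```

The comment stripping is what matters here: a naive grep for the define name would report it as present in both fragments, because the shipped file carries the name inside a comment.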
-----Original Message-----
From: Matos, Armando [mailto:[email protected]]
Sent: Monday, February 26, 2001 2:25 PM
To: '[email protected]'
Subject: [FW1] Need some info: "Unknown established TCP packet"


We are running FW1 w/ sp2. We have three applications adversely affected by
our new firewall. These applications work for a while, and then die. These
applications are between DMZs and all ports are open between these 2
servers. The only thing we see in the log is the "Unknown established TCP
packet" message. My understanding of what I read on phoneboy stated that
this means the firewall no longer has a TCP session entry in its table for
these packets. They also seemed to indicate that the older version of FW1
actually attempted to restore this entry in the table before dropping the
packet "on the floor". I was led to believe by what I read that this "fix"
would make FW1 v4.1 sp2 run like the old method. Has anyone had this problem
and/or a workaround to the problem? Are there any reasons why we shouldn't
apply the fix suggested on phoneboy's website?  Thanks!
 
Armando
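Michael Carey's opening paragraph says the real fix is to add TCP keepalives to the applications so that an established session never sits idle longer than the firewall's TCP_TIMEOUT. As an added example, not code from this thread or from Check Point, here is how an application written in Python would enable keepalives on its socket and size the timers against the firewall timeout, then read the options back so the setting can be verified in a deployment. The 3600-second timeout and all function names are assumptions for the example; use the TCP_TIMEOUT actually configured on your management server.

```python
import socket

# Placeholder: the firewall's idle TCP session timeout in seconds. Substitute
# the TCP_TIMEOUT value actually configured on the management server.
FIREWALL_TCP_TIMEOUT = 3600


def keepalive_schedule(firewall_timeout, probes=3, safety_factor=0.5):
    """Choose keepalive timers that keep an idle session visible to the firewall.

    Returns (idle, interval, count): seconds of silence before the first probe,
    seconds between retries, and how many unanswered probes close the socket.
    The first probe goes out at half the firewall timeout by default, and the
    retries are spread over the remaining budget so every one of them still
    precedes the timeout.
    """
    if firewall_timeout <= 0:
        raise ValueError("firewall timeout must be positive")
    idle = max(1, int(firewall_timeout * safety_factor))
    interval = max(1, (firewall_timeout - idle) // (probes + 1))
    return idle, interval, probes


def schedule_fits(firewall_timeout, idle, interval, count):
    """True if the first probe and every retry are sent before the timeout.

    A live peer answers the first probe, which is enough to refresh the
    firewall's state entry; the check also covers the last retry so a slow
    peer still gets its chance inside the window.
    """
    return idle + interval * (count - 1) < firewall_timeout


def _idle_option():
    # Linux and Windows name the idle timer TCP_KEEPIDLE; macOS uses TCP_KEEPALIVE.
    return getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)


def enable_keepalive(sock, idle, interval, count):
    """Switch keepalives on and tune the timers where the platform exposes them."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    idle_opt = _idle_option()
    if idle_opt is not None:
        sock.setsockopt(socket.IPPROTO_TCP, idle_opt, idle)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)


def read_keepalive(sock):
    """Read the keepalive options back from the kernel to verify what is in force."""
    settings = {"enabled": bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE))}
    idle_opt = _idle_option()
    if idle_opt is not None:
        settings["idle"] = sock.getsockopt(socket.IPPROTO_TCP, idle_opt)
    if hasattr(socket, "TCP_KEEPINTVL"):
        settings["interval"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL)
    if hasattr(socket, "TCP_KEEPCNT"):
        settings["count"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT)
    return settings


def configure_for_firewall(firewall_timeout=FIREWALL_TCP_TIMEOUT):
    """Create a TCP socket tuned for the given firewall timeout and return the
    settings read back from the kernel. The socket is closed again so this runs
    offline; a real client would connect() it and keep it open."""
    idle, interval, count = keepalive_schedule(firewall_timeout)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        enable_keepalive(sock, idle, interval, count)
        settings = read_keepalive(sock)
    finally:
        sock.close()
    settings["fits"] = schedule_fits(firewall_timeout, idle, interval, count)
    return settings


if __name__ == "__main__":
    print(configure_for_firewall())
```

The keepalive probes are ordinary ACK segments on the established connection, so they refresh the firewall's state-table entry without any change to fwui_head.def; the schedule function exists because a keepalive whose first probe fires after TCP_TIMEOUT is no better than none.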
 

