RE: [FW1] Need some info: "Unknown established TCP packet"
Armando,

The "correct" way to fix this problem is to repair the broken applications. These apps establish TCP sessions, then leave established sessions idle for long periods of time (greater than TCP_TIMEOUT). The correct fix would add TCP keepalives to the applications, or would switch the communication to UDP where appropriate. That being said, no one ever fixes the app; it's always the firewall administrator who has to "fix" the problem.

You should be able to modify the firewall's behavior by changing this section of fwui_head.def:

    /*
     * Uncomment the following line to enable TCP Non-SYN packet to go through
     * the rule-base.
     */
    /*#define ALLOW_NON_SYN_RULEBASE_MATCH */

    /*
     * Comment the following line to disable logging of TCP Non-SYN packets dropped
     * because they are not allowed to go through the rule-base
     */
    #define NON_SYN_RULEBASE_MATCH_LOG

If you remove the /* */ from the line "/*#define ALLOW_NON_SYN_RULEBASE_MATCH */", it should revert to the old style of processing non-SYN packets.

In previous versions the firewall would allow packets to pass with non-SYN bits set, then wait for a response from the destination. If the response that came back was another non-SYN packet, then the connection would be re-written into the state tables; if the response that came back was a reset packet, then the firewall would not make any changes to the state tables. This security model works on the theory that a receiving host will only accept a non-SYN packet that is part of an open socket on the system, and if the socket has closed, the host will send reset packets.

This breaks down because of new tools which now exist: there are remote exploit tools which can be commanded by non-SYN packets, and tools which can perform "reset" scans of networks. Because these packets were allowed and not logged, Check Point took some serious heat for allowing non-SYN packets. Now the new versions of Check Point do not allow these packets.
Keep in mind that if you make these modifications, you do so on the management server and the changes apply globally to all firewalls controlled by that management server.

*******************************************************************
Michael Carey
[email protected]
Internet Security Systems
www.iss.net
3000 Town Center Suite 1100
Southfield, MI 48075
Managed Firewall Services Engineer
*******************************************************************

-----Original Message-----
From: Matos, Armando [mailto:[email protected]]
Sent: Monday, February 26, 2001 2:25 PM
To: '[email protected]'
Subject: [FW1] Need some info: "Unknown established TCP packet"

We are running FW1 w/ sp2. We have three applications adversely affected by our new firewall. These applications work for a while, and then die. These applications are between DMZs, and all ports are open between these two servers. The only thing we see in the log is the "Unknown established TCP packet" message.

My understanding of what I read on phoneboy stated that this means the firewall no longer has a TCP session entry in its table for these packets. They also seemed to indicate that the older version of FW1 actually attempted to restore this entry in the table before dropping the packet "on the floor". I was led to believe by what I read that this "fix" would make FW1 v4.1 sp2 run like the old method.

Has anyone had this problem and/or a workaround to the problem? Are there any reasons why we shouldn't apply the fix suggested on phoneboy's website?

Thanks!

Armando

================================================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
================================================================================
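The application-side fix Michael recommends (TCP keepalives so the session never sits idle longer than the firewall's TCP_TIMEOUT) is shown below as an added example; it is not code from either message in the thread and not a Check Point or ISS tool. It assumes a firewall idle timeout of 3600 seconds (a constructed value, chosen to match FW-1's commonly cited default, not something stated in the thread) and uses the Linux-style per-socket keepalive options TCP_KEEPIDLE / TCP_KEEPINTVL / TCP_KEEPCNT, falling back to macOS's TCP_KEEPALIVE name for the idle timer where that exists. The helper `keepalive_params` derives a schedule whose first probe, and whose whole probe cycle, completes before the firewall forgets the connection, and the loopback demo reads the settings back so you can confirm the kernel accepted them.

```python
import socket

# Assumed firewall TCP idle timeout in seconds (constructed value for the
# example; check the actual TCP_TIMEOUT on your management server).
FIREWALL_TCP_TIMEOUT = 3600


def keepalive_params(firewall_timeout, safety_factor=0.5, interval=60, count=5):
    """Pick (idle, interval, count) so the first keepalive is sent at
    safety_factor * firewall_timeout and the full probe cycle
    (idle + interval * count) also finishes before the firewall's
    state-table entry would expire. Raises if the schedule cannot fit."""
    idle = int(firewall_timeout * safety_factor)
    if idle < 1 or interval < 1 or count < 1:
        raise ValueError("keepalive parameters must be positive")
    if idle + interval * count >= firewall_timeout:
        raise ValueError("probe cycle would outlast the firewall timeout")
    return idle, interval, count


def enable_tcp_keepalive(sock, idle, interval, count):
    """Turn on keepalives on a connected TCP socket and set the timers.
    The option names are platform specific, so each one is guarded."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if hasattr(socket, "TCP_KEEPIDLE"):            # Linux
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle)
    elif hasattr(socket, "TCP_KEEPALIVE"):         # macOS name for the idle timer
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPALIVE, idle)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)


def read_keepalive(sock):
    """Read back what the kernel actually holds: (enabled, idle, interval, count).
    Timer values are None on platforms that do not expose that option."""
    enabled = sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0
    idle = interval = count = None
    if hasattr(socket, "TCP_KEEPIDLE"):
        idle = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE)
    elif hasattr(socket, "TCP_KEEPALIVE"):
        idle = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPALIVE)
    if hasattr(socket, "TCP_KEEPINTVL"):
        interval = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL)
    if hasattr(socket, "TCP_KEEPCNT"):
        count = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT)
    return enabled, idle, interval, count


def demo_loopback(firewall_timeout=FIREWALL_TCP_TIMEOUT):
    """Open a loopback TCP connection (stands in for the DMZ-to-DMZ session),
    enable keepalives on the client side, and return the verified settings."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.create_connection(srv.getsockname())
    peer, _ = srv.accept()
    try:
        idle, interval, count = keepalive_params(firewall_timeout)
        enable_tcp_keepalive(cli, idle, interval, count)
        return read_keepalive(cli)
    finally:
        peer.close()
        cli.close()
        srv.close()


if __name__ == "__main__":
    print(demo_loopback())
```

With the assumed 3600 s timeout the schedule is idle=1800, interval=60, count=5: the first probe leaves at 30 minutes of silence, and even if the peer has vanished the last retry is sent at 1800 + 300 = 2100 s, still inside the firewall's window, so the entry is either refreshed or the application learns the peer is gone before the firewall silently drops a later data segment as an "Unknown established TCP packet". On Windows the equivalent is `sock.ioctl(socket.SIO_KEEPALIVE_VALS, (1, idle_ms, interval_ms))`; the probe count there is fixed by the OS.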