
RE: [FW1] FW-1 Loophole?



Joe,
Are you sure it's being accepted? Perhaps that port is not being used on the
Firewall-1 side, or there is a rule to allow any outbound from the DMZ in
question. Snoop on the DMZ interface, or some other packet sniffer, could
confirm the traffic. Also look to see if this port 1052 is a source port for
some UDP which is allowed; perhaps the PIX is dropping UDP reply packets.
Firewall-1 tries to make UDP "stateful" by anticipating UDP reply packets.
--Mike.

-----Original Message-----
From: [email protected]
[mailto:[email protected]]
Sent: Tuesday, February 27, 2001 11:34 AM
To: [email protected]
Subject: [FW1] FW-1 Loophole?



We are running an application in two DMZs (DMZA, DMZB). The app is a DCOM
app which uses Microsoft's transaction server to communicate from a server in
the DMZ to a server on the private side.

The application is configured to communicate using UDP on port 135 and a
range from 4500 through 4550. This is set up via the registry on the servers
in the DMZ and the private side.

We have a rule set up on Firewall-1 (4.1 SP2) in DMZA which allows the
specific UDP ports (135, 4500-4550) through the firewall to the specific
servers on the private side. The application works in this DMZ.

In our second DMZ we have PIX firewalls, not FW-1. The application is not
working in this DMZ. We are seeing drops on UDP port 1052 going from the DMZ
to the private side. We don't have a rule set up for that specific port on
either firewall, so it makes sense that the PIX is dropping it. However, when
we trace the application we see the same kind of traffic in both DMZs.

It appears as if FW-1 in DMZA is allowing this protocol (UDP 1052) through
and the PIX is not. We talked to Cisco about this problem and they indicated
the PIX is working as designed. This leads us to believe that there may be a
FW-1 problem.

Why is FW-1 allowing UDP 1052 through? We don't see anything in the firewall
log to indicate it is being accepted.

Any help on this problem would be appreciated.




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================




