RE: [FW1] FW-1 Loophole?
Joe,

Are you sure it's being accepted? Perhaps that port is not being used on the Firewall-1 side, or there is a rule to allow any outbound from the DMZ in question. Snoop on the DMZ interface, or some other packet sniffer, could confirm the traffic. Also look to see if this port 1052 is a source port for some UDP which is allowed; perhaps the PIX is dropping UDP reply packets. Firewall-1 tries to make UDP "stateful" by anticipating UDP reply packets.

--Mike.

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, February 27, 2001 11:34 AM
To: [email protected]
Subject: [FW1] FW-1 Loophole?

We are running an application in two DMZs (DMZA, DMZB). The app is a DCOM app which uses Microsoft's transaction server to communicate from a server in the DMZ to a server on the private side. The application is configured to communicate using UDP on port 135 and a range from 4500 through 4550. This is set up via the registry on the servers in the DMZ and the private side.

We have a rule set up on Firewall-1 (4.1 SP2) in DMZA which allows the specific UDP ports (135, 4500-4550) through the firewall to the specific servers on the private side. The application works in this DMZ.

In our second DMZ we have PIX firewalls, not FW-1. The application is not working in this DMZ. We are seeing drops on UDP port 1052 going from the DMZ to the private side. We don't have a rule set up for that specific port on either firewall, so it makes sense that the PIX is dropping it. However, when we trace the application we see the same kind of traffic in both DMZs. It appears as if FW-1 in DMZA is allowing this protocol (UDP 1052) through and the PIX is not.

We talked to Cisco about this problem and they indicated the PIX is working as designed. This leads us to believe that there may be a FW-1 problem. Why is FW-1 allowing UDP 1052 through? We don't see anything in the firewall log to indicate it is being accepted.

Any help on this problem would be appreciated.
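The mechanism Mike describes (a firewall that "anticipates" the UDP reply to a request it has already allowed, so the reply is accepted on the requester's ephemeral port even though no rule names that port) is easy to see in a small model. The following is an added illustration, not code from the thread or from Check Point or Cisco: it builds a toy UDP pseudo-connection table and runs the same four packets through a stateful filter, a purely rule-based filter, and a filter with an "any outbound from the DMZ" rule. The addresses, the port 1052 request, the rule set and the 40-second reply timeout are all constructed for the example; the real products have their own timeouts and matching semantics.

```python
"""Toy model of pseudo-stateful UDP filtering (added example, not from the thread).

A request that matches an explicit rule creates a table entry keyed on the
4-tuple; a packet travelling in the reverse direction on the same ports is
accepted as the anticipated reply until the entry expires.  A stateless
filter has no table, so the reply is judged against the rules alone and
dropped when no rule names the ephemeral port.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    t: float  # arrival time in seconds (constructed for the example)


@dataclass(frozen=True)
class Rule:
    src_net: str   # crude prefix match on the dotted address, e.g. "10.2."
    dst_net: str   # "" matches any destination
    dports: range  # allowed UDP destination ports


class UdpFirewall:
    def __init__(self, rules, reply_timeout=40.0, stateful=True):
        self.rules = rules
        self.reply_timeout = reply_timeout  # assumed value, not a vendor default
        self.stateful = stateful
        self.table = {}  # (src, sport, dst, dport) -> expiry time

    def _rule_allows(self, p):
        return any(p.src.startswith(r.src_net)
                   and p.dst.startswith(r.dst_net)
                   and p.dport in r.dports
                   for r in self.rules)

    def _expire(self, now):
        # Forget anticipated replies whose window has closed.
        self.table = {k: exp for k, exp in self.table.items() if exp > now}

    def filter(self, p):
        self._expire(p.t)
        if self._rule_allows(p):
            if self.stateful:
                # Remember the request so its reply can be matched later.
                self.table[(p.src, p.sport, p.dst, p.dport)] = p.t + self.reply_timeout
            return "ACCEPT"
        if self.stateful and (p.dst, p.dport, p.src, p.sport) in self.table:
            return "ACCEPT (reply)"
        return "DROP"


def scenario(stateful, any_outbound=False):
    """Return the verdicts for four constructed packets.

    DMZ is 10.2.x, private side is 10.1.x (constructed).  The explicit rules
    mirror the ones described in the post: UDP 135 and 4500-4550 from the DMZ
    to the private side.  With any_outbound=True a third rule allows every
    UDP destination port from the DMZ, the other possibility Mike raises.
    """
    rules = [Rule("10.2.", "10.1.", range(135, 136)),
             Rule("10.2.", "10.1.", range(4500, 4551))]
    if any_outbound:
        rules.append(Rule("10.2.", "", range(0, 65536)))
    fw = UdpFirewall(rules, reply_timeout=40.0, stateful=stateful)

    request = Packet("10.2.0.5", 1052, "10.1.0.9", 135, t=0.0)    # allowed by rule
    reply = Packet("10.1.0.9", 135, "10.2.0.5", 1052, t=1.0)      # reply to port 1052
    unrelated = Packet("10.2.0.5", 1052, "10.1.0.9", 1052, t=2.0)  # no rule, not a reply
    late = Packet("10.1.0.9", 135, "10.2.0.5", 1052, t=60.0)      # reply after the window
    return [fw.filter(p) for p in (request, reply, unrelated, late)]


if __name__ == "__main__":
    for label, args in (("stateful", dict(stateful=True)),
                        ("stateless", dict(stateful=False)),
                        ("stateful + any outbound", dict(stateful=True, any_outbound=True))):
        print(f"{label:24s} {scenario(**args)}")
```

The contrast is the point of Mike's question: only the stateful filter accepts the reply on port 1052, and it does so without any log line for a rule on 1052, because the packet is accepted against the table rather than the rule base. Confirming with a sniffer on the DMZ interface which of the three cases applies is still the way to settle it for the real traffic.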
================================================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
================================================================================