Subject: RE: [FW1] Need some info: "Unknown established TCP packet"
According to the phoneboy site, it's a new "feature" of 4.1. I would not disable it. While you do get a lot of errors, you will want to know if it starts coming from another source all of a sudden. I have resigned myself to pretty much just living with it. =)

Carric Dooley
Senior Consultant
COM2:Interactive Media

"But this one goes to eleven." -- Nigel Tufnel

On Thu, 15 Mar 2001, Phillips, Corey wrote:

>
> I am experiencing the same error (FW-1 Ver-4.1 SP2; we are using RF barcode
> guns that have a battery save feature, and when the gun connection is
> reestablished they are getting kicked off the network with this message). I
> have uncommented the line (like phoneboy suggests) with /*#define
> ALLOW_NON_SYN_RULEBASE_MATCH */ but we still see the error "Unknown
> established TCP packet".
>
> I have not been on the list that long, but this seems like a recurring
> theme ("Unknown established TCP packet"). Is there anyone who has another
> fix?
>
> Thanks
>
> Corey Phillips
> IS Analyst
> Halla Climate Control Canada Inc.
> [email protected]
>
>
> -----Original Message-----
> From: Carey, Mike (ISS Southfield) [mailto:[email protected]]
> Sent: Tuesday, February 27, 2001 11:28 AM
> To: 'Matos, Armando'; '[email protected]'
> Subject: RE: [FW1] Need some info: "Unknown established TCP packet"
>
>
> Armando,
>
> The "correct" way to fix this problem is to repair the broken applications.
> These apps establish TCP sessions, then leave established sessions idle for
> long periods of time (greater than TCP_TIMEOUT). The correct fix would add
> TCP keepalives to the applications, or would switch the communication to UDP
> where appropriate. That being said, no one ever fixes the app; it's always
> the firewall administrator who has to "fix" the problem.
>
> You should be able to modify the firewall's behavior by changing this
> section of fwui_head.def:
>
> /*
>  * Uncomment the following line to enable TCP Non-SYN packet to go through
>  * the rule-base.
>  */
> /*#define ALLOW_NON_SYN_RULEBASE_MATCH */
>
> /*
>  * Comment the following line to disable logging of TCP Non-SYN packets dropped
>  * because they are not alowed to go through the rule-base
>  */
> #define NON_SYN_RULEBASE_MATCH_LOG
>
> If you remove the /* */ from the line /*#define ALLOW_NON_SYN_RULEBASE_MATCH */
> it should revert to the old style of processing non-SYN packets.
> In previous versions the firewall would allow packets to pass with non-SYN
> bits set, then wait for a response from the destination. If the response
> that came back was another non-SYN packet, then the connection would be
> re-written into the state tables; if the response that came back was a reset
> packet, then the firewall would not make any changes to the state tables.
>
> This security model works on the theory that a receiving host will only
> accept a non-SYN packet that is part of an open socket on the system, and if
> the socket has closed, the host will send reset packets. This breaks down
> because of new tools which now exist: there are remote exploit tools which
> can be commanded by non-SYN packets, and tools which can perform "reset"
> scans of networks. Because these packets were allowed and not logged,
> Checkpoint took some serious heat for allowing non-SYN packets. Now the new
> versions of Checkpoint do not allow these packets.
>
> Keep in mind that if you make these modifications, you do so on the
> management server and the changes apply globally to all firewalls controlled
> by that management server.
>
> *******************************************************************
> Michael Carey                          [email protected]
> Internet Security Systems              www.iss.net
> 3000 Town Center Suite 1100            Southfield, MI 48075
> Managed Firewall Services Engineer
> *******************************************************************
>
> -----Original Message-----
> From: Matos, Armando [mailto:[email protected]]
> Sent: Monday, February 26, 2001 2:25 PM
> To: '[email protected]'
> Subject: [FW1] Need some info: "Unknown established TCP packet"
>
>
> We are running FW1 w/ SP2. We have three applications adversely affected by
> our new firewall. These applications work for a while, and then die. These
> applications are between DMZs and all ports are open between these 2
> servers. The only thing we see in the log is the "Unknown established TCP
> packet" message. My understanding of what I read on phoneboy stated that
> this means the firewall no longer has a TCP session entry in its table for
> these packets. They also seemed to indicate that the older version of FW1
> actually attempted to restore this entry in the table before dropping the
> packet "on the floor". I was led to believe by what I read that this "fix"
> would make FW1 v4.1 SP2 run like the old method. Has anyone had this problem
> and/or a workaround to the problem?? Are there any reasons why we shouldn't
> apply the fix suggested on phoneboy's website?? Thanks!!
>
> Armando
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================