
RE: [FW1] Need some info: "Unknown established TCP packet"



According to the phoneboy site, it's a new "feature" of 4.1.  I would not
disable it. While you do get a lot of errors, you will want to know if
it starts coming from another source all of a sudden.

I have resigned to pretty much just live with it.  =)


Carric Dooley
Senior Consultant
COM2:Interactive Media

"But this one goes to eleven."
-- Nigel Tufnel


On Thu, 15 Mar 2001, Phillips, Corey wrote:

> 
> I am experiencing the same error (FW-1 Ver-4.1 SP2; we are using RF barcode
> guns that have a battery save feature, and when the gun connection is
> reestablished they are getting kicked off the network with this message). I
> have uncommented the line (like phoneboy suggests) with /*#define
> ALLOW_NON_SYN_RULEBASE_MATCH */ but we still see the error "Unknown
> established TCP packet".
> 
> I have not been on the list that long but this seems like a recurring
> theme ("Unknown established TCP packet"). Is there anyone who has another
> fix?
> 
> Thanks
> 
> Corey Phillips
> IS Analyst
> Halla Climate Control Canada Inc.
> [email protected]
> 
> 
> -----Original Message-----
> From: Carey, Mike (ISS Southfield) [mailto:[email protected]]
> Sent: Tuesday, February 27, 2001 11:28 AM
> To: 'Matos, Armando'; '[email protected]'
> Subject: RE: [FW1] Need some info: "Unknown established TCP packet"
> 
> 
> 
> Armando, 
> 
> The "correct" way to fix this problem is to repair the broken applications.
> These apps establish tcp sessions, then leave established sessions idle for
> long periods of time (greater than TCP_TIMEOUT).  The correct fix would add
> tcp keepalives to the applications, or would switch the communication to udp
> where appropriate.  That being said, no one ever fixes the app, it's always
> the firewall administrator who has to "fix" the problem.  
> 
> You should be able to modify the firewall's behavior by changing this
> section of fwui_head.def:
> /*
>  * Uncomment the following line to enable TCP Non-SYN packet to go through
>  * the rule-base.
>  */
> /*#define ALLOW_NON_SYN_RULEBASE_MATCH */
> 
> /*
>  * Comment the following line to disable logging of TCP Non-SYN packets dropped
>  * because they are not allowed to go through the rule-base
>  */
> #define NON_SYN_RULEBASE_MATCH_LOG
> 
> If you remove the /* */ from the line /*#define ALLOW_NON_SYN_RULEBASE_MATCH
> */ it should revert to the old style of processing non-syn packets.  
> In previous versions the firewall would allow packets to pass with non-syn
> bits set, then wait for a response from the destination. If the response
> that came back was another non-syn packet, then the connection would be
> re-written into the state tables; if the response that came back was a reset
> packet, then the firewall would not make any changes to the state tables.
> 
> This security model works on the theory that a receiving host will only
> accept a non-syn packet that is part of an open socket on the system, and if
> the socket has closed, the host will send reset packets.  This breaks down
> because of new tools which now exist: there are remote exploit tools which
> can be commanded by non-syn packets, and tools which can perform "reset"
> scans of networks.  Because these packets were allowed and not logged,
> Checkpoint took some serious heat for allowing non-syn packets.  Now the new
> versions of Checkpoint do not allow these packets.
> 
> Keep in mind that if you make these modifications, you do so on the
> management server and the changes apply globally to all firewalls controlled
> by that management server.
> 
> *******************************************************************
> Michael Carey                                        [email protected]
> Internet Security Systems                               www.iss.net
> 3000 Town Center Suite 1100                    Southfield, MI 48075
> Managed Firewall Services Engineer
> *******************************************************************
> -----Original Message-----
> From: Matos, Armando [mailto:[email protected]]
> Sent: Monday, February 26, 2001 2:25 PM
> To: '[email protected]'
> Subject: [FW1] Need some info: "Unknown established TCP packet"
> 
> 
> We are running FW1 w/ sp2. We have three applications adversely affected by
> our new firewall. These applications work for a while, and then die. These
> applications are between DMZs and all ports are open between these 2
> servers. The only thing we see in the log is the "Unknown established TCP
> packet" message. My understanding of what I read on phoneboy stated that
> this means the firewall no longer has a TCP session entry in its table for
> these packets. They also seemed to indicate that the older version of FW1
> actually attempted to restore this entry in the table before dropping the
> packet "on the floor". I was led to believe by what I read that this "fix"
> would make FW1 v4.1 sp2 run like the old method. Has anyone had this problem
> and/or a workaround to the problem? Are there any reasons why we shouldn't
> apply the fix suggested on phoneboy's website?  Thanks!!
>  
> Armando
>  
> 
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
> 
> 



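As an added illustration (not code from the thread, from phoneboy or from Check Point), this toy Python model follows Mike Carey's description above: a SYN creates a state entry, entries age out after TCP_TIMEOUT, and a non-SYN packet with no entry is either logged and dropped (4.1 SP2 default) or, with ALLOW_NON_SYN_RULEBASE_MATCH, passed and re-added only if the peer answers with something other than a reset. The TCP_TIMEOUT value, the addresses and the flag strings are constructed assumptions; the keepalive run shows the "fix the application" remedy he recommends.

```python
# Toy model of the FW-1 state-table behaviour described in the thread above.
# TCP_TIMEOUT, the addresses and the flag strings are constructed assumptions.
from dataclasses import dataclass, field

TCP_TIMEOUT = 3600  # idle seconds before an established entry is aged out (assumed)


@dataclass
class StatefulFirewall:
    # False = 4.1 SP2 default; True = uncommented ALLOW_NON_SYN_RULEBASE_MATCH (pre-4.1 style)
    allow_non_syn: bool = False
    table: dict = field(default_factory=dict)  # connection key -> last-seen time
    log: list = field(default_factory=list)

    def _expire(self, now):
        for conn, last in list(self.table.items()):
            if now - last > TCP_TIMEOUT:
                del self.table[conn]

    def filter(self, conn, flags, now, rulebase_allows=True):
        """Verdict for one packet on connection `conn` arriving at time `now`."""
        self._expire(now)
        if "SYN" in flags and "ACK" not in flags:       # connection setup
            if not rulebase_allows:
                return "drop"
            self.table[conn] = now
            return "accept"
        if conn in self.table:                          # known session
            self.table[conn] = now                      # any traffic refreshes the idle timer
            return "accept"
        if self.allow_non_syn and rulebase_allows:      # old style: pass it, decide later
            return "accept-pending"
        self.log.append(f"Unknown established TCP packet {conn} t={now}")
        return "drop"

    def peer_reply(self, conn, flags, now):
        """Old-style follow-up: a non-RST reply re-creates the entry, an RST does not."""
        if "RST" in flags:
            return "no-change"
        self.table[conn] = now
        return "state-restored"


def idle_app(keepalive=None, allow_non_syn=False):
    """Connect, idle past TCP_TIMEOUT, then send data; optional app-level keepalives."""
    fw = StatefulFirewall(allow_non_syn=allow_non_syn)
    conn = ("10.0.1.5:40000", "10.0.2.9:5000")          # constructed DMZ endpoints
    fw.filter(conn, "SYN", 0)
    if keepalive:                                        # keepalives refresh the entry
        for t in range(keepalive, 2 * TCP_TIMEOUT, keepalive):
            fw.filter(conn, "ACK", t)
    return fw.filter(conn, "PSH,ACK", 2 * TCP_TIMEOUT), fw
```

Run `idle_app()` to see the logged drop, `idle_app(keepalive=600)` to see the entry survive, and `idle_app(allow_non_syn=True)` followed by `peer_reply` to see why the old style silently admitted traffic that the destination never rejected.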