Re: [FW1] drops on service 2301

["Tim Holman" <tim_holman@FW1-NOSPAMhotmail.com>]

Rule 0 drops are usually down to:

    Machine in question misconfigured, or plugged into wrong network

    Connection dropped due to authentication failutre

    Packet is using IP Options

    Packet violated anti-spoof rules.

 

I remember problems with the Compaq Web Agent - it was performing directed broadcasts on its local network.  The latest version fixes this, however, in the end, I just disabled all Compaq management services as I didn't use them anyway.

 

Tim

----- Original Message -----

From: Tony Wong

To: Tim Holman

Sent: 02 April 2001 21:34

Subject: Re: [FW1] drops on service 2301

The service 2301 drops are actually on rule 0.  If i create a rule to drop this service,  will the packets even get to the rulebase if it is set to drop at rule 0?

 

btw, I created a rule before my stealth rule:

 

Compaq(10.0.0.5, 10.0.0.6, 10.10.10.10 etc...)        FIREWALL        DROP            NO LOG

 

But its still coming back

 

Thanks

----- Original Message -----

From: Tim Holman

To: Tony Wong ; fw1-wizards@lists.phoneboy.com ; fw-1-mailinglist@lists.us.checkpoint.com

Sent: Friday, February 02, 2001 2:32 PM

Subject: Re: [FW1] drops on service 2301

Create a rule to drop these packets without logging them...

They are down to the Compaq web agent I think - are you 100% sure you've disabled the services on each Compaq server you use ?

 

----- Original Message -----

From: Tony Wong

To: fw1-wizards@lists.phoneboy.com ; fw-1-mailinglist@lists.us.checkpoint.com

Sent: 02 April 2001 18:55

Subject: [FW1] drops on service 2301

I am getting a lot of drops on service 2301 from some of my servers that are internal but are behind an internal NT router.

 

The Service is: 2301

Source: 10.0.0.6, 10.0.0.5, etc...

Destination: 255.255.255.255

Protocol: UDP

RULE: 0

 

I have shut down ALL compaq management agents on all my servers as i was told what service 2301 was.  But this service still shows up as a drop in my logs.

 

These drops are showing up so often that it is growing my log at 1MB+/ day, and I had to do a frequent  fw logswitch or else I could not open my log viewer.

 

My internal net range is 192.100.101.0/24

 

But There are some servers on the 10.0.0.0/8 network

 

 

There is an NT router that separates these two internal networks.

 

 

FW--------192.100.101.0/24 ------------ NTROUTER ------10.0.0.0/8

 

 

We do not care about 10.0.0.0/8 as far as browsing the internet is concerned. We have not defined a network object for 10.0.0.0 on our firewall. But these drops keep showing up on my firewall logs.

 

Any help much appreciated.