[FW1] Unknown established TCP packet

Hello,

I have had problems with this new feature on FW-1 4.1 SP3 (Linux).
As far as I have learnt from Lance Spitzner, Phoneboy and this list
it is supposed to drop non-syn packets that are not an established
connection as far as the firewall is concerned (part state table).

This causes some problems. Client/Server applications using database
platforms like Oracle will have to reconnect, but will not work properly
after reconnection because of cursors (pointers).

Is it possible or recommendable to increase the TCP timeout beyond the TCP
keepalive? And is TCP keepalive among the packets that will reset the
timeout timer of the state tables? Unless I do so I will have to disable
Checkpoint's new feature.

Also, there seem to be bugs in the implementation of this feature, at least
as far as the Linux version is concerned.

Just look at this log export:

"11435"  "21May2001"  "13:36:45"  "eth2"  "localhost"  "log"  "accept"  "924"
 "nille.abcde.xy"  "ulysses.abcde.xy"  "tcp"  "3"  "930"  ""  ""  ""  ""  ""
 ""  ""  ""  ""  "firewall"  " len 48"  

The line says that TCP port 924 source port 930 is accepted. Then less than
three minutes later:

"11532"  "21May2001"  "13:39:01"  "eth2"  "localhost"  "log"  "drop"  "924"
 "nille.abcde.xy"  "ulysses.abcde.xy"  "tcp"  "0"  "930"  ""  ""  ""  ""  ""
 ""  ""  ""  ""  "firewall"  " reason: unknown established TCP packet"  

Packet with same TCP port and source port is dropped due to the "fact" that
it is not part of an established connection. I cannot see what I have done
to make this happen. To me it looks like nothing less than a bug.


Gandalf.
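The two records above are the kind of evidence a firewall admin wants to find systematically: an "unknown established TCP packet" drop for a flow that the same log shows being accepted shortly before. The following is an added example (not code from the post or from Check Point) that parses the quoted-field log export format the post uses, keys each record on its flow tuple, and reports drops with that reason that follow an accept of the same flow within a given window. The sample lines are the post's two records re-joined onto one line each, plus one constructed unrelated accept as a control. The field positions (action, service, source, destination, protocol, source port) are read off the post's records; the default window of 3600 seconds is an assumed TCP session timeout, not a value stated on the page.

```python
import re
from datetime import datetime

# Constructed sample: the post's two records joined onto single lines, plus
# one unrelated accepted flow (port 80, source port 1025) as a control.
SAMPLE_EXPORT = [
    '"11435"  "21May2001"  "13:36:45"  "eth2"  "localhost"  "log"  "accept"  "924"'
    '  "nille.abcde.xy"  "ulysses.abcde.xy"  "tcp"  "3"  "930"  ""  ""  ""  ""  ""'
    '  ""  ""  ""  ""  "firewall"  " len 48"',
    '"11500"  "21May2001"  "13:37:10"  "eth2"  "localhost"  "log"  "accept"  "80"'
    '  "nille.abcde.xy"  "ulysses.abcde.xy"  "tcp"  "3"  "1025"  ""  ""  ""  ""  ""'
    '  ""  ""  ""  ""  "firewall"  " len 48"',
    '"11532"  "21May2001"  "13:39:01"  "eth2"  "localhost"  "log"  "drop"  "924"'
    '  "nille.abcde.xy"  "ulysses.abcde.xy"  "tcp"  "0"  "930"  ""  ""  ""  ""  ""'
    '  ""  ""  ""  ""  "firewall"  " reason: unknown established TCP packet"',
]

# Every column in the export is a double-quoted string, empty columns included.
FIELD = re.compile(r'"([^"]*)"')
DROP_REASON = "unknown established TCP packet"


def parse_record(line):
    """Split one export line into the columns this check needs.

    Column positions are taken from the records in the post:
    0 number, 1 date, 2 time, 6 action, 7 service (destination port),
    8 source, 9 destination, 10 protocol, 12 source port, last = info text.
    """
    cols = FIELD.findall(line)
    if len(cols) < 13:
        raise ValueError("short record: %r" % line)
    return {
        "num": cols[0],
        "when": datetime.strptime(cols[1] + " " + cols[2], "%d%b%Y %H:%M:%S"),
        "action": cols[6],
        "dport": cols[7],
        "src": cols[8],
        "dst": cols[9],
        "proto": cols[10],
        "sport": cols[12],
        "info": cols[-1].strip(),
    }


def flow_key(rec):
    """Identify a connection by protocol and both endpoints (address, port)."""
    return (rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"])


def find_premature_state_drops(lines, window_seconds=3600):
    """Return (drop_num, accept_num, seconds_since_accept) for each drop with
    reason 'unknown established TCP packet' whose flow was accepted at most
    window_seconds earlier in the same export.

    window_seconds is an assumed TCP session timeout (placeholder value): a
    drop inside that window means the state entry vanished before the
    timeout that was supposed to keep it, which is the behaviour the post
    reports.
    """
    last_accept = {}
    hits = []
    for line in lines:
        rec = parse_record(line)
        key = flow_key(rec)
        if rec["action"] == "accept":
            last_accept[key] = rec
        elif rec["action"] == "drop" and DROP_REASON in rec["info"]:
            prior = last_accept.get(key)
            if prior is None:
                continue  # no earlier accept for this flow: not our case
            delta = (rec["when"] - prior["when"]).total_seconds()
            if 0 <= delta <= window_seconds:
                hits.append((rec["num"], prior["num"], int(delta)))
    return hits


if __name__ == "__main__":
    for drop_num, accept_num, secs in find_premature_state_drops(SAMPLE_EXPORT):
        print("record %s dropped %ds after accept record %s"
              % (drop_num, secs, accept_num))
```

On the post's own records this reports the drop in record 11532 as occurring 136 seconds after the accept in record 11435 for the same tcp 930 to 924 flow, which is exactly the "less than three minutes later" the post describes. Note that the accept record logs only the start of the connection (rule 3), so an earlier accept followed by this drop says nothing about how much traffic flowed in between; to tell a genuine state-table expiry from a stray packet arriving after the client really closed, the session timeout in use and the application's idle behaviour still have to be checked by hand.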

