[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [FW1] My experience with CPFW-1 and Legato / Solstice Backup
Not sure if this got through the first time - apologies if this is a repeat! For those who are interested, have tried this combination before, or are looking at doing so - this may be helpful.... Infact, what I will share here is probably applicable to other applications that behave in the same way that Solstice Backup does. And talks about one of the reasons that the 'unknown established TCP packet error' is generated. (This email is a bit of a story, that hopefully someone will find helpful! - apologies to those who aren't interested). We are running Checkpoint Firewall-1, 4.1 SP3 on a Solaris 2.6 box. Solstice Network Backup 6.0 would not work successfully through the firewall (and I can confirm that Legato 5.x has the same problem with this version and patchlevel of Checkpoint). Thanks to a couple of references on Phoneboy, and also Lance Spitzners whitepaper on how the Checkpoint state table works - I am now convinced of where the problem lies. 'Sniffing' either side of the network backups was a problem as huge quantities of data was involved. (Thank god Ethereal can filter on both the capture and the read in! ;)) The backups would not fail if they were very small - pointing at a timeout issue. For the bigger backups, I would get the famous 'unknown established TCP packet' error in my logs - and the backups would hang, and complain that they didn't finish successfully. Looking at the packets that were being 'dropped' - the data segment contained a simple message saying "backup completed at: <time>". It was the notification from the client to the backup server saying that the particular save-set was finished. The flags on this packet were: FIN, PSH, ACK. If you have read Spitzners FAQ, you will know that the change made in SP3 causes Checkpoint Firewall to only check SYN packets against the rulebase (if no current state entry exists), to see if one should be added. Unfortunately, even though our TCP Timeout was set at 2 hours, Checkpoint firewall does not raise the state table entry timeout to this level _until_ some data has been pushed through the connection. This means that any application that connects with a standard 3 way handshake (SYN --> SYN-ACK --> ACK), only generates a state table entry with a timeout equivalent to the 'tcpstarttimeout' option (defined in $FWDIR/conf/objects.C). By default this is 60 seconds. If the said application fails to push any data through the connection before this timer expires, the state is dropped. Then when it decides it is ready to send data (i.e. the backup completion notification), the state table is checked, the flags on the packet are examined (non-SYN!) and the packet is happily discarded. The good thing about this behaviour is it makes it fairly difficult to try and DoS the firewall by filling its state table. (Assuming SYN-defender is running i guess). Solstice Network / Legato Backup uses a heap of control connections as it backs up a remote machine. One of these connections is simply the completion notification - and the 3 way handshake occurs at the begining of the backup process. Once the connection is established, no data is passed until the backup completes. (It would not surprise me to find other applications that behave similarly). 2 fixes for this problem were: a) raise the tcpstarttimeout to some ridiculous size and leave the state table vulnerable to flooding. b) make the change suggested on Phoneboy ($FWDIR/lib/fwui_head.def) to allow non-SYN packets to me matched against the rulebase. We have since made the second change as a temporary solution, however this is fairly unacceptable. It basically renders a heap of CPFW-1's functionality to 'packet-filtering' status, and increases the chance for Denial-of-Service (remember SYN-Defender only matches _SYN_ packets! :)) The final outcome has been that: A change request has gone back to Sun / Legato to implement a keep-alive into their backup software, to keep Checkpoint happy. And also a message has (hopefully) gone through the Checkpoint describing the situation and asking for their comment. I can prove that the change we have made allows me to DoS Checkpoints state table if I have control of 1 box inside and 1 box outside the network. Hope some of this helps someone!! It was certainly a learning experience for me. Don't hesitate to drop me a message if you have any more questions about this particular problem - I'll help if I can. Cheers, -jonny ================================================================================ To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================================================
|