
RE: [FW1] RE: unknown established tcp packet



Hi Thomas,

I received the following explanation from Checkpoint.  This problem occurs
most often when a user ends a session without the session having a chance to
finish a FIN sequence.  For example, a user is browsing the web and suddenly
exits his browser; the session ends as far as FW1 is concerned, but the
other end keeps trying to send data. That is when you get the infamous
'unknown established tcp packet' in your logs.

Checkpoint's two solutions are these:

/*
 * Uncomment the following line in fwui_head.def to enable TCP Non-SYN
 * packet to go through the rule-base.
 */
/*#define ALLOW_NON_SYN_RULEBASE_MATCH */

This basically strips all of the data out of the packet and then sends it
through to its destination.  This allows the destination host to receive the
packet and send a retransmit in turn re-establishing the connection.
Checkpoint claims this is safe but in my opinion it leaves you open for a
possible DoS attack.

/*
 * Comment the following line in fwui_head.def to disable logging of TCP
 * Non-SYN packets dropped because they are not allowed to go through the
 * rule-base.
 */
#define NON_SYN_RULEBASE_MATCH_LOG

This in my opinion is probably your best solution.  You prevent a Non-SYN
packet from flowing through your firewall but at the same time you don't
have to worry about getting logs or alerts notifying you that this has
happened.  This is currently what I do and have yet to see this cause any
problems or performance degradation at my location.

I hope this helps,
-Ryan Nobrega
-Systems/Security Manager
-Southern CT State University
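The following is an added illustration, not Check Point code and not part of the original mail: a toy model of how a stateful filter treats a TCP packet that carries no SYN and has no connection-table entry, with two booleans standing in for the ALLOW_NON_SYN_RULEBASE_MATCH and NON_SYN_RULEBASE_MATCH_LOG defines quoted above. The rule format, the addresses, the one-FIN teardown and the both-directions rulebase lookup for the non-SYN case are constructed simplifications; the payload stripping the mail mentions is not modelled.

```python
# Added example (not Check Point's code): toy stateful filter showing the
# "unknown established tcp packet" case and the effect of the two defines.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    fin: bool = False

    def key(self):
        return (self.src, self.sport, self.dst, self.dport)

    def reverse_key(self):
        return (self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Rule:
    dst: str      # destination host, or "*" for any (constructed rule format)
    dport: int    # destination port, or 0 for any
    action: str   # "accept" or "drop"

    def matches(self, p: Packet) -> bool:
        return self.dst in ("*", p.dst) and self.dport in (0, p.dport)


@dataclass
class Firewall:
    rules: list
    allow_non_syn_rulebase_match: bool = False  # ALLOW_NON_SYN_RULEBASE_MATCH (shipped commented out)
    non_syn_rulebase_match_log: bool = True     # NON_SYN_RULEBASE_MATCH_LOG (shipped defined)
    table: set = field(default_factory=set)     # connection table
    log: list = field(default_factory=list)

    def _rulebase(self, p: Packet) -> str:
        """First-match lookup; unmatched traffic falls to the implicit drop (rule 0)."""
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "drop"

    def handle(self, p: Packet) -> str:
        # 1. Known connection: pass without consulting the rulebase.
        if p.key() in self.table or p.reverse_key() in self.table:
            if p.fin:  # simplified teardown: a single FIN removes the entry
                self.table.discard(p.key())
                self.table.discard(p.reverse_key())
            return "accept"
        # 2. New connection: the SYN is matched against the rulebase.
        if p.syn:
            action = self._rulebase(p)
            if action == "accept":
                self.table.add(p.key())
            return action
        # 3. Non-SYN packet with no state: the case the mail is about.
        if self.allow_non_syn_rulebase_match:
            # Toy choice: try the rulebase in both directions so that a server
            # retransmission towards the client can match the client->server rule.
            # Note that any rule-matching stray packet now creates state.
            mirrored = Packet(p.dst, p.dport, p.src, p.sport)
            if "accept" in (self._rulebase(p), self._rulebase(mirrored)):
                self.table.add(p.key())
                return "accept"
            return "drop"
        if self.non_syn_rulebase_match_log:
            self.log.append(f"rule 0 drop {p.src}:{p.sport} -> {p.dst}:{p.dport} "
                            "unknown established TCP packet")
        return "drop"

    def expire(self, p: Packet) -> None:
        """Age an entry out of the table, as the TCP timeout does after a client vanished without a FIN."""
        self.table.discard(p.key())
        self.table.discard(p.reverse_key())


def scenario(allow_non_syn: bool, log_non_syn: bool):
    """Browser opens a connection, exits without a FIN, the entry times out, and the
    web server retransmits. Returns (verdict on the retransmission, number of log lines)."""
    fw = Firewall(rules=[Rule("10.0.0.80", 80, "accept")],
                  allow_non_syn_rulebase_match=allow_non_syn,
                  non_syn_rulebase_match_log=log_non_syn)
    syn = Packet("192.0.2.10", 40000, "10.0.0.80", 80, syn=True)  # constructed addresses
    assert fw.handle(syn) == "accept"
    reply = Packet("10.0.0.80", 80, "192.0.2.10", 40000)
    assert fw.handle(reply) == "accept"    # traffic on a known connection passes
    fw.expire(syn)                          # client is gone; the entry ages out
    return fw.handle(reply), len(fw.log)   # the server's retransmission arrives


if __name__ == "__main__":
    for flags in [(False, True), (True, True), (False, False)]:
        print(flags, scenario(*flags))
```

With the shipped defaults the retransmission is dropped by rule 0 and logged; defining ALLOW_NON_SYN_RULEBASE_MATCH lets it through and, as the toy makes visible, creates a table entry from a packet that never completed a handshake; commenting out NON_SYN_RULEBASE_MATCH_LOG keeps the drop and only silences the log line.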


-----Original Message-----
From: [email protected]
[mailto:[email protected]]On Behalf Of
Thomas Leong
Sent: Monday, July 30, 2001 5:00 AM
To: [email protected]
Subject: [FW1] RE: unknown established tcp packet



I have encountered the same problem too (in Jan). I have no choice but to
uncomment the line as mentioned in the phoneboy faq. Has anyone tried to
contact Checkpoint on this issue? I have tried over here, but no results.
This problem started in SP2. It is supposed to be a "better way" to secure
the state table, but yet it gives more problems. It seems to me SP4 has
the same problem; I thought SP4 should have solved this problem. What about
duplicate objects? Can you please elaborate more on this? I guess lots of
ppl are interested in this.

regards
Thomas

-----Original Message-----
From:	Aylton Souza, CISSP [SMTP:[email protected]]
Sent:	Friday, July 27, 2001 9:28 PM
To:	Ray Lodato; 'Dorny'; [email protected]
Subject:	Re: [FW1] Fw: unknown established tcp packet


Guys,

I have worked with several cases in which the problem was related to
duplicate objects and it caused this behavior.

I suggest you take a look on that.

Best regards

aylton
----- Original Message -----
From: Ray Lodato
To: 'Dorny' ; [email protected]
Sent: Thursday, July 26, 2001 5:23 PM
Subject: RE: [FW1] Fw: unknown established tcp packet


I ran into exactly the same situation when I upgraded to SP3. Check out
http://www.phoneboy.com/faq/0408.html. As of SP3, the default is to drop
packets for connections not in the connection table. Prior to SP3, it
would try to match up the connection with an existing rule. The FAQ has
you uncomment the line "#define ALLOW_NON_SYN_RULEBASE_MATCH" in
fwui_head.def, and re-push the policy.

Now, if someone could tell me why the connections are falling out of the
connection table so soon, that would help.

Ray Lodato
NEF Information [email protected]
-----Original Message-----
From: Dorny [mailto:[email protected]]
Sent: Wednesday, July 25, 2001 8:55 PM
To: [email protected]
Subject: [FW1] Fw: unknown established tcp packet


Once again another e-mail titled unknown established tcp packet.  I have
looked through the list but I was not able to find a definitive solution
for this error.  Here is my problem: after applying the latest check point
service pack (SP4) I began seeing my logs fill up with dropped packets by
rule 0 with the unknown TCP error.  Now I have customers telling me that
they cannot ssh, run restores, etc. through their firewalls; upon
further investigation I noticed that all the packets were being dropped by
rule 0.  I am also seeing lots of in-bound packets to customer web sites
being dropped by rule 0 with the same error.  None of this was happening
when I was at SP 1 or 2.  Anyone out there have a solution for this?

--Richard Dornhart



   All contents © 2004 Network Presence, LLC. All rights reserved.