[FW1] Strange Rule 0 behavior
Hello,

We have a FW-1 4.1 SP 3. We are using Stonebeat Full cluster for high availability (2.0.2035 SP03a). Our platform is Solaris 7.

I have a rule set up to allow DNS, SSH, SMTP, IMAPS from my home machine (static IP) to a machine behind the firewall. The machine behind the firewall that I am trying to access for the above services has a public IP so there is no NAT involved. I can use the DNS service from home without a problem. However, all the other services will time out when trying to access them from my home.

Here is a snoop session in which I am trying to access SSH from home to the machine behind the firewall. The snoop was run on the machine running the SSH service that resides behind the firewall:

206.150.228.61 = home machine
catfish.jmq.net = SSH Host

206.150.228.61 -> catfish.jmq.net TCP D=22 S=2743 Syn Seq=21581 68247 Len=0 Win=16384 Options=<mss 1460,nop,nop,sackOK>
catfish.jmq.net -> 206.150.228.61 TCP D=2743 S=22 Syn Ack=21581 68248 Seq=Len=0 Win=33580 Options=<nop,nop,sackOK,mss 1460>
206.150.228.61 -> catfish.jmq.net TCP D=22 S=2743 Syn Seq=21581 68247 Len=0 Win=16384 Options=<mss 1460,nop,nop,sackOK>
catfish.jmq.net -> 206.150.228.61 TCP D=2743 S=22 Ack=21581 68248 Seq=Len=0 Win=33580
catfish.jmq.net -> 206.150.228.61 TCP D=2743 S=22 Syn Ack=21581 68248 Seq=Len=0 Win=33580 Options=<nop,nop,sackOK,mss 1460>
206.150.228.61 -> catfish.jmq.net TCP D=22 S=2743 Syn Seq=21581 68247 Len=0 Win=16384 Options=<mss 1460,nop,nop,sackOK>
catfish.jmq.net -> 206.150.228.61 TCP D=2743 S=22 Ack=21581 68248 Seq=Len=0 Win=33580
catfish.jmq.net -> 206.150.228.61 TCP D=2743 S=22 Syn Ack=21581 68248 Seq=Len=0 Win=33580 Options=<nop,nop,sackOK,mss 1460>
catfish.jmq.net -> 206.150.228.61 TCP D=2743 S=22 Syn Ack=21581 68248 Seq=Len=0 Win=33580 Options=<nop,nop,sackOK,mss 1460>

Interestingly enough, when I look through the logs all the packets originating from my machine to the SSH machine will be dropped because of "rule 0 Unknown Established TCP Packet."
This is odd since I see the syn packet from my machine making it to the SSH host behind the firewall. I would think that if FW-1 let the syn packet through that it would create an entry in its state table. So why this would be "Unknown Established TCP packet" is beyond me.

I must add that I am able to SSH from the SSH Host behind the firewall to my machine at home without problem. I thought this might be a case of asymmetric routing so I took the second firewall in the Stonebeat Full Cluster offline but this situation persisted.

If anyone could give me any feedback I would greatly appreciate it.

Thanks
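An added example, not part of the original post: a short Python script that reads snoop summary lines in the format quoted above and reports, per TCP flow, whether the three-way handshake completed. The sample trace is constructed to mirror the quoted capture (sequence numbers are made up), and the function and verdict names are hypothetical.

```python
import re
from collections import defaultdict

# Matches snoop summary lines such as:
#   host_a -> host_b TCP D=22 S=2743 Syn Seq=1000 Len=0 Win=16384
LINE = re.compile(r"^(\S+) -> (\S+)\s+TCP D=(\d+) S=(\d+) (.*)$")

# Constructed sample mirroring the capture in the post (made-up sequence numbers).
SAMPLE = """\
206.150.228.61 -> catfish.jmq.net TCP D=22 S=2743 Syn Seq=1000 Len=0 Win=16384
catfish.jmq.net -> 206.150.228.61 TCP D=2743 S=22 Syn Ack=1001 Seq=5000 Len=0 Win=33580
206.150.228.61 -> catfish.jmq.net TCP D=22 S=2743 Syn Seq=1000 Len=0 Win=16384
catfish.jmq.net -> 206.150.228.61 TCP D=2743 S=22 Ack=1001 Seq=5001 Len=0 Win=33580
catfish.jmq.net -> 206.150.228.61 TCP D=2743 S=22 Syn Ack=1001 Seq=5000 Len=0 Win=33580
206.150.228.61 -> catfish.jmq.net TCP D=22 S=2743 Syn Seq=1000 Len=0 Win=16384
"""

def verdict(c):
    """Classify one flow from its packet counters."""
    if c["client_ack"]:
        return "established"   # client completed the handshake
    if not c["synack"]:
        return "no-reply"      # server never answered the SYN
    if c["syn"] > 1:
        return "stalled"       # client still retransmitting SYN despite SYN-ACKs
    return "incomplete"        # one SYN, SYN-ACK sent, no ACK captured yet

def handshake_state(snoop_text):
    """Return {(client, cport, server, sport): verdict} for each flow seen."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "client_ack": 0})
    for raw in snoop_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue           # skip non-TCP or unparseable lines
        src, dst, dport, sport, rest = m.groups()
        syn, ack = rest.startswith("Syn"), "Ack=" in rest
        if syn and not ack:                        # client SYN
            flows[(src, sport, dst, dport)]["syn"] += 1
        elif syn and ack:                          # server SYN-ACK
            flows[(dst, dport, src, sport)]["synack"] += 1
        elif ack and (src, sport, dst, dport) in flows:
            flows[(src, sport, dst, dport)]["client_ack"] += 1  # client ACK
    return {key: verdict(c) for key, c in flows.items()}

if __name__ == "__main__":
    for flow, state in handshake_state(SAMPLE).items():
        print(flow, state)
```

A "stalled" verdict on a capture taken at the server means the server's replies are leaving the host but the client is still in SYN_SENT, so the next place to capture is the path back toward the client.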