Re: [FW1] Strange Rule 0 behavior
Are you Sync'ing the tables between the 2 machines?

----- Original Message -----
From: "bob odenkirk" <[email protected]>
To: <[email protected]>
Sent: Friday, August 24, 2001 1:11 PM
Subject: [FW1] Strange Rule 0 behavior

> Hello,
> We have a FW-1 4.1 SP 3. We are using Stonebeat Full cluster for high
> availability (2.0.2035 SP03a). Our platform is Solaris 7. I have a rule set
> up to allow DNS, SSH, SMTP, IMAPS from my home machine (static IP) to a
> machine behind the firewall. The machine behind the firewall that I am
> trying to access for the above services has a public IP so there is no NAT
> involved. I can use the DNS service from home without a problem. However,
> all the other services will time out when trying to access them from my
> home. Here is a snoop session in which I am trying to access SSH from home
> to the machine behind the firewall. The snoop was run on the machine
> running the SSH service that resides behind the firewall:
>
> 206.150.228.61 = home machine
> catfish.jmq.net = SSH Host
>
> 206.150.228.61 -> catfish.jmq.net TCP D=22 S=2743 Syn Seq=2158168247 Len=0 Win=16384 Options=<mss 1460,nop,nop,sackOK>
> catfish.jmq.net -> 206.150.228.61 TCP D=2743 S=22 Syn Ack=2158168248 Seq=Len=0 Win=33580 Options=<nop,nop,sackOK,mss 1460>
> 206.150.228.61 -> catfish.jmq.net TCP D=22 S=2743 Syn Seq=2158168247 Len=0 Win=16384 Options=<mss 1460,nop,nop,sackOK>
> catfish.jmq.net -> 206.150.228.61 TCP D=2743 S=22 Ack=2158168248 Seq=Len=0 Win=33580
> catfish.jmq.net -> 206.150.228.61 TCP D=2743 S=22 Syn Ack=2158168248 Seq=Len=0 Win=33580 Options=<nop,nop,sackOK,mss 1460>
> 206.150.228.61 -> catfish.jmq.net TCP D=22 S=2743 Syn Seq=2158168247 Len=0 Win=16384 Options=<mss 1460,nop,nop,sackOK>
> catfish.jmq.net -> 206.150.228.61 TCP D=2743 S=22 Ack=2158168248 Seq=Len=0 Win=33580
> catfish.jmq.net -> 206.150.228.61 TCP D=2743 S=22 Syn Ack=2158168248 Seq=Len=0 Win=33580 Options=<nop,nop,sackOK,mss 1460>
> catfish.jmq.net -> 206.150.228.61 TCP D=2743 S=22 Syn Ack=2158168248 Seq=Len=0 Win=33580 Options=<nop,nop,sackOK,mss 1460>
>
> Interestingly enough, when I look through the logs all the packets
> originating from my machine to the SSH machine will be dropped because of
> "rule 0 Unknown Established TCP Packet." This is odd since I see the syn
> packet from my machine making it to the SSH host behind the firewall. I
> would think that if FW-1 let the syn packet through that it would create
> an entry in its state table. So why this would be "Unknown Established TCP
> packet" is beyond me. I must add that I am able to SSH from the SSH Host
> behind the firewall to my machine at home without problem. I thought this
> might be a case of asymmetric routing so I took the second firewall in the
> Stonebeat Full Cluster offline but this situation persisted. If anyone
> could give me any feedback I would greatly appreciate it. Thanks

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
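To make the exchange above concrete, here is an added, self-contained model (not FireWall-1 or StoneBeat code, and not from either poster) of how a stateful firewall cluster ends up logging an "Unknown Established TCP Packet" drop: a node creates a connection-table entry only when it accepts a SYN, so any later ACK-only segment that reaches a node holding no entry for that flow is dropped. The model runs the three-way handshake through a two-node cluster with and without state-table synchronisation, and with the client's final ACK arriving on the other node, which is the situation the reply's question about syncing tables is getting at. All addresses, rule names and the cluster/sync mechanics are constructed for the illustration.

```python
"""Toy model of stateful TCP inspection across a two-node firewall cluster.

Hypothetical illustration only: the rule numbers, the state names and the
sync mechanism are assumptions, not FireWall-1 / StoneBeat behaviour.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

    def flow(self):
        # Canonical 4-tuple so both directions map to the same table entry.
        a, b = (self.src, self.sport), (self.dst, self.dport)
        return (a, b) if a <= b else (b, a)


@dataclass
class FirewallNode:
    name: str
    allowed: set                          # (src, dst, dport) permitted by the rulebase
    table: dict = field(default_factory=dict)   # per-node connection table
    log: list = field(default_factory=list)

    def inspect(self, seg: Segment) -> str:
        key = seg.flow()
        if seg.syn and not seg.ack:
            # New connection attempt: consult the rulebase, then record state.
            if (seg.src, seg.dst, seg.dport) in self.allowed:
                self.table[key] = "SYN_SENT"
                return self._log(seg, "accept", "rule 1")
            return self._log(seg, "drop", "rule 0 (no matching rule)")
        if key not in self.table:
            # Looks like part of an established connection, but this node
            # never saw the SYN: modelled on the log message in the thread.
            return self._log(seg, "drop", "rule 0 Unknown Established TCP Packet")
        if seg.syn and seg.ack:
            self.table[key] = "SYN_RECEIVED"
        elif self.table[key] == "SYN_RECEIVED":
            self.table[key] = "ESTABLISHED"
        return self._log(seg, "accept", f"state {self.table[key]}")

    def _log(self, seg: Segment, action: str, reason: str) -> str:
        self.log.append(f"{self.name}: {seg.src}:{seg.sport} -> "
                        f"{seg.dst}:{seg.dport} {action} ({reason})")
        return action


class Cluster:
    """Two nodes; with sync=True every accepted state change is copied across."""

    def __init__(self, nodes, sync: bool):
        self.nodes, self.sync = nodes, sync

    def forward(self, seg: Segment, via: FirewallNode) -> str:
        action = via.inspect(seg)
        if self.sync and action == "accept":
            for node in self.nodes:
                if node is not via:
                    node.table[seg.flow()] = via.table[seg.flow()]
        return action


def run_handshake(sync: bool, asymmetric: bool) -> dict:
    """SYN and SYN-ACK pass node A; the client's ACK lands on B if asymmetric."""
    home, host = "203.0.113.10", "192.0.2.22"      # constructed (RFC 5737) addresses
    allowed = {(home, host, 22)}
    a, b = FirewallNode("fw-a", allowed), FirewallNode("fw-b", allowed)
    cluster = Cluster([a, b], sync)
    syn = Segment(home, 2743, host, 22, syn=True)
    synack = Segment(host, 22, home, 2743, syn=True, ack=True)
    ack = Segment(home, 2743, host, 22, ack=True)
    third = b if asymmetric else a
    actions = [cluster.forward(syn, a),
               cluster.forward(synack, a),
               cluster.forward(ack, third)]
    return {"actions": actions, "log": a.log + b.log}


if __name__ == "__main__":
    for sync, asym in [(False, False), (False, True), (True, True)]:
        result = run_handshake(sync, asym)
        print(f"sync={sync} asymmetric={asym}: {result['actions']}")
        for line in result["log"]:
            print("   ", line)
```

The asymmetric, unsynchronised run reproduces the capture: the SYN and SYN-ACK are accepted, the client's handshake ACK is dropped as an unknown established packet, and each side keeps retransmitting its SYN or SYN-ACK. Enabling sync, or forcing both directions through one node, lets the third segment match an entry and the connection reach ESTABLISHED. Note that the original poster also saw the drops with the second node offline, so in his case the state entry is being lost on a single node for some other reason; this model shows only the sync failure mode.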