Re: [FW-1] Problem blocking CodeRed with http resource

Yeah, the rules are very similar. From the outside, a user would get this message when the nimbablock is installed (when you tried it, I had it disabled):

Firewall-1: Failed to connect to www server

If I take out the rule with the block, it all starts working again. From the inside (proxy'd) it works regardless. Just coming from the outside. Have bounced and pushed a few times with this one.

We had tried SP3 when it came out, but there is a problem with IPSEC in it that blew out our VPN...

Thanks for the help regardless

Bill

-----Original Message-----
From: dimitris.chontzopoulos [mailto:[email protected]]
Sent: Monday, October 22, 2001 5:42 AM
To: FW-1-MAILINGLIST
Subject: Re: [FW-1] Problem blocking CodeRed with http resource

In my opinion the rules should look like...

1. Any -> DMZ-Web-Servers -> HTTP with Resource (Block Nimda) -> Drop
2. Any -> DMZ-Web-Servers -> HTTP -> Accept
3. Any -> DMZ-Web-Servers -> ANY -> Drop -> Long

If the above is the exact configuration and it doesn't work, then you have a problem. Check to see if there are other rules blocking access from the Internet to your Web Servers. If not... I don't know... Try uninstalling the policy, bouncing the Firewall and reinstalling the policy. If these don't work I really don't know what else to say... Maybe you should upgrade to SP3.

For the record I can connect without a problem to www.ensign-bickfordind.com and the pages roll out just fine.

The above 3 rules should be at the top of the Rule base or just above your first rule that has to do with HTTP traffic. Under rule No.3 you can add all other services you want to accept (Source ANY at all times).

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Friday, October 19, 2001 8:39 PM
To: [email protected]
Cc: [email protected]
Subject: RE: [FW-1] Problem blocking CodeRed with http resource

I double checked everything. The closest I came was that if I put in rules to do it from NOT Localnet to ACTIVEWEBSERVERS, it works from the inside, but from the outside they get a connect connect to the web server response. In the logs, the outside attempts are being accepted by the rule that should allow them to get a page...

ARRRRGGGGG

-----Original Message-----
From: dimitris.chontzopoulos [mailto:[email protected]]
Sent: Thursday, October 18, 2001 3:53 PM
To: FW-1-MAILINGLIST
Subject: Re: [FW-1] Problem blocking CodeRed with http resource

This is regarding what I have configured.

Name : Block-Http-Exploits
Comment : Nimda-Sand-CodeRed
Color : Dark Red
Connection Methods : Transparent, Proxy
Exception Track : Log or Alert (Anything that suits you)
URI Match Specification Type : Wild Cards
Match Schemes : HTTP, FTP, GOPHER, MAILTO, NEWS, WAIS, OTHER: *
Match Methods : GET, POST, PUT, HEAD, OTHER: *
Match Host : *
Match Path : {*default.ida?*,*cmd.exe*,*root.exe*,*admin.dll*,*readme.exe*,*.eml*,*.nws}
Match Query : *
Action Replacement URI : http://http.Exploits.have.been.blocked.LoL
Action CVP : No CVP, None

Policy Editor : (Source) Any, (Destination) Any or Your Web Server(s), (Service) Http->Block-Http-Exploits, (Action) Drop, (Track) Long

The above rule is to be installed ON TOP of your Rule Base or above the FIRST rule regarding Http traffic.

DO NOT FORGET TO PUT THE BELOW :
"(Source) Any, (Destination) Any or Your Web Server(s), (Service) Http, (Action) Drop, (Track) Long"
"(Source) Any, (Destination) Your Web Server(s), (Service) Any, (Action) Drop, (Track) Long"

E-mail me again to tell me if it works.

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Thursday, October 18, 2001 9:11 PM
To: [email protected]
Subject: Re: [FW-1] Problem blocking CodeRed with http resource

Yes, the original working rule is still in there. (Not localnet -> ActiveWebServers http accept)

The blockage only occurs on http public net -> DMZ net
It still works fine from private net -> DMZ net

There is NAT running, but I don't see how it would hurt (of course I have been surprised before).

-----Original Message-----
From: dimitris.chontzopoulos [mailto:[email protected]]
Sent: Thursday, October 18, 2001 12:57 PM
To: FW-1-MAILINGLIST
Subject: Re: [FW-1] Problem blocking CodeRed with http resource

Have you added a rule under the BlockNimda rule to allow the rest of the http traffic???

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Thursday, October 18, 2001 5:11 PM
To: [email protected]
Subject: Re: [FW-1] Problem blocking CodeRed with http resource

Ah thank you. Any idea why it is not working though?

-----Original Message-----
From: Werner.Brockhoven [mailto:[email protected]]
Sent: Thursday, October 18, 2001 5:14 AM
To: FW-1-MAILINGLIST
Subject: Re: [FW-1] Problem blocking CodeRed with http resource

Hi,

You'll also want to add readme.eml

Regards,
Werner

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Wednesday, October 17, 2001 9:47 PM
To: [email protected]
Subject: [FW-1] Problem blocking CodeRed with http resource

Hey all

I picked up the way to do this out of an earlier thread and got it to work wonderfully - I thought. Once I had it in place (it being the following):

ANY - ANY - NIMBABLOCK - DROP

Where NIMBABLOCK is a Resource URI definition like:

Connection methods: Transparent, Proxy
Exception track: Log
URI match: Wild Cards
Schemes: http
Methods: GET
Host: *
Path: {*default.ida?*,*cmd.exe?*,*root.exe?*,*dmin.dll,*/x,*readme.exe*}
Query: *

Works great if I test it going out to the DMZ from inside, but coming in from the Internet to the DMZ it apparently is blocking all web traffic on this rule. From the inside to the DMZ it works perfectly

Any help would be appreciated as my web server logs are filling with this fluff

Bill (FW41-1, SP 2, HPUX)

Bill Chmura
Ensign-Bickford Industries, Inc.
Information Technologies Department

===============================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================
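An added illustration (my code, not anything posted in the thread) of the two things the thread turns on: the three-rule order Dimitris lays out (resource drop, plain HTTP accept, catch-all drop) and the wild-card Match Path of his resource. It compiles the `{...}` list into one regex and replays constructed web-server log lines through the rule base top-down, tallying which rule handles each request, so a defender can see how much of the log "fluff" the resource would have caught and that ordinary pages still reach rule 2. The wild-card semantics (`*` matches any run of characters, `?` is literal) and the Common Log Format sample lines are my assumptions, not from the page.

```python
import re

# Match Path value posted in the thread (the Block-Http-Exploits resource).
BLOCK_PATH_SPEC = "{*default.ida?*,*cmd.exe*,*root.exe*,*admin.dll*,*readme.exe*,*.eml*,*.nws}"

# Rule base in the order the thread settles on: (service, path spec, action).
RULE_BASE = [
    ("http", BLOCK_PATH_SPEC, "drop"),  # 1. HTTP with Resource (Block Nimda) -> Drop
    ("http", None, "accept"),           # 2. HTTP -> Accept (the rule that was missing)
    ("any", None, "drop"),              # 3. ANY -> Drop -> Long
]

def compile_path_spec(spec: str):
    # Assumption (not stated on the page): '{a,b,c}' lists alternatives, '*' matches
    # any run of characters, and every other character, including '?', is literal.
    body = spec.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    alts = [".*".join(re.escape(p) for p in alt.split("*")) for alt in body.split(",")]
    return re.compile("^(?:" + "|".join(alts) + ")$", re.IGNORECASE)

def first_matching_rule(service: str, path: str):
    # Walk the rule base top-down, FireWall-1 style; return (rule number, action).
    for number, (svc, spec, action) in enumerate(RULE_BASE, start=1):
        if svc not in ("any", service):
            continue
        if spec is not None and not compile_path_spec(spec).match(path):
            continue
        return number, action
    return 0, "drop"  # implicit drop when nothing matched

# Constructed Common Log Format lines standing in for the "fluff" filling the web logs.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Oct/2001:09:11:02 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 200 4096
192.0.2.11 - - [18/Oct/2001:09:11:05 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 300
198.51.100.7 - - [18/Oct/2001:09:12:40 -0400] "GET /index.html HTTP/1.1" 200 2110
192.0.2.12 - - [18/Oct/2001:09:13:01 -0400] "GET /readme.eml HTTP/1.0" 404 300
"""
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d"')

def triage_log(text: str) -> dict:
    # Replay each logged request through the rule base and tally the outcome per rule.
    tallies = {"by_rule": {}, "dropped_paths": []}
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        number, action = first_matching_rule("http", m.group("path"))
        tallies["by_rule"][number] = tallies["by_rule"].get(number, 0) + 1
        if action == "drop":
            tallies["dropped_paths"].append(m.group("path"))
    return tallies
```

Running `triage_log(SAMPLE_LOG)` shows three of the four constructed requests stopping at rule 1 and only the plain page request reaching rule 2.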