Re: [FW-1] Problem blocking CodeRed with http resource



Rule LOCALNET -> ActiveWebServers -> ANY -> DROP is incorrect because you
have ANY -> ActiveWebServers -> http -> ACCEPT... That means that you accept
connections from your LOCALNET to ActiveWebServers.... :-(.
In my opinion you should try these rules...

1. ANY -> ActiveWebServers -> Nimdablock -> Drop
2. LOCALNET (Negate) -> ActiveWebServers -> HTTP -> ACCEPT
3. LOCALNET -> ActiveWebServers -> FTP -> ACCEPT
4. ANY -> ActiveWebServers -> ANY -> DROP -> LONG

Rule 1. rejects traffic matching NimdaBlock Resource
Rule 2. Accepts traffic to HTTP EXCEPT traffic from LOCALNET
Rule 3. Accepts traffic to FTP ONLY FROM LOCALNET
Rule 4. Drops and logs all other connections from anywhere to the
ActiveWebServers for all other services.
Use it and let me know if it is working or not ;-)



Kind Regards,




Dimitris Chontzopoulos
IS Administrator



Megatrust Securities S.A.
4, Kapsali Str.
Athens, Greece
Telephone : +3 01 7262403
Fax       : +3 01 7262095
e-mail    : [email protected]

IT Help Desk Support : +3 01 7262400





-----Original Message-----
From: [email protected]
[mailto:[email protected]]
Sent: Tuesday, October 23, 2001 7:54 PM
To: [email protected]
Subject: Re: [FW-1] Problem blocking CodeRed with http resource


Actually I don't have that anymore and I still suffer the problem...

The rules are now:
ANY -> ActiveWebServers -> Nimbablock -> DROP
ANY -> ActiveWebServers -> http -> ACCEPT
LOCALNET -> ActiveWebServers -> FTP -> ACCEPT
LOCALNET -> ActiveWebServers -> ANY -> DROP

And I still suffer this fate...

Would what you are saying still cause this problem?


-----Original Message-----
From: ychapman [mailto:[email protected]]
Sent: Monday, October 22, 2001 7:02 PM
To: FW-1-MAILINGLIST
Subject: Re: [FW-1] Problem blocking CodeRed with http resource


That is because your rule is
> (Not localnet -> ActiveWebServers http accept)
and I believe the "localnet" includes the address of the firewall
or the server itself has an ACL to reject access from the firewall.
When you use a URI rule, the firewall works as a proxy
so the source address becomes the address of the firewall,
not the original source address.
That's why the client receives an error message from the firewall,
not from the server or the browser.
> Firewall-1: Failed to connect to www server

=========================
Yuriko Chapman
Systems Engineer
Xerox Palo Alto Research Center
3333 Coyote Hill Rd. Palo Alto, CA  94304-1314


> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]
> Sent: Thursday, October 18, 2001 9:11 PM
> To: [email protected]
> Subject: Re: [FW-1] Problem blocking CodeRed with http resource
>
>
> Yes, the original working rule is still in there.
> (Not localnet -> ActiveWebServers http accept)
>
>
> The blockage only occurs on http public net -> DMZ net.
> It still works fine from private net -> DMZ net.
>
> There is NAT running, but I don't see how it would hurt (of course I have
> been surprised before).
>
>
>
> -----Original Message-----
> From: dimitris.chontzopoulos
> [mailto:[email protected]]
> Sent: Thursday, October 18, 2001 12:57 PM
> To: FW-1-MAILINGLIST
> Subject: Re: [FW-1] Problem blocking CodeRed with http resource
>
>
> Have you added a rule under the BlockNimda rule to allow the rest of the
> http traffic???
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]
> Sent: Thursday, October 18, 2001 5:11 PM
> To: [email protected]
> Subject: Re: [FW-1] Problem blocking CodeRed with http resource
>
>
> Ah thank you.
>
> Any idea why it is not working though?
>
> -----Original Message-----
> From: Werner.Brockhoven [mailto:[email protected]]
> Sent: Thursday, October 18, 2001 5:14 AM
> To: FW-1-MAILINGLIST
> Subject: Re: [FW-1] Problem blocking CodeRed with http resource
>
>
> Hi,
>
> You'll also want to add readme.eml
>
> Regards,
>
> Werner
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]
> Sent: Wednesday, October 17, 2001 9:47 PM
> To: [email protected]
> Subject: [FW-1] Problem blocking CodeRed with http resource
>
>
> Hey all
>
> I picked up the way to do this out of an earlier thread and got it to
> work wonderfully - I thought.
>
> Once I had it in place (it being the following):
>
> ANY - ANY - NIMBABLOCK - DROP
>
> Where NIMBABLOCK is a Resource URI definition like:
>
> Connection methods:  Transparent, Proxy
> Exception track: Log
> URI match: Wild Cards
> Schemes: http
> Methods: GET
> Host: *
> Path:
> {*default.ida?*,*cmd.exe?*,*root.exe?*,*dmin.dll,*/x,*readme.exe*}
> Query: *
>
> Works great if I test it going out to the DMZ from inside, but coming in
> from the Internet to the DMZ it apparently is blocking all web traffic
> on this rule.  From the inside to the DMZ it works perfectly.
>
> Any help would be appreciated as my web server logs are filling with
> this fluff.
>
> Bill (FW41-1, SP 2, HPUX)
>
>
>
>
>

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================
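
The first-match behaviour of the two rule bases discussed in this thread, as an added example that is not part of any poster's message and is not FireWall-1 code. The addresses and LOCALNET range are constructed, the `worm_uri` flag stands in for "the request matched the URI resource", the destination is always ActiveWebServers, and the rule base is assumed to end in an implicit drop. It models rule order only, not the proxying of resource-matched connections.

```python
from ipaddress import ip_address, ip_network

LOCALNET = ip_network("10.0.0.0/8")  # constructed range, not from the thread

def rule(src, service, action, negate=False):
    return {"src": src, "service": service, "action": action, "negate": negate}

# Rule base as posted on October 23 (still showing the problem).
CURRENT = [
    rule("ANY", "nimdablock", "DROP"),
    rule("ANY", "http", "ACCEPT"),
    rule("LOCALNET", "ftp", "ACCEPT"),
    rule("LOCALNET", "ANY", "DROP"),
]

# Rule base suggested in the reply at the top of the thread.
PROPOSED = [
    rule("ANY", "nimdablock", "DROP"),
    rule("LOCALNET", "http", "ACCEPT", negate=True),
    rule("LOCALNET", "ftp", "ACCEPT"),
    rule("ANY", "ANY", "DROP"),  # tracked LONG in the suggestion
]

def src_matches(r, src):
    if r["src"] == "ANY":
        return True
    inside = ip_address(src) in LOCALNET
    return not inside if r["negate"] else inside

def svc_matches(r, service, worm_uri):
    if r["service"] == "ANY":
        return True
    if r["service"] == "nimdablock":  # http request hitting the URI resource
        return service == "http" and worm_uri
    return r["service"] == service

def evaluate(rules, src, service, worm_uri=False):
    """Return (rule number, action) of the first rule that matches."""
    for n, r in enumerate(rules, 1):
        if src_matches(r, src) and svc_matches(r, service, worm_uri):
            return n, r["action"]
    return None, "DROP"  # nothing matched: assumed implicit final drop

if __name__ == "__main__":
    for name, rules in (("current", CURRENT), ("proposed", PROPOSED)):
        for src in ("10.1.2.3", "198.51.100.7"):  # inside, outside
            for svc in ("http", "ftp"):
                print(name, src, svc, evaluate(rules, src, svc))
```
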
