Re: [FW-1] Problem blocking CodeRed with http resource
Rule LOCALNET -> ActiveWebServers -> ANY -> DROP is incorrect because you have
ANY -> ActiveWebServers -> http -> ACCEPT... That means that you accept
connections from your LOCALNET to ActiveWebServers.... :-(

In my opinion you should try these rules...

1. ANY -> ActiveWebServers -> Nimdablock -> DROP
2. LOCALNET (Negate) -> ActiveWebServers -> HTTP -> ACCEPT
3. LOCALNET -> ActiveWebServers -> FTP -> ACCEPT
4. ANY -> ActiveWebServers -> ANY -> DROP -> LONG

Rule 1 rejects traffic matching the NimdaBlock Resource.
Rule 2 accepts traffic to HTTP EXCEPT traffic from LOCALNET.
Rule 3 accepts traffic to FTP ONLY FROM LOCALNET.
Rule 4 drops and logs all other connections from anywhere to the ActiveWebServers for every other service.

Use it and let me know if it is working or not ;-)

Kind Regards,

Dimitris Chontzopoulos
IS Administrator
Megatrust Securities S.A.
4, Kapsali Str.
Athens, Greece
Telephone : +3 01 7262403
Fax : +3 01 7262095
e-mail : [email protected]
IT Help Desk Support : +3 01 7262400
-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, October 23, 2001 7:54 PM
To: [email protected]
Subject: Re: [FW-1] Problem blocking CodeRed with http resource

Actually I don't have that anymore and I still suffer the problem...

The rules are now:

ANY -> ActiveWebServers -> Nimbablock -> DROP
ANY -> ActiveWebServers -> http -> ACCEPT
LOCALNET -> ActiveWebServers -> FTP -> ACCEPT
LOCALNET -> ActiveWebServers -> ANY -> DROP

And I still suffer this fate... Would what you are saying still cause this problem?

-----Original Message-----
From: ychapman [mailto:[email protected]]
Sent: Monday, October 22, 2001 7:02 PM
To: FW-1-MAILINGLIST
Subject: Re: [FW-1] Problem blocking CodeRed with http resource

That is because your rule is

> (Not localnet -> ActiveWebServers http accept)

and I believe the "localnet" includes the address of the firewall, or the server itself has an ACL to reject the access from the firewall. When you use a URI rule, the firewall works as a proxy, so the source address becomes the address of the firewall, not the original source address. That's why the client receives an error message from the firewall, not from the server or the browser.

> Firewall-1: Failed to connect to www server

=========================
Yuriko Chapman
Systems Engineer
Xerox Palo Alto Research Center
3333 Coyote Hill Rd.
Palo Alto, CA 94304-1314

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]
> Sent: Thursday, October 18, 2001 9:11 PM
> To: [email protected]
> Subject: Re: [FW-1] Problem blocking CodeRed with http resource
>
> Yes, the original working rule is still in there.
> (Not localnet -> ActiveWebServers http accept)
>
> The blockage only occurs on http public net -> DMZ net
> It still works fine from private net -> DMZ net
>
> There is NAT running, but I don't see how it would hurt (of course I have
> been surprised before).
>
> -----Original Message-----
> From: dimitris.chontzopoulos
> [mailto:[email protected]]
> Sent: Thursday, October 18, 2001 12:57 PM
> To: FW-1-MAILINGLIST
> Subject: Re: [FW-1] Problem blocking CodeRed with http resource
>
> Have you added a rule under the BlockNimda rule to allow the rest of the
> http traffic???
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]
> Sent: Thursday, October 18, 2001 5:11 PM
> To: [email protected]
> Subject: Re: [FW-1] Problem blocking CodeRed with http resource
>
> Ah thank you.
>
> Any idea why it is not working though?
>
> -----Original Message-----
> From: Werner.Brockhoven [mailto:[email protected]]
> Sent: Thursday, October 18, 2001 5:14 AM
> To: FW-1-MAILINGLIST
> Subject: Re: [FW-1] Problem blocking CodeRed with http resource
>
> Hi,
>
> You'll also want to add readme.eml
>
> Regards,
>
> Werner
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]
> Sent: Wednesday, October 17, 2001 9:47 PM
> To: [email protected]
> Subject: [FW-1] Problem blocking CodeRed with http resource
>
> Hey all
>
> I picked up the way to do this out of an earlier thread and got it to
> work wonderfully - I thought.
>
> Once I had it in place (it being the following):
>
> ANY - ANY - NIMBABLOCK - DROP
>
> Where NIMBABLOCK is a Resource URI definition like:
>
> Connection methods: Transparent, Proxy
> Exception track: Log
> URI match: Wild Cards
> Schemes: http
> Methods: GET
> Host: *
> Path: {*default.ida?*,*cmd.exe?*,*root.exe?*,*dmin.dll,*/x,*readme.exe*}
> Query: *
>
> Works great if I test it going out to the DMZ from inside, but coming in
> from the Internet to the DMZ it apparently is blocking all web traffic
> on this rule. From the inside to the DMZ it works perfectly.
>
> Any help would be appreciated as my web server logs are filling with
> this fluff
>
> Bill (FW41-1, SP 2, HPUX)

===============================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================
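A first-match simulation of the two rule bases posted in this thread (Bill's October 23 rules and Dimitris's proposed replacement), added here as an illustration and not code from any of the posters. The LOCALNET and ActiveWebServers address ranges, the sample connections, and the use of glob matching to approximate the URI resource's "Wild Cards" path match are assumptions; it shows why Bill's ANY -> http -> ACCEPT rule admits LOCALNET before his LOCALNET -> ANY -> DROP rule is ever reached, and which probe paths the NIMBABLOCK resource catches.

```python
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

# Constructed address ranges standing in for the thread's network objects.
OBJECTS = {
    "LOCALNET": ip_network("10.0.0.0/8"),
    "ActiveWebServers": ip_network("192.0.2.0/24"),   # the DMZ web servers
    "ANY": ip_network("0.0.0.0/0"),
}
# Path wildcards from Bill's NIMBABLOCK URI resource, plus Werner's readme.eml.
# Glob semantics only approximate the resource's "Wild Cards" match; a glob
# "?" matches any single character, including a literal "?".
NIMBABLOCK_PATHS = ["*default.ida?*", "*cmd.exe?*", "*root.exe?*", "*dmin.dll",
                    "*/x", "*readme.exe*", "*readme.eml*"]

def in_object(addr, name):
    return ip_address(addr) in OBJECTS[name]

def service_matches(rule_svc, conn):
    if rule_svc == "ANY":
        return True
    if rule_svc == "NIMBABLOCK":   # URI resource: http AND a path wildcard hit
        return conn["service"] == "http" and any(
            fnmatchcase(conn.get("path", ""), p) for p in NIMBABLOCK_PATHS)
    return rule_svc == conn["service"]

def evaluate(rules, conn):
    """Action of the first matching rule; no match means the implicit drop."""
    for src, dst, svc, action in rules:
        negate = src.startswith("!")          # "!LOCALNET" = LOCALNET negated
        if (in_object(conn["src"], src.lstrip("!")) != negate
                and in_object(conn["dst"], dst) and service_matches(svc, conn)):
            return action
    return "DROP"

# Bill's rule base as posted on October 23.
BILL = [("ANY", "ActiveWebServers", "NIMBABLOCK", "DROP"),
        ("ANY", "ActiveWebServers", "http", "ACCEPT"),
        ("LOCALNET", "ActiveWebServers", "ftp", "ACCEPT"),
        ("LOCALNET", "ActiveWebServers", "ANY", "DROP")]
# Dimitris's proposed rule base (rule 2 has a negated source).
DIMITRIS = [("ANY", "ActiveWebServers", "NIMBABLOCK", "DROP"),
            ("!LOCALNET", "ActiveWebServers", "http", "ACCEPT"),
            ("LOCALNET", "ActiveWebServers", "ftp", "ACCEPT"),
            ("ANY", "ActiveWebServers", "ANY", "DROP")]

def conn(src, service, path=None):
    """Constructed connection to a DMZ web server (192.0.2.10)."""
    return {"src": src, "dst": "192.0.2.10", "service": service, "path": path or ""}
```

The simulation covers rule ordering and path matching only; it does not model the proxy behaviour Yuriko describes, where a URI resource rule makes the firewall's own address the source seen by the server.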