Re: [FW-1] Cannot Compile
Hi Yves,

Actually this is the real problem we are facing now. I have tried to do what you advised:

First:
  Name: SMTP-Reject_dest
  Comment: Reject common redirection characters
  Exception Track: Log
  Notify Sender On Error
  Match Recipient: *{*%*,*!*}*
  Strip MIME of type:
  Don't Accept Mail Larger Than 999999 KB
  CVP Server: Anti_Virus
  CVP Read/Write
  Allowed Chars: 8-bit

When we typed *{*%*,*!*}* in the Match Recipient we found "invalid match or ... something like that". Then I left it blank. For the second resource we had no problem defining it.

When we installed (compiled) the new rules, the following error occurred:

  Standard.W: Security Policy Script generated into Standard.pf
  Standard:
  "C:\WINNT\FW\conf\Standard.pf", line 584: ERROR: macro identifier <smtp> redefined
  "C:\WINNT\FW\conf\Standard.pf", line 629: ERROR: cannot expand macro <smtp>
  "C:\WINNT\FW\conf\Standard.pf", line 692: ERROR: cannot find <table_target_list9> anywhere
  Compilation Failed.

Finally we tried to remove the two rules and reinstalled again. Now there is no error found, but there is no transaction found in the log viewer like normally. Most of the fields have no contents at all (before I found this error, the log could record any transaction through the firewall). I am rather worried and don't know whether this FW is working properly or not.

After that we tried to create another simple resource and rule like:

>I have created a resource :
>
>  Name: AntiSpamming
>  Exception Track: None
>  Match Sender: {*@vhost.*}
>  Don't Accept Mail Larger Than 1000 KB
>  CVP (no server installed)
>  CVP None
>  Allowed Chars: 8-bit
>
>With the two following rules:
>
>Source   Destination   Service                   Action   Install on
>any      SMTP          smtp->SMTP-AntiSpamming   Reject   OurFW

The same error was found when we installed the rule.

This is the complete history of our mails.

Perhaps a related question with this mail: we use Check Point FireWall-1 version 4.0 running on NT 4.0. To deploy CVP in the FW-1, do we need other software besides the FW-1?
Thank you very much for sharing your idea.

Best regards,
Suriyanto

Yves Belle-Isle <[email protected]> on 11/29/2001 09:10:30 PM

Please respond to Mailing list for discussion of Firewall-1 <[email protected]>

To: [email protected]
cc: (bcc: Suriyanto Limah/AIN/ACI)
Subject: Re: [FW-1] Smtp Resource FW-1 NG

First you have to block SMTP relaying on the Notes box, and if you use an SMTP Security server (like for CVP) you need to block it on the FW-1 in an SMTP Security resource too, because by default the FW-1 SMTP Security server is wide open to SMTP relaying.

I have an SMTP/POP3 post.office server running on a box. Before I installed a FW-1 in front of it, it was fully closed to unwanted SMTP relaying by using rules in the post.office SMTP relay. When we put the FW-1 in front of it, it was fine too, but as soon as I added an SMTP Security server in a resource to use CVP (for virus checking) it became wide open to SMTP relaying, until I changed my SMTP Security resources to:

First:
  Name: SMTP-Reject_dest
  Comment: Reject common redirection characters
  Exception Track: Log
  Notify Sender On Error
  Match Recipient: *{*%*,*!*}*
  Strip MIME of type:
  Don't Accept Mail Larger Than 999999 KB
  CVP Server: Anti_Virus
  CVP Read/Write
  Allowed Chars: 8-bit

Second:
  Name: SMTP-RCV
  Comment: Receive email for our domains
  Exception Track: Log
  Notify Sender On Error
  Match Recipient: {*@ourdomain_1.com,...,*@ourdomain_N.com}
  Strip MIME of type:
  Don't Accept Mail Larger Than 999999 KB
  CVP Server: Anti_Virus
  CVP Read/Write
  Allowed Chars: 8-bit

With the two following rules:

Source   Destination       Service                    Action   Track   Comment
any      our_SMTP_Server   smtp -> SMTP-Reject_dest   Reject   Long    EMAIL with redirect characters
any      our_SMTP_Server   smtp -> SMTP-RCV           Accept   Long    EMAIL for our domains

All other incoming traffic is dropped by the catch-all rule. If we put only the second rule with nothing in the Match Recipient, anyone can do SMTP relay through our FW-1 Security server!
At 14:13 2001-11-29 +0700, Suriyanto Limah wrote:
>So far we have set up the Notes box so any relay will be rejected
>automatically.
>But this attack still makes the server very busy...
>
>Do you have any other idea to solve this?
>
>Thanks
>Suriyanto
>
>
>Rocky Stefano <[email protected]> on 11/29/2001 11:03:15 AM
>
>Please respond to Mailing list for discussion of Firewall-1
> <[email protected]>
>
> To: [email protected]
> cc: (bcc: Suriyanto Limah/AIN/ACI)
> Subject: Re: [FW-1] Smtp Resource FW-1 NG
>
>Don't use Checkpoint to fix the crap your Notes server won't do. Fix the
>relay on your Notes box.
>
>----- Original Message -----
>From: "Suriyanto Limah" <[email protected]>
>To: <[email protected]>
>Sent: Wednesday, November 28, 2001 8:51 PM
>Subject: Re: [FW-1] Smtp Resource FW-1 NG
>
>
>> Hi Matt,
>>
>> We have the same problem as you. Now our Notes SMTP is used by outsiders as
>> a relay.
>> Could you please tell me how to configure a rule to stop this action?
>>
>> I use Check Point FW-1 version 4.0.
>>
>> Thanks
>> Suriyanto
>>
>>
>> Matthew Hale <[email protected]> on 11/29/2001 06:33:28 AM
>>
>> Please respond to Mailing list for discussion of Firewall-1
>> <[email protected]>
>>
>> To: [email protected]
>> cc: (bcc: Suriyanto Limah/AIN/ACI)
>> Subject: [FW-1] Smtp Resource FW-1 NG
>>
>> Hi,
>>
>> I have a Checkpoint FW-1 NG firewall configured with a rule which uses
>> an smtp resource to stop people using my machines as a relay. I have
>> configured the resource to allow mails up to 100000kb. Here's the
>> problem: when I send a small mail, say less than 1mb, the mail is
>> transferred to the mail server OK. When I send a mail (from an external
>> mail account) with an attachment, say 2mb, it bounces back to me saying
>> 'to much data'. I used Checkpoint FW-1 4.1 for 2 years with this very
>> same rule and had no problems. Has anyone seen this problem with NG? I
>> did a fresh install of NG on a Compaq server running Redhat 7.
>>
>> Thanks
>>
>> Matt

------------------------------------------------------------
Yves Belle-Isle  V.P. VE2YBI YB17        Email: [email protected]
Responsable des Systemes                 Tel:
Sogi Informatique Ltee.                  Fax:
------------------------------------------------------------

===============================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================

Yves Belle-Isle <[email protected]> on 12/20/2001 10:42:42 PM

Please respond to Mailing list for discussion of Firewall-1 <[email protected]>

To: [email protected]
cc: (bcc: Suriyanto Limah/AIN/ACI)
Subject: Re: [FW-1] Cannot Compile

In a security server rule, use Reject or Drop; both generate a Reject in the log, because the firewall can't drop the SMTP connection request. It has to accept it, open it, and read it before it can decide whether it accepts or rejects it, based on the email address and MIME types used in the email. So the real action can't be Drop. For an analogy: how can you know for sure who is calling you without answering the call (yourself or your answering machine), even if you have caller ID? You can't; you have to first answer it to hear the other person and identify them. So as soon as a packet has to pass in a security server rule, even if it is dropped in a normal rule (maybe the catch-all one), in fact it will be rejected, as you can verify in the action field of your log file.

Then *{*@vhost*}* means: anything, followed by anything, followed by any of: anything followed by @vhost followed by anything; followed by anything. While {*@vhost*} means: any of: anything followed by @vhost followed by anything. Which are the same...

As I missed the initial email I don't know what the problem is, but I am not sure this is not the solution, sorry... Can I have the original email again?
At 10:59 2001-12-20 +0200, Chontzopoulos, Dimitris wrote:
>For starters, the "Action" shouldn't be "Reject". The "Action" on resources
>should always be "Drop".
>IMHO the "Match Sender" should be "*{*@vhost*}*". I may be wrong though...
>
>-----Original Message-----
>From: Suriyanto Limah [mailto:[email protected]]
>Sent: Thursday, December 20, 2001 4:46 AM
>To: [email protected]
>Subject: Re: [FW-1] Cannot Compile
>
>
>Hi..
>
>I have created a resource :
>
>  Name: AntiSpamming
>  Exception Track: None
>  Match Sender: {*@vhost.*}
>  Don't Accept Mail Larger Than 1000 KB
>  CVP (no server installed)
>  CVP None
>  Allowed Chars: 8-bit
>
>With the two following rules:
>
>Source   Destination   Service                   Action   Install on
>any      SMTP          smtp->SMTP-AntiSpamming   Reject   OurFW
>
>
>regards,
>Suriyanto
>
>
>"Roelandts, Guy" <[email protected]> on 12/19/2001 08:39:44 PM
>
>Please respond to Mailing list for discussion of Firewall-1
> <[email protected]>
>
> To: [email protected]
> cc: (bcc: Suriyanto Limah/AIN/ACI)
> Subject: Re: [FW-1] Cannot Compile
>
>
>Hi,
>
> Didn't you define something, like an object, that contains smtp
> in it? I had this once and found out there are a number of reserved
> words that you can't use.
>
> Just my 2 cents
>
>Met vriendelijke groeten - Bien à vous - Kind regards
>Guy ROELANDTS
>EMEA GS Internet Expertise Centre - CCSA & CCSE
>Compaq Software Engineer - Belgium
>E-mail : [email protected]
>Tel: +32(02)729.77.44 (options 3 - 3 - 1)
>Fax: +32(02)729.77.65
>==========================================================
>This message may contain confidential and/or proprietary information,
>and is intended only for the person/entity to whom it was originally
>addressed. The content of this message may contain private views and
>opinions which do not constitute a formal disclosure or commitment
>unless specifically stated. Should you receive this message by mistake
>please inform the sender immediately.
>==========================================================
>
>
>* -----Original Message-----
>* From: Suriyanto Limah [mailto:[email protected]]
>* Sent: 19 December 2001 11:18
>* To: [email protected]
>* Subject: [FW-1] Cannot Compile
>*
>*
>* Dear All,
>*
>* When we do a compile on the FW-1 after changing, we found the
>* following error:
>*
>* Standard.W: Security Policy Script generated into Standard.pf
>* Standard:
>* "C:\WINNT\FW\conf\Standard.pf", line 584: ERROR: macro identifier <smtp> redefined
>* "C:\WINNT\FW\conf\Standard.pf", line 629: ERROR: cannot expand macro <smtp>
>* "C:\WINNT\FW\conf\Standard.pf", line 692: ERROR: cannot find <table_target_list9> anywhere
>* Compilation Failed.
>*
>* What's wrong with this error?
>*
>* Thanks in advance for any idea.
>*
>* best regards,
>* Suriyanto
>*
>* =================================================
>* To set vacation, Out Of Office, or away messages,
>* send an email to [email protected]
>* in the BODY of the email add:
>* set fw-1-mailinglist nomail
>* =================================================
>* To unsubscribe from this mailing list,
>* please see the instructions at
>* http://www.checkpoint.com/services/mailing.html
>* =================================================
>* If you have any questions on how to change your
>* subscription options, email
>* [email protected]
>* =================================================
------------------------------------------------------------
Yves Belle-Isle  V.P. VE2YBI YB17        Email: [email protected]
Responsable des Systemes                 Tel:
Sogi Informatique Ltee.                  Fax:
------------------------------------------------------------
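The following Python is an added illustration for readers of this archive; it is not part of the thread and not Check Point's matcher. It models the two things the posters argue about: the resource match syntax as Yves reads it (`*` as "anything", `{a,b}` as "any of"), and the first-match ordering of his two rules (reject addresses containing the redirection characters `%` or `!` first, then accept mail for our own domains, then let the catch-all drop the rest). It also runs a blank Match Recipient resource, which he describes as "wide open" to relaying, over the same addresses, and checks his claim that `*{*@vhost*}*` and `{*@vhost*}` match the same addresses. The glob semantics, the domain names `ourdomain_1.com`/`ourdomain_2.com`, and the sample recipient addresses are all assumptions made for the example.

```python
import re

# ASSUMED semantics, inferred from how the thread uses the patterns (not from
# Check Point documentation): '*' matches any run of characters, including an
# empty one; '{a,b,c}' matches any one of the comma-separated alternatives;
# every other character is literal. Braces are not nested in any pattern on
# the page, so nesting is rejected rather than guessed at.
def _translate(fragment, inside_braces=False):
    out = []
    i = 0
    while i < len(fragment):
        c = fragment[i]
        if c == "*":
            out.append(".*")
            i += 1
        elif c == "{":
            if inside_braces:
                raise ValueError("nested braces are not supported: %r" % fragment)
            j = fragment.find("}", i)
            if j < 0:
                raise ValueError("unbalanced '{' in pattern: %r" % fragment)
            alternatives = fragment[i + 1:j].split(",")
            out.append("(?:" + "|".join(_translate(a, True) for a in alternatives) + ")")
            i = j + 1
        elif c == "}":
            raise ValueError("unbalanced '}' in pattern: %r" % fragment)
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def fw1_match(pattern, address):
    """True if the whole address matches the FW-1-style pattern."""
    return re.fullmatch(_translate(pattern), address) is not None


# Yves's rule base with hypothetical domain names. A rule whose pattern is
# None models an SMTP resource whose Match Recipient field was left blank:
# it matches every recipient, i.e. the "wide open to relaying" configuration.
SAFE_RULES = [
    ("*{*%*,*!*}*", "Reject", "EMAIL with redirect characters"),
    ("{*@ourdomain_1.com,*@ourdomain_2.com}", "Accept", "EMAIL for our domains"),
]
OPEN_RULES = [
    (None, "Accept", "resource with empty Match Recipient"),
]
CATCH_ALL = ("Drop", "catch-all rule")


def decide(recipient, rules):
    """First-match evaluation of a rule base for one RCPT TO address."""
    for pattern, action, comment in rules:
        if pattern is None or fw1_match(pattern, recipient):
            return action, comment
    return CATCH_ALL


def same_language_on(pattern_a, pattern_b, samples):
    """True if both patterns accept exactly the same addresses from samples."""
    return all(fw1_match(pattern_a, s) == fw1_match(pattern_b, s) for s in samples)


# Constructed recipient addresses for the demonstration.
SAMPLE_RECIPIENTS = [
    "user@ourdomain_1.com",               # legitimate inbound mail
    "victim@other.example",               # plain relay attempt
    "user%evil.example@ourdomain_1.com",  # percent-hack source routing via our domain
    "evil.example!user@ourdomain_2.com",  # bang-path source routing via our domain
    "alice@vhost.example",                # matches the {*@vhost.*} pattern from the thread
]

if __name__ == "__main__":
    for rcpt in SAMPLE_RECIPIENTS:
        print("%-36s safe=%-7s open=%s" % (rcpt, decide(rcpt, SAFE_RULES)[0], decide(rcpt, OPEN_RULES)[0]))
    print("*{*@vhost*}* and {*@vhost*} agree on samples:",
          same_language_on("*{*@vhost*}*", "{*@vhost*}", SAMPLE_RECIPIENTS))
```

Running the block shows why the order of Yves's two rules matters: `user%evil.example@ourdomain_1.com` also matches the second rule's `*@ourdomain_1.com`, so with the accept rule alone the firewall would hand it to the internal server, which is exactly the address form a relay abuser uses. With the empty Match Recipient resource every sample is accepted, which is the open-relay condition he describes.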