
Re: [FW-1] Cannot Compile




Hi Yves,

Actually this is the real problem we are facing now. I have tried to do
what you advised:

   First: Name: SMTP-Reject_dest
          Comment: Reject common redirection characters
          Exception Track: Log
          Notify Sender On Error
          Match Recipient: *{*%*,*!*}*
          Strip MIME of type:
          Don't Accept Mail Larger Than 999999 KB
          CVP Server Anti_Virus
          CVP Read/Write
          Allowed Chars: 8-bit

When we typed *{*%*,*!*}* in the Match Recipient we found "invalid match or
... something like that".
Then I left it blank. For the second resource we had no problem defining
it.

When we installed (compiled) the new rules, the following error occurred:

Standard.W: Security Policy Script generated into Standard.pf
Standard:
"C:\WINNT\FW\conf\Standard.pf", line 584: ERROR: macro identifier <smtp>
redefined
"C:\WINNT\FW\conf\Standard.pf", line 629: ERROR: cannot expand macro <smtp>
"C:\WINNT\FW\conf\Standard.pf", line 692: ERROR: cannot find
<table_target_list9> anywhere
Compilation Failed.

Finally we tried to remove the two rules and reinstalled again. Now there
is no error found, but there are no transactions found in
the log viewer as there normally are. Most of the fields have no contents at all
(before I found this error, the log could record any transaction through the
firewall).
I am rather worried and don't know whether this FW is working properly or
not.

After that we tried to create another simple resource & rule like :

>I have created a resource :
>
>          Name: AntiSpamming
>          Exception Track: None
>          Match Sender: {*@vhost.*}
>          Don't Accept Mail Larger Than 1000 KB
>          CVP (no server installed)
>          CVP None
>          Allowed Chars: 8-bit
>
>With the following rule:
>
>Source Destination   Service                  Action    Install on
>any    SMTP            smtp->SMTP-AntiSpamming  Reject       OurFW

The same error was found when we installed the rule. This is the complete history of
our mails.

Perhaps a related question to this mail:
We use Check Point FireWall-1 version 4.0 running on NT4.0
To deploy CVP in the FW-1, do we need another software besides the FW-1?

Thank you very much for sharing your idea.

Best regards,
Suriyanto




Yves Belle-Isle <[email protected]> on 11/29/2001 09:10:30 PM

Please respond to Mailing list for discussion of Firewall-1
      <[email protected]>

 To:      [email protected]
 cc:      (bcc: Suriyanto Limah/AIN/ACI)
 Subject: Re: [FW-1] Smtp Resource FW-1 NG

First you have to block SMTP relaying on the Notes Box and
if you use a SMTP Security server (like for CVP) you need
to block those on the FW-1 in a SMTP Security resource too
because by default the FW-1 SMTP Security server is wide
open to SMTP relaying. I have a SMTP/POP3 post.office server
running on a box; before I installed a FW-1 in front of it, it
was fully closed to unwanted SMTP relaying by using rules
in the post.office SMTP relay. When we put the FW-1 in front
of it, it was fine too, but as soon as I added a SMTP Security
server in a resource to use CVP (for virus checking) it
became wide open to SMTP relaying until I changed my SMTP
Security resources to:

   First: Name: SMTP-Reject_dest
          Comment: Reject common redirection characters
          Exception Track: Log
          Notify Sender On Error
          Match Recipient: *{*%*,*!*}*
          Strip MIME of type:
          Don't Accept Mail Larger Than 999999 KB
          CVP Server Anti_Virus
          CVP Read/Write
          Allowed Chars: 8-bit

   Second: Name: SMTP-RCV
           Comment: Receive email for our domains
           Exception Track: Log
           Notify Sender On Error
           Match Recipient: {*@ourdomain_1.com,...,*@ourdomain_N.com}
           Strip MIME of type:
           Don't Accept Mail Larger Than 999999 KB
           CVP Server Anti_Virus
           CVP Read/Write
           Allowed Chars: 8-bit

With the two following rules:

Source Destination     Service                  Action Track Comment
any    our_SMTP_Server smtp -> SMTP-Reject_dest Reject Long  EMAIL with redirect characters
any    our_SMTP_Server smtp -> SMTP-RCV         Accept Long  EMAIL for our domains

All other incoming traffic is dropped by the catch all rule.

If we put only the second rule with nothing in the Match Recipient,
anyone can do SMTP relay through our FW-1 Security server!


At 14:13 2001-11-29 +0700, Suriyanto Limah wrote:
>So far we have setup the Notes Box so any relay will be rejected
>automatically.
>But this attack still make the server very busy...
>
>Do you have any another idea to solve this.
>
>Thanks
>Suriyanto
>
>
>Rocky Stefano <[email protected]> on 11/29/2001 11:03:15 AM
>
>Please respond to Mailing list for discussion of Firewall-1
>      <[email protected]>
>
> To:      [email protected]
> cc:      (bcc: Suriyanto Limah/AIN/ACI)
> Subject: Re: [FW-1] Smtp Resource FW-1 NG
>
>Don't use Checkpoint to fix the crap your notes server won't do. Fix the
>relay on your notes box
>
>----- Original Message -----
>From: "Suriyanto Limah" <[email protected]>
>To: <[email protected]>
>Sent: Wednesday, November 28, 2001 8:51 PM
>Subject: Re: [FW-1] Smtp Resource FW-1 NG
>
>
>> Hi Matt,
>>
>> We have the same problem as you. Now our Notes SMTP is used by outsiders as
>> a relay.
>> Could you please tell me how to configure a rule to stop this action?
>>
>> I use Check Point FW-1 version 4.0.
>>
>> Thanks
>> Suriyanto
>>
>>
>> Matthew Hale <[email protected]> on 11/29/2001 06:33:28 AM
>>
>> Please respond to Mailing list for discussion of Firewall-1
>>       <[email protected]>
>>
>>  To:      [email protected]
>>  cc:      (bcc: Suriyanto Limah/AIN/ACI)
>>  Subject: [FW-1] Smtp Resource FW-1 NG
>>
>> Hi,
>>
>> I have a Checkpoint FW-1 NG firewall configured with a rule which uses
>> an smtp resource to stop people using my machines as a relay. I have
>> configured the resource to allow mails up to 100000kb. Here's the
>> problem: when I send a small mail, say less than 1mb, the mail is
>> transferred to the mail server ok. When I send a mail (from an external
>> mail account) with an attachment, say 2mb, it bounces back to me saying
>> 'to much data'. I used Checkpoint FW-1 4.1 for 2 years with this very
>> same rule and had no problems. Has anyone seen this problem with NG? I
>> did a fresh install of NG on a compaq server running Redhat 7.
>>
>> Thanks
>>
>> Matt
>>


------------------------------------------------------------
Yves Belle-Isle V.P. VE2YBI YB17        Email: [email protected]
Systems Manager                         Tel:
Sogi Informatique Ltee.                 Fax:
------------------------------------------------------------

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================


Yves Belle-Isle <[email protected]> on 12/20/2001 10:42:42 PM

Please respond to Mailing list for discussion of Firewall-1
      <[email protected]>

 To:      [email protected]
 cc:      (bcc: Suriyanto Limah/AIN/ACI)
 Subject: Re: [FW-1] Cannot Compile

In a security server, use Reject or Drop in a rule; both generate a Reject in
the log, because the firewall can't drop the SMTP connection request: it has to
accept it, open it, and read it before it can decide whether to accept or reject
it based on the email address and MIME types used in the email. So the
real action can't be Drop. For an analogy, how can you know for sure
who is calling you without answering the call (yourself or your answering
machine), even if you have caller ID? You can't; you have to first answer
it to hear the other person and identify them.

So as soon as a packet has to pass through a security server rule, even if it
is dropped in a normal rule (maybe the catch-all one), in fact it will
be rejected, as you can verify in the action field of your log file.

Then *{*@vhost*}* means:
     is anything followed by anything followed by any of:
              anything followed by @vhost followed by anything
     followed by anything

While {*@vhost*} means
      is any of:
             anything followed by @vhost followed by anything

which are the same...

As I missed the initial email I don't know what the problem is, but I
am not sure this is not the solution, sorry...

Can I have the original email again?

At 10:59 2001-12-20 +0200, Chontzopoulos, Dimitris wrote:
>For starters, the "Action" shouldn't be "Reject". The "Action" on resources
>should always be "Drop".
>IMHO the "Match Sender" should be "*{*@vhost*}*". I may be wrong though...
>
>-----Original Message-----
>From: Suriyanto Limah [mailto:[email protected]]
>Sent: Thursday, December 20, 2001 4:46 AM
>To: [email protected]
>Subject: Re: [FW-1] Cannot Compile
>
>
>Hi..
>
>I have created a resource :
>
>          Name: AntiSpamming
>          Exception Track: None
>          Match Sender: {*@vhost.*}
>          Don't Accept Mail Larger Than 1000 KB
>          CVP (no server installed)
>          CVP None
>          Allowed Chars: 8-bit
>
>With the following rule:
>
>Source Destination   Service                  Action    Install on
>any    SMTP            smtp->SMTP-AntiSpamming  Reject       OurFW
>
>regards,
>Suriyanto
>
>"Roelandts, Guy" <[email protected]> on 12/19/2001 08:39:44 PM
>
>Please respond to Mailing list for discussion of Firewall-1
>      <[email protected]>
>
> To:      [email protected]
> cc:      (bcc: Suriyanto Limah/AIN/ACI)
> Subject: Re: [FW-1] Cannot Compile
>
>Hi,
>
>   Didn't you define something, like an object, that contains smtp
> in it? I had this once and found out there are a number of reserved
> words that you can't use.
>
>   Just my 2 cents
>
>Met vriendelijke groeten - Bien à vous - Kind regards
>Guy ROELANDTS
>EMEA GS Internet Expertise Centre - CCSA & CCSE
>Compaq Software Engineer - Belgium
>E-mail : [email protected]
>Tel: +32(02)729.77.44 (options 3 - 3 - 1)
>Fax: +32(02)729.77.65
>==========================================================
>This message may contain confidential and/or proprietary information,
>and is intended only for the person/entity to whom it was originally
>addressed. The content of this message may contain private views and
>opinions which do not constitute a formal disclosure or commitment
>unless specifically stated. Should you receive this message by mistake
>please inform the sender immediately.
>==========================================================
>
>
>* -----Original Message-----
>* From: Suriyanto Limah [mailto:[email protected]]
>* Sent: 19 December 2001 11:18
>* To: [email protected]
>* Subject: [FW-1] Cannot Compile
>*
>*
>* Dear All,
>*
>* When we do a compile on the FW-1 after changing, we found the following
>* error:
>*
>* Standard.W: Security Policy Script generated into Standard.pf
>* Standard:
>* "C:\WINNT\FW\conf\Standard.pf", line 584: ERROR: macro
>* identifier <smtp>
>* redefined
>* "C:\WINNT\FW\conf\Standard.pf", line 629: ERROR: cannot
>* expand macro <smtp>
>* "C:\WINNT\FW\conf\Standard.pf", line 692: ERROR: cannot find
>* <table_target_list9> anywhere
>* Compilation Failed.
>*
>* What's wrong with this error?
>*
>* Thanks in advance for any idea.
>*
>* best regards,
>* Suriyanto
>*
>* =================================================
>* To set vacation, Out Of Office, or away messages,
>* send an email to [email protected]
>* in the BODY of the email add:
>* set fw-1-mailinglist nomail
>* =================================================
>* To unsubscribe from this mailing list,
>* please see the instructions at
>* http://www.checkpoint.com/services/mailing.html
>* =================================================
>* If you have any questions on how to change your
>* subscription options, email
>* [email protected]
>* =================================================
>*

------------------------------------------------------------
Yves Belle-Isle V.P. VE2YBI YB17        Email: [email protected]
Systems Manager                         Tel:
Sogi Informatique Ltee.                 Fax:
------------------------------------------------------------
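The anti-relay resources Yves describes in his 11/29 message (SMTP-Reject_dest ahead of SMTP-RCV, catch-all drop behind them) and his reading of the match patterns in the 12/20 message, worked through as an added example; this is not Check Point's matcher nor code from any poster. It implements the pattern semantics exactly as the thread states them (`*` is anything, `{a,b}` is any of), walks a two-rule rulebase in order, and checks that `*{*@vhost*}*` and `{*@vhost*}` accept the same senders. The recipient addresses and the second domain (`ourdomain_2.com`, standing in for the `...,*@ourdomain_N.com` list) are constructed.

```python
import re


def pattern_to_regex(pattern: str) -> str:
    """Translate an FW-1 style match pattern into a regex, using the semantics
    given in the thread: '*' is anything, '{a,b,...}' is any one alternative.
    Added re-implementation; nested braces are not handled (the thread has none)."""
    out, in_braces = [], False
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "{" and not in_braces:
            in_braces = True
            out.append("(?:")
        elif ch == "}" and in_braces:
            in_braces = False
            out.append(")")
        elif ch == "," and in_braces:
            out.append("|")          # comma inside braces separates alternatives
        else:
            out.append(re.escape(ch))
    if in_braces:
        raise ValueError("unbalanced '{' in pattern %r" % pattern)
    return "".join(out)


def matches(pattern: str, address: str) -> bool:
    return re.fullmatch(pattern_to_regex(pattern), address) is not None


# Rulebase from the thread, in order: reject recipients containing the
# redirection characters % or ! first, then accept mail for our own domains;
# anything unmatched falls to the catch-all (constructed second domain).
RULEBASE = [
    ("SMTP-Reject_dest", "*{*%*,*!*}*", "Reject"),
    ("SMTP-RCV", "{*@ourdomain_1.com,*@ourdomain_2.com}", "Accept"),
]


def decide(rcpt_to: str):
    """First matching rule wins, as in a FW-1 rulebase; returns (action, rule)."""
    for name, pattern, action in RULEBASE:
        if matches(pattern, rcpt_to):
            return action, name
    return "Drop", "catch-all"


def same_decision(pattern_a: str, pattern_b: str, samples) -> bool:
    """True if both patterns accept and refuse exactly the same samples."""
    return all(matches(pattern_a, s) == matches(pattern_b, s) for s in samples)
```

Note that a source-routed address such as `alice%elsewhere.example@ourdomain_1.com` ends in one of our domains and would pass SMTP-RCV on its own; it is refused only because SMTP-Reject_dest is evaluated first, which is why the order of the two rules matters.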





 