Ok Dan,

I think you have the right idea but our firewall doesn't seem to agree with either of us. First though, you're correct that the real issue is stopping the traffic and I will throw a project on the list to harden the firewall's config.

In the meantime, since major jiggling of the box will require consent from 'management' (translation: undetermined amount of time before approval) I decided to check your other ideas. There *is* an implied rule to let the traffic out. But it doesn't explain our problem (at least not completely) and here's why.
First, the implied "Accept outgoing packets" rule is set to 'last' in the Policy Properties and it accordingly is the dead-last rule in the rulebase. I put in an explicitly-defined rule well above it, at position #1, as follows:

source=firewall object
dest=host object w/external broadcast address
traffic type=NBT (group that includes the traffic we're seeing)
action=accept
log=long
Somehow this traffic is bypassing my diagnostic rule #1, and getting out of the firewall anyway. If it is going out via the implicit policy we're discussing, it's bypassing the top explicit rule in the rulebase to do it (and bypassing being logged in the process).

Second, it appears that on this particular version/service pack combo for Firewall-1 there is no option in the policy properties to turn on logging of implied rules. I know what you're referring to, I've seen it in version 4.1, but I can't find it on the 4.0 box and the helpfile says the only way to log implied rules is to handle the traffic in question with explicit rules instead.

Basically I have two objectives. One is to fix the problem of NBT coming out of our firewall, but the other is to determine why this firewall is letting *any* traffic through in a manner which suggests that the rulebase is being bypassed. What do you think?
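As an added illustration (not code from this thread, and not Check Point's implementation), the Python sketch below models first-match rulebase evaluation with an implied "accept outgoing packets originating from gateway" rule placed first, before last, or last, the three positions the Policy Properties offer. All addresses, rule names and the service group are constructed for the example. It shows why the position matters for the diagnosis above: when the implied rule sits above the explicit diagnostic rule, the NBT broadcast is accepted there and never logged; when it is last, rule #1 should match and log, which is what the thread expects and does not observe.

```python
"""Toy first-match rulebase evaluator: explicit rules plus one implied
'accept outgoing from gateway' rule. Added example, not FireWall-1 code;
addresses, rule names and positions are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

FW_EXTERNAL_IP = "203.0.113.1"     # constructed: firewall's external address
EXTERNAL_BCAST = "203.0.113.255"   # constructed: external broadcast address
ANY = "any"

# Constructed NBT group: NetBIOS name (137/udp), datagram (138/udp), session (139/tcp)
NBT = frozenset({("udp", 137), ("udp", 138), ("tcp", 139)})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # IP, CIDR or "any"
    dst: str        # IP, CIDR or "any"
    services: object  # frozenset of (proto, port) or "any"
    action: str     # "accept" or "drop"
    log: bool


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == ANY or ip_address(addr) in ip_network(spec, strict=False)


def _svc_matches(spec, pkt: Packet) -> bool:
    return spec == ANY or (pkt.proto, pkt.dport) in spec


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and _svc_matches(rule.services, pkt))


# Explicit rulebase as described in the thread: diagnostic rule #1, then cleanup.
EXPLICIT: List[Rule] = [
    Rule("rule-1-nbt-diag", FW_EXTERNAL_IP, EXTERNAL_BCAST, NBT, "accept", True),
    Rule("cleanup", ANY, ANY, ANY, "drop", True),
]
# Implied rule: accept anything originating from the gateway; never logged.
IMPLIED = Rule("implied-accept-outgoing", FW_EXTERNAL_IP, ANY, ANY, "accept", False)


def build_rulebase(position: str, explicit=EXPLICIT, implied=IMPLIED) -> List[Rule]:
    """Place the implied rule according to the Policy Properties position."""
    if position == "first":
        return [implied] + explicit
    if position == "before last":
        return explicit[:-1] + [implied] + explicit[-1:]
    if position == "last":
        return explicit + [implied]
    raise ValueError(f"unknown position: {position}")


def evaluate(rulebase: List[Rule], pkt: Packet) -> Tuple[Optional[int], str, str, bool]:
    """First match wins. Returns (rule position, rule name, action, logged)."""
    for pos, rule in enumerate(rulebase, start=1):
        if matches(rule, pkt):
            return pos, rule.name, rule.action, rule.log
    return None, "implicit-drop", "drop", False


if __name__ == "__main__":
    nbt_bcast = Packet(FW_EXTERNAL_IP, EXTERNAL_BCAST, "udp", 137)
    for position in ("first", "before last", "last"):
        print(f"{position:12s} -> {evaluate(build_rulebase(position), nbt_bcast)}")
```

The only lever the model exposes is the implied rule's position: with "last" the diagnostic rule wins and produces a log entry, so an unlogged NBT broadcast under that setting points at something other than rule ordering (the thread's open question), whereas "first" reproduces the silent bypass exactly.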
Although there's a good chance that the traffic is passing on rule 0 (allow outgoing packets originating from gateway, in Policy->Properties) and you're not logging implied rules, the real issue is making that traffic stop. The Workstation and Computer Browser services, which are implicated in the generation of this traffic, really should *not* run on any internet-connected system, firewall or otherwise. Please see Lance Spitzner's excellent article on "armoring" Windows NT (http://www.enteract.com/~lspitz/nt.html).
HTH

Dan Hitchcock
CCNP, CCSE, MCSE
Security Operations Technical Lead
Breakwater Security Associates, Inc.
"Safe Harbor for E-Business"
dhitchcock (at) breakwatersecurity (dot) com
http://www.breakwatersecurity.com
The information contained in this email message may be privileged, confidential and protected from disclosure. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think you have received this email message in error, please email the sender at [email protected]
-----Original Message-----
From: Russell Washington [mailto:[email protected]]
Sent: Thursday, February 07, 2002 11:36 AM
To: [email protected]
Subject: [FW-1] NBT-happy 4.0SP8 FW-1 on NT
I have a Checkpoint firewall on my watch that is firing off NBT traffic to the broadcast address on its external interface even though there is *no* rule that we can find that allows this traffic. The firewall is not using its external IP in any hidden NAT rules, express or implied, and in fact it has no hidden NAT rules at all.

Because the traffic (as best as we can tell) is not going out under any defined rules, we can't log it to learn anything about how it is being handled.

In short, we're completely out of ideas. We even went so far as to set up rule #1 to *allow* NBT traffic and log it, and nothing shows up in the log even though other devices are detecting the traffic emanating from this box.

The box is running Firewall-1 4.0, SP8, on an NT 4.0 server that is up-to-date on its service packs. Any suggestions?
=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected] and in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================