Re: [FW-1] NBT-happy 4.0SP8 FW-1 on NT

Guys,
The prize goes to Andrew Jones. Sure enough, the firewall was set to inbound rather than outbound or eitherbound, and this is what differentiates it from the other firewalls I have that are actually paying attention to what I want (ha ha). I dug out some of our old Checkpoint training material and it explains the inbound/outbound/eitherbound selection *much* better than the online help, and it clearly explains why the outgoing (from the firewall, not a behind-the-firewall device) NBT traffic-- in fact, ALL outgoing traffic-- is not being subjected to the rule base. Needless to say I'll be fixing this little configuration problem.

So Guy, yes, the rule matched, it just wasn't being applied to from-firewall packets due to the Policy Properties setup. Anders: As soon as I can I'm going to make the implicit rules go away. Andrew: You can't lurk anymore, you're an FW-1 expert now :)

Thanks a bunch guys.

-Russ
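The mechanism Russ describes above, as an added illustration that is not part of the original thread: a toy first-match rulebase enforced only in the direction selected by the gateway's interface-direction property. The model is a simplification written for this example (host names, the rule set and the `enforce` function are all constructed here); it assumes, as the thread states, that a packet the gateway itself generates never arrives on an interface in the inbound direction, so an "inbound"-only policy never consults the rulebase for it and the implied "accept outgoing" behaviour lets it out unlogged.

```python
"""Toy model of a first-match rulebase enforced per interface direction.

Constructed example: the names, rules and packets below are made up for
illustration and do not come from the mailing-list thread."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str
    origin_host: bool = False  # True when the gateway itself generated it


@dataclass(frozen=True)
class Rule:
    number: int
    src: Set[str]
    dst: Set[str]
    services: Set[str]
    action: str  # "accept" or "drop"
    log: str = "none"  # "none", "short" or "long"

    def matches(self, pkt: Packet) -> bool:
        return (("any" in self.src or pkt.src in self.src)
                and ("any" in self.dst or pkt.dst in self.dst)
                and ("any" in self.services or pkt.service in self.services))


@dataclass(frozen=True)
class Verdict:
    action: str
    rule: Optional[int]  # None: decided by implied behaviour, not an explicit rule
    inspected: bool      # did the rulebase get consulted at all?
    logged: bool


INSPECT_ON = {
    "inbound": {"inbound"},
    "outbound": {"outbound"},
    "eitherbound": {"inbound", "outbound"},
}


def enforce(rulebase: List[Rule], direction: str, pkt: Packet) -> Verdict:
    """Evaluate one packet under the given interface-direction setting.

    A transit packet is seen inbound on the interface it arrives on and
    outbound on the interface it leaves by.  A packet the gateway generated
    itself is only ever seen outbound (assumption of this model)."""
    seen = ["outbound"] if pkt.origin_host else ["inbound", "outbound"]
    if not any(d in INSPECT_ON[direction] for d in seen):
        # Rulebase never consulted: implied "accept outgoing", no log entry.
        return Verdict("accept", None, inspected=False, logged=False)
    for rule in rulebase:  # first match wins
        if rule.matches(pkt):
            return Verdict(rule.action, rule.number, True, rule.log != "none")
    # No explicit match: gateway-originated traffic falls to the implied
    # "accept outgoing" rule (position: last); anything else is dropped.
    if pkt.origin_host:
        return Verdict("accept", None, inspected=True, logged=False)
    return Verdict("drop", None, inspected=True, logged=False)


# Constructed rulebase: a diagnostic drop-and-log rule at position 1 for
# NBT from the firewall to the external broadcast address.
FIREWALL = "fw-1"
EXT_BCAST = "ext-broadcast"
NBT = {"nbname", "nbdatagram", "nbsession"}
RULEBASE = [
    Rule(1, {FIREWALL}, {EXT_BCAST}, NBT, action="drop", log="long"),
    Rule(2, {"any"}, {"webserver"}, {"http"}, action="accept", log="short"),
]

FW_NBT = Packet(FIREWALL, EXT_BCAST, "nbname", origin_host=True)
LAN_NBT = Packet("lan-host", EXT_BCAST, "nbname")
CLIENT_HTTP = Packet("internet-host", "webserver", "http")


def compare_directions(pkt: Packet) -> Dict[str, Verdict]:
    """Verdict for one packet under each of the three direction settings."""
    return {d: enforce(RULEBASE, d, pkt) for d in INSPECT_ON}


if __name__ == "__main__":
    for name, pkt in (("fw->bcast NBT", FW_NBT), ("lan->bcast NBT", LAN_NBT),
                      ("client http", CLIENT_HTTP)):
        for direction, v in compare_directions(pkt).items():
            print(f"{name:15} {direction:12} {v.action:6} rule={v.rule} "
                  f"inspected={v.inspected} logged={v.logged}")
```

Running it shows the symptom from the thread: under "inbound" the firewall-originated NBT packet is accepted without the rulebase being inspected and without a log entry, while under "eitherbound" (or "outbound") the same packet hits rule 1 and is dropped and logged. Transit traffic is inspected under every setting, which is why the other rules appeared to work normally.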
Ok Dan,

I think you have the right idea but our firewall doesn't seem to agree with either of us. First though, you're correct that the real issue is stopping the traffic and I will throw a project on the list to harden the firewall's config.

In the meantime, since major jiggling of the box will require consent from 'management' (translation: undetermined amount of time before approval) I decided to check your other ideas. There *is* an implied rule to let the traffic out. But it doesn't explain our problem (at least not completely) and here's why.

First, the implied "Accept outgoing packets" rule is set to 'last' in the Policy Properties and it accordingly is the dead-last rule in the rulebase. I put in an explicitly-defined rule well above it, at position #1, as follows:

source=firewall object
dest=host object w/external broadcast address
traffic type=NBT (group that includes the traffic we're seeing)
action=""
log=long

Somehow this traffic is bypassing my diagnostic rule #1, and getting out of the firewall anyway. If it is going out via the implicit policy we're discussing, it's bypassing the top explicit rule in the rulebase to do it (and bypassing being logged in the process).

Second, it appears that on this particular version/service pack combo for Firewall-1 there is no option in the policy properties to turn on logging of implied rules. I know what you're referring to, I've seen it in version 4.1, but I can't find it on the 4.0 box and the helpfile says the only way to log implied rules is to handle the traffic in question with explicit rules instead.

Basically I have two objectives. One is to fix the problem of NBT coming out of our firewall, but the other is to determine why this firewall is letting *any* traffic through in a manner which suggests that the rulebase is being bypassed. What do you think?