
Re: [FW-1] big trouble with NG



Hope this helps.


Solution: To allow non-SYN packets which do not have
state information in the connections table to be
matched against the Rule Base:


On FireWall-1 NG HF2 (Hotfix-2)
========================


UNIX
--------
1. Stop the FireWall (fwstop)


2. Perform the following platform-dependent command:


Solaris:


Add the following line to the /etc/system file
set fw:fw_allow_out_of_state_tcp = 1


Linux:


Add the following parameter to the $FWDIR/bin/fwstart
script. The change should look like this:


BEFORE -


. . . . insmod $smp_prefix -f $fwmod kver=$kver . . . . .


AFTER -


. . . . insmod $smp_prefix -f $fwmod kver=$kver fw_allow_out_of_state_tcp=1 . . . .


3. Reboot the machine!


Windows NT / 2000
-----------------------------
1. Add the following DWORD to the registry under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FW1\Parameters

A variable named AllowOutOfStateTCP should be added
with a value of 1.


2. Reboot!


NOTE: If one wishes to just prevent these logs from
getting into the Log Viewer, proceed as follows:


UNIX
--------
1. Stop the FireWall (fwstop)


2. Perform the following platform-dependent command:


Solaris:


Add the following line to the /etc/system file
set fw:fw_log_out_of_state_tcp = 0


Linux:


Add the following parameter to the $FWDIR/bin/fwstart
script. The change should look like this:


BEFORE -


. . . . insmod $smp_prefix -f $fwmod kver=$kver . . . . .


AFTER -


. . . . insmod $smp_prefix -f $fwmod kver=$kver fw_log_out_of_state_tcp=0 . . . .


3. Reboot the machine!


Windows NT / 2000
-----------------------------
1. Add the following DWORD to the registry under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FW1\Parameters

A variable named DisableLogOutOfStateTCP should be
added with a value of 1.


2. Reboot the machine!




--- Walter Nordmann <[email protected]> wrote:
> hi everybody,
>
> I'm in really big trouble using fw1 ng
> (base/hf1/hf2)
>
> my fw1 management station is connected to two
> fw1-modules running stonebeat ha on solaris..
>
>                             FW-M
>                               !
>                               !
>                              HUB
>                              / \
>                             /   \
>                            /     \
>                           FW1----FW2  STONEBEAT-LINK BETWEEN FW1 AND FW2
>                            !      :
>                            !      :
>                            !      :
>                          -------------------------  LAN
>                                         !
>                                         !
>                                      FW-GUI-Client
>
> FW-M (Firewall management) is using fw1 and fw2 as
> default-router. When FW1 is up and FW-M tries to
> talk to FW2, FW2 should send an ICMP redirect which
> says "please use fw1 as router".
>
> That's fine.
>
> But: this packet is dropped by the firewall on FW2
>
> log entry:  icmp-type 5 icmp-code 1 message_info
> ICMP packet out of state
>
> rule:       no entry, not even rule zero
>
> global properties:  accept outgoing packets
> originating from gateway  is first
>
> It could be something like the old "unknown
> established tcp packet" problem, but the fix for
> 4.1 does not work for ng, because there is no
>
> ALLOW_NON_SYN_RULEBASE_MATCH in fwui_head.def
>
> best regards
>
> walter nordmann, cards engineering, germany
>


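The two kernel parameters in the reply change what a FireWall-1 NG gateway does with a TCP segment that has no entry in the connections table: fw_allow_out_of_state_tcp=1 hands such segments to the Rule Base instead of dropping them on the stateful check, and fw_log_out_of_state_tcp=0 keeps the drop but stops logging it. Both are worth auditing, because the first relaxes stateful enforcement gateway-wide and the second hides the drops that would otherwise show up in the Log Viewer. Note that the poster's dropped packet is ICMP (type 5, a redirect), while the parameters are named for TCP; the thread does not settle whether they cover that case. The script below is an added example, not code from the original post or from Check Point: it reads the Solaris /etc/system and Linux $FWDIR/bin/fwstart formats shown in the reply from paths passed as arguments (so it can be run against copies), can append a parameter to the Linux insmod line idempotently, and classifies the resulting posture. The function names, the posture labels and the sample file contents in demo() are this example's own constructions; the Windows registry values are not covered.

```shell
#!/bin/sh
# Added example (not from the original post or Check Point): audit and apply the
# out-of-state TCP parameters described in the reply. File paths are arguments so the
# functions can run against copies of /etc/system and $FWDIR/bin/fwstart.

# Solaris: print the value assigned to a fw module tunable in an /etc/system file,
# or "unset". Matches "set fw:<name> = <n>" with or without spaces around "=".
solaris_param() {   # $1 = path to /etc/system copy, $2 = tunable name
    v=$(sed -n "s/^[[:space:]]*set[[:space:]]*fw:$2[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | tail -n 1)
    [ -n "$v" ] && echo "$v" || echo unset
}

# Linux: print the value of a name=value argument on the insmod line that loads
# $fwmod, or "unset".
linux_param() {     # $1 = path to fwstart copy, $2 = parameter name
    v=$(grep insmod "$1" | grep fwmod | sed -n "s/.*[[:space:]]$2=\([0-9][0-9]*\).*/\1/p" | tail -n 1)
    [ -n "$v" ] && echo "$v" || echo unset
}

# Linux: append name=value to the $fwmod insmod line unless it is already present
# (idempotent). Writes through a temp file so a partial write cannot truncate fwstart.
linux_set_param() { # $1 = path to fwstart copy, $2 = parameter name, $3 = value
    [ "$(linux_param "$1" "$2")" = unset ] || return 0
    sed 's/\(insmod .*[$]fwmod .*kver=[$]kver\)/\1 '"$2=$3"'/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Classify the gateway's resulting behaviour for out-of-state TCP (labels are this
# example's own):
#   permissive - segments reach the Rule Base; the stateful check no longer drops them
#   blind      - still dropped, but the drops are no longer logged
#   default    - NG behaviour: drop and log
posture() {         # $1 = allow value, $2 = log value (each "unset", 0 or 1)
    if [ "$1" = 1 ]; then echo permissive
    elif [ "$2" = 0 ]; then echo blind
    else echo default
    fi
}

# Demo on constructed sample files (not copies of any real gateway's files).
demo() {
    d=$(mktemp -d)
    printf 'set rlim_fd_max=4096\nset fw:fw_allow_out_of_state_tcp = 1\n' > "$d/system"
    printf '#!/bin/sh\ninsmod $smp_prefix -f $fwmod kver=$kver\n' > "$d/fwstart"
    linux_set_param "$d/fwstart" fw_log_out_of_state_tcp 0
    a=$(solaris_param "$d/system" fw_allow_out_of_state_tcp)
    l=$(solaris_param "$d/system" fw_log_out_of_state_tcp)
    echo "solaris sample: allow=$a log=$l posture=$(posture "$a" "$l")"
    a=$(linux_param "$d/fwstart" fw_allow_out_of_state_tcp)
    l=$(linux_param "$d/fwstart" fw_log_out_of_state_tcp)
    echo "linux sample:   allow=$a log=$l posture=$(posture "$a" "$l")"
    rm -rf "$d"
}
demo
```

Run it against a copy of the real file rather than in place first; the reply's own procedure (fwstop, edit, reboot) still applies when you change a live gateway, and a "permissive" result on a gateway that nobody remembers configuring is exactly the finding this check is meant to surface.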

   All contents © 2004 Network Presence, LLC. All rights reserved.