Re: [FW-1] big trouble with NG
Hope this helps.

Solution:

To allow non-SYN packets which do not have state information in the connections table to be matched against the Rule Base:

On FireWall-1 NG HF2 (Hotfix-2)
========================

UNIX
--------
1. Stop the FireWall (fwstop)
2. Perform the following platform-dependent command:

   Solaris: Add the following line to the /etc/system file
     set fw:fw_allow_out_of_state_tcp = 1

   Linux: Add the following parameter to the $FWDIR/bin/fwstart script.
   The change should look like this:

   BEFORE -
     . . . .
     insmod $smp_prefix -f $fwmod kver=$kver
     . . . . .

   AFTER -
     . . . .
     insmod $smp_prefix -f $fwmod kver=$kver fw_allow_out_of_state_tcp=1
     . . . .

3. Reboot the machine !

Windows NT / 2000
-----------------------------
1. Add the following DWORD to the registry under:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FW1\Parameters
   A variable named AllowOutOfStateTCP should be added with a value of 1.
2. Reboot !

NOTE: If one wishes to just prevent these logs from getting into the Log Viewer, proceed as follows:

UNIX
--------
1. Stop the FireWall (fwstop)
2. Perform the following platform-dependent command:

   Solaris: Add the following line to the /etc/system file
     set fw:fw_log_out_of_state_tcp = 0

   Linux: Add the following parameter to the $FWDIR/bin/fwstart script.
   The change should look like this:

   BEFORE -
     . . . .
     insmod $smp_prefix -f $fwmod kver=$kver
     . . . . .

   AFTER -
     . . . .
     insmod $smp_prefix -f $fwmod kver=$kver fw_log_out_of_state_tcp=0
     . . . .

3. Reboot the machine !

Windows NT / 2000
-----------------------------
1. Add the following DWORD to the registry under:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FW1\Parameters
   A variable named DisableLogOutOfStateTCP should be added with a value of 1.
2. Reboot the machine !
--- Walter Nordmann <[email protected]> wrote:
> hi everybody,
>
> i'm in really big trouble using fw1 ng (base/hf1/hf2)
>
> my fw1 management station is connected to two fw1-modules running stonebeat ha on solaris..
>
>          FW-M
>           !
>           !
>          HUB
>          / \
>         /   \
>        /     \
>      FW1----FW2      STONEBEAT-LINK BETWEEN FW1 AND FW2
>       !      :
>       !      :
>       !      :
>     -------------------------  LAN
>       !
>       !
>     FW-GUI-Client
>
> FW-M (Firewall management) is using fw1 and fw2 as default router. when FW1 is up and FW-M tries to talk to FW2, FW2 should send an ICMP redirect which says "please use fw1 as router".
>
> that's fine.
>
> but: this packet is dropped by the firewall on FW2
>
> logentry: icmp-type 5 icmp-code 1 message_info ICMP packet out of state
> rule: no entry, not even rule zero
>
> global properties: accept outgoing packet origination from gateway is first
>
> it could be something like the old "unknown established tcp packet" problem, but the fix for 4.1 does not work for ng, because there is no ALLOW_NON_SYN_RULEBASE_MATCH in fwui_head.def
>
> best regards
>
> walter nordmann, cards engineering, germany
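The Unix part of the procedure in the reply above, as an added example that is not part of the original post or of Check Point's own tooling: a POSIX sh script that applies either out-of-state parameter idempotently, so running it twice does not leave duplicate "set fw:" lines or a doubled insmod token. The helpers take the file to edit as an argument (an assumption made here so the change can be rehearsed on a scratch copy); the real targets are /etc/system on Solaris and $FWDIR/bin/fwstart on Linux, and fwstop before and a reboot after are still required. The Windows registry step is not covered. Two caveats a practitioner would want: fw_allow_out_of_state_tcp=1 relaxes stateful inspection, because a TCP segment with no connection entry is then accepted whenever a rule matches it, so the log-only knob (fw_log_out_of_state_tcp=0) is the safer choice unless the stray packets really must pass; and both parameter names cover TCP only, while the log line in the quoted question is an ICMP drop.

```shell
#!/bin/sh
# Added example, not from the original post or from Check Point: apply the
# FireWall-1 NG HF2 out-of-state kernel parameters from the reply above.
# Each helper takes the file to edit as an argument (an assumption made here
# so the script can be dry-run on a copy); the real targets are /etc/system
# on Solaris and $FWDIR/bin/fwstart on Linux. fwstop before, reboot after.

# Solaris: ensure exactly one "set fw:NAME = VALUE" line exists in /etc/system,
# replacing any earlier setting of the same parameter instead of duplicating it.
solaris_set_fw_param() {
    file=$1 name=$2 value=$3
    tmp="$file.tmp.$$"
    # keep every line except an old setting of this parameter ...
    grep -v "^set fw:${name}[[:space:]]*=" "$file" > "$tmp" || true
    # ... then append the new one in /etc/system syntax
    printf 'set fw:%s = %s\n' "$name" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# Linux: append NAME=VALUE to the insmod line in fwstart. insmod takes module
# parameters as name=value tokens, so there must be no spaces around '='.
linux_set_fw_param() {
    file=$1 name=$2 value=$3
    tmp="$file.tmp.$$"
    # first strip any previous NAME=... token from the insmod line, then append
    sed -e "/insmod /s/ ${name}=[0-9]*//" \
        -e "/insmod /s/\$/ ${name}=${value}/" "$file" > "$tmp"
    mv "$tmp" "$file"
}

# Print the out-of-state settings currently in a file so the change can be
# reviewed before rebooting. Exit status 0 if any are present, 1 otherwise.
show_fw_params() {
    grep -E 'fw_(allow|log)_out_of_state_tcp' "$1"
}

# Usage (against scratch copies; point at the live files to apply for real):
#   cp /etc/system /tmp/system
#   solaris_set_fw_param /tmp/system fw_log_out_of_state_tcp 0
#   cp "$FWDIR/bin/fwstart" /tmp/fwstart
#   linux_set_fw_param /tmp/fwstart fw_log_out_of_state_tcp 0
#   show_fw_params /tmp/system; show_fw_params /tmp/fwstart
```

The sed edit is anchored on the line containing "insmod " because that is the line the reply says to change; the remove-then-append pair is what makes a second run harmless. Review the output of show_fw_params before rebooting, since a typo in /etc/system can stop a Solaris box from booting cleanly.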