
[FW-1] AW: [FW-1] Strange ICMP drops



Hi,

sometimes people write strange things into $SBHOME/etc/checklist. It is
worth a look, since people might have wanted the fw to switch when the NAT IP
of the internal server is not reachable by a designated filter module.

--Joerg


-----Original Message-----
From: Bergs, Martin [mailto:[email protected]]
Sent: Wednesday, 27 February 2002 10:29
To: [email protected]
Subject: [FW-1] Strange ICMP drops


Hi all,

we use Check Point FW-1 both in Version 4.0 and 4.1. The 4.0 FWs are running
with StoneBeat as a Cluster and the FWs under 4.1 run as a StoneBeat
FullCluster.

On both FW Systems we have a lot of log entries like this

Action: drop
Service:        diverse port higher than 1023
Source: 255.255.255.255
Dest:           NAT IP of internal server
Proto:  ICMP
Rule:           0
S_Port: 769
Info:           reason: local interface address spoofing

As we investigate the traffic with a sniffer on the segment where clients
are located we can see packets with the following structure:
DLC Header:
Src:    MAC address StoneBeat IF
Dst:    MAC address of Router
IP Header:
Src:    255.255.255.255
Dst:    NAT IP of internal server
ICMP:
Src:    NAT IP of internal server
Dst:    IP of internal client workstation
Type:   3, Destination unreachable
Code:   1, Host unreachable

It looks like the fw cluster is creating all these ICMP packets by itself,
because when we sniff on the segment where the server is located, we can't
see any ICMP traffic with Type=3 and Code=1. Otherwise the routing is okay
and the server is reachable from the client side.

Many thanks to all who give me an explanation.

Yours Sincerely / Mit freundlichen Gruessen
Martin Bergs

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
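
Added example, not part of the original posts: a small Python decoder for the packet shape described in the question, which flags an ICMP error whose outer source is 255.255.255.255 and reads the IP header quoted inside it. The addresses 192.0.2.10 (server NAT IP) and 10.1.1.25 (client) are constructed placeholders, and reading the sniffer's "ICMP: Src/Dst" lines as the quoted original datagram header is an assumption.

```python
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal IPv4 header (checksum left 0; it is not verified here)."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def build_sample(outer_src="255.255.255.255"):
    """Constructed packet: ICMP 3/1 quoting a server -> client TCP datagram."""
    quoted = ipv4_header("192.0.2.10", "10.1.1.25", 6, 8) + bytes(8)
    icmp = struct.pack("!BBHI", 3, 1, 0, 0) + quoted
    return ipv4_header(outer_src, "192.0.2.10", 1, len(icmp)) + icmp

def parse_ipv4(buf):
    """Return (header fields, payload) for an IPv4 datagram."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    f = struct.unpack(IPV4_FMT, buf[:20])
    ihl = (f[0] & 0x0F) * 4
    if f[0] >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("not a valid IPv4 header")
    hdr = {"src": str(ipaddress.IPv4Address(f[8])),
           "dst": str(ipaddress.IPv4Address(f[9])), "proto": f[6]}
    return hdr, buf[ihl:]

def analyze(packet):
    """Decode outer header, ICMP type/code and quoted header; list anomalies."""
    outer, payload = parse_ipv4(packet)
    result = {"outer": outer, "icmp": None, "quoted": None, "findings": []}
    src = ipaddress.IPv4Address(outer["src"])
    # RFC 1122 3.2.1.3: broadcast/multicast must never be a source address.
    if src == LIMITED_BROADCAST or src.is_multicast:
        result["findings"].append("outer source is a broadcast/multicast address")
    if outer["proto"] != 1 or len(payload) < 8:
        return result
    result["icmp"] = (payload[0], payload[1])      # (type, code)
    if payload[0] == 3 and len(payload) >= 28:     # destination unreachable
        result["quoted"], _ = parse_ipv4(payload[8:])
        # An ICMP error is sent to the sender of the datagram it quotes.
        if result["quoted"]["src"] != outer["dst"]:
            result["findings"].append("error not addressed to sender of quoted datagram")
    return result

if __name__ == "__main__":
    print(analyze(build_sample()))
```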
