[FW-1] Nimda rule (URI resource matching) makes file-uploading fail
Hi All,

I just added the Nimda rule as below in FW-1 NG (WinNT sp6):

ANY --- ANY --- http->Nimda_URI --- drop

However, I can't successfully upload files to the web server in the DMZ from my browser outside the DMZ as long as I enable this rule (even when I used {*.gif} for PATH.... this is incredible!!). The web server actually has one invalid IP and has a NAT setting which maps its invalid IP to a valid external IP.

Moreover, I did some experiments (changed Source and Destination, tried a couple of combinations) and found that this rule causes the file-uploading problem only when we use "ANY" for source and/or destination. If we don't use "ANY" but just use it for a network which doesn't have NAT, it won't cause file-uploading failures. ("ANY" always covers the network which has NAT for sure; in my case, "ANY" covers the external IPs network which includes the web server NAT setting.)

Apparently, we can't use the Nimda rule without using "ANY" since the only way to block inbound Nimda hacks from the Internet is using "ANY" as "Source".

Does any of you know of this bug regarding resource URI matching? Is it related to NAT? (It can't work properly with NAT. Certainly, this is just my guess.) How can we work around this problem or fix it if I'd like to use the Nimda rule in FW-1 NG?

Best Regards,
Jerry Chiuan
Oridus, Inc.