Re: [FW-1] Rule 998; MS-RPC; Port 135
"COULOMBE, TROY" wrote:
>
> FW: FW-1 4.1 sp2
>
> I have a rule allowing host-A in my dmz _ANY_ communication with Any
> network in my corp net.
> I have a correlating rule allowing ANY network in my corp to _ANY_
> communication with the DMZ.
>
> so my rules read as such:
>
> hst-a any any accept long
> any hst-a any accept long
>
> hst-a is a win2K box that is trying to enumerate a domain [among other
> things]. It is failing on "rule 998".
> Now, I don't have 998 rules [59 to be exact]. I am not NATing or such.
>
> A look at the traffic [w/ a sniffer] and all I see is the initial SYN packet
> with a dest port of 135. The packet doesn't look malformed [hey, it's only
> the SYN packet]....
> The firewall accepts it on SBIF0, but then rejects it on the way out the
> door on SBIF1. So my analysis is that it makes it through the FW's IP
> stack on SBIF0, gets routed, then fails on the outbound stack on SBIF1.
>
> But why?
>
> And I've sniffed the ether on SBIF1 to make sure it wasn't host-B that
> sent back a RST. It's the FW.
>
> Thoughts?
>
> I've scoured Google & Phoneboy with no luck. Google came back with one hit,
> but no one answered the thread... just that it sounded like he had something
> similar to what I have...
>
> Many thanks
> TroyC

Hi TroyC,

sorry, can't help, but some information - same problem. I posted my answer on 18 Feb (see below).

> The 997 is found in <Checkpoint>/lib/dcerpc.def (included in base.def)

Same file - look for 998.

> #define dcerpc_reject_alterc
> ...
> or /* ALTER CONTEXT to unknown interface! Reject. */
> (delete <conn> from connections, set sr1 997, log long, reject)
> ###> this is the rejected rule number
> dcerpc uses port 135, also Microsoft DCE locator service loc-srv/epmap - dcom
>
> I didn't really know what was happening. Are there any differences
> between Checkpoint's dcerpc and Microsoft's implementation of dcerpc?

I'm still looking for an answer, no GURUS around?

- bernd

>> "Kinsey, Brian A." wrote:
>>
>> I have some rejects showing up in my log viewer on rule 997. This is quite
>> interesting to me as we don't have nearly that many rules in our rulebase.
>>
>> I found some info on phoneboy and Checkpoint's KB on rule 998 rejects, but
>> nothing on 997. The 998 rejects there all had something to do with Exchange,
>> but the machines that are showing up in my log are not any kind of mail
>> servers.
>>
>> I have noticed this from a web server in one DMZ to a database server in
>> another DMZ as well as from External DNS servers in a DMZ and Internet IP
>> addresses.
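As an added illustration (not code from this thread or from Check Point), a small Python parser for the DCE/RPC bind and alter_context PDUs that the quoted dcerpc.def code inspects: it lists the interface UUIDs a client asks for on port 135 and flags any that are not on an allowlist, which is the "ALTER CONTEXT to unknown interface" condition the quoted code rejects under pseudo-rule 997/998. The allowlist, the sample PDUs and the helper names are assumptions; the Endpoint Mapper and NDR 2.0 UUIDs are the standard ones.

```python
import struct
import uuid

# DCE/RPC connection-oriented PDU types that negotiate interfaces
PTYPE_BIND = 11
PTYPE_ALTER_CONTEXT = 14
NDR_SYNTAX = ("8a885d04-1ceb-11c9-9fe8-08002b104860", 2)   # NDR 2.0 transfer syntax (real)
# Constructed allowlist: only the real Endpoint Mapper interface is expected on port 135
ALLOWED_INTERFACES = {"e1af8308-5d1f-11c9-91a4-08002b14a0fa"}


def build_context_pdu(ptype, interfaces, call_id=1):
    """Construct a little-endian bind/alter_context PDU requesting (uuid, major, minor)
    interfaces; only used here to produce sample input (constructed, not captured)."""
    ctx = b""
    for cont_id, (iface, major, minor) in enumerate(interfaces):
        ctx += struct.pack("<HBB", cont_id, 1, 0)               # one transfer syntax
        ctx += uuid.UUID(iface).bytes_le + struct.pack("<I", major | minor << 16)
        ctx += uuid.UUID(NDR_SYNTAX[0]).bytes_le + struct.pack("<I", NDR_SYNTAX[1])
    body = struct.pack("<HHIBBH", 5840, 5840, 0, len(interfaces), 0, 0) + ctx
    hdr = struct.pack("<BBBB", 5, 0, ptype, 0x03) + b"\x10\x00\x00\x00"  # drep: LE, ASCII
    return hdr + struct.pack("<HHI", 16 + len(body), 0, call_id) + body


def requested_interfaces(pdu):
    """Parse a bind or alter_context PDU; return (ptype, [(uuid, major, minor)]).
    Other PDU types give an empty list. The drep byte selects the byte order."""
    if len(pdu) < 16 or pdu[0] != 5:
        raise ValueError("not a DCE/RPC v5 connection-oriented PDU")
    ptype, little = pdu[2], (pdu[4] & 0xF0) == 0x10
    e = "<" if little else ">"
    if struct.unpack_from(e + "H", pdu, 8)[0] > len(pdu):
        raise ValueError("truncated fragment")
    if ptype not in (PTYPE_BIND, PTYPE_ALTER_CONTEXT):
        return ptype, []
    n_ctx, off, found = pdu[24], 28, []              # body: xmit(2) recv(2) assoc(4) n_ctx(1)
    for _ in range(n_ctx):
        n_ts, raw = pdu[off + 2], pdu[off + 4:off + 20]
        u = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
        ver = struct.unpack_from(e + "I", pdu, off + 20)[0]
        found.append((str(u), ver & 0xFFFF, ver >> 16))
        off += 24 + 20 * n_ts                         # skip abstract + transfer syntaxes
    return ptype, found


def unknown_interface_requests(pdu):
    """Interfaces a bind/alter_context asks for that are not allowlisted: the condition
    under which the quoted dcerpc.def code logs rule 997/998 and rejects."""
    _, found = requested_interfaces(pdu)
    return [f for f in found if f[0] not in ALLOWED_INTERFACES]
```

Running it over the first client PDU of a captured port-135 session shows which interface the client negotiated, which is what the firewall log entry with the pseudo-rule number does not tell you.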