
Re: [FW-1] Nimda Uri



Yes, I am using static legal IPs, and yes, we can get to the servers with the
resource rule from internally and externally. It's only when I apply the
resource rule that all access is denied. I think I may need to re-install
the FW & MS software. I've got to do an NG upgrade anyway, therefore I might
do that at the same time. However, I would like to know what the cause is
though ...

Thanks for your help.


From: "Chontzopoulos, Dimitris" <[email protected]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: Re: [FW-1] Nimda Uri
Date: Tue, 12 Mar 2002 10:55:14 +0200

If the web servers in the DMZ have static legal IP addresses (not private
10.0.0.0, 172.16.0.0-172.32.0.0, 192.168.0.0) then you shouldn't have any
problems. But no matter what you must make sure that the Web Servers in the
DMZ can handle connections even if there are no HTTP-Resources and stuff
like that. Just make some rules permitting traffic to the WEB servers (do
not use URI) and try to see if it works. If it does work unload the policy
(unplug the cables from the Web servers before doing that), reload the
policy, delete the URI resources and the web servers objects, install the
policy, create the URI resources and the Web servers objects, create the
rules at the TOP of your rule base (1. Nimda block, 2. HTTP permit), and
install the policy again. If you say that the rules work in another FW with
clean install then I suspect it has something to do with the Network Objects
(the Web servers objects). It is rather a strange case... What happens to
you now has happened to me 1 year ago. We tried to do the same things as you
did and had the exact case you did (the same result). What did I do? I
reinstalled the FW from scratch (FW and M$ server). If you decide to
reinstall the FW and M$ server keep in mind that you should back up first
the "Conf" directory, so you will not have to create everything from scratch
again... Give a try at the "No URI" thought and let me know. See ya.

-----Original Message-----
From: Joe Bloggs [mailto:[email protected]]
Sent: Monday, March 11, 2002 7:39 PM
To: [email protected]
Subject: Re: [FW-1] Nimda Uri


Dimitris,


I'm wondering if I have to enable static NAT in order for it to work, is this
the case?


>From: "Chontzopoulos, Dimitris" <[email protected]>
>Reply-To: Mailing list for discussion of Firewall-1
><[email protected]>
>To: [email protected]
>Subject: Re: [FW-1] Nimda Uri
>Date: Mon, 11 Mar 2002 10:19:42 +0200
>
>I have created the following:
>
>"General" Tab
>==========
>Name : Block-Exploits-Http
>Comment : Nimda-Sand-CodeRed
>Connection Methods : Transparent, Proxy
>Exception Track : Log
>URI Match Specification Type : Wild Cards
>
>"Match Tab"
>=========
>Schemes : http, ftp, gopher, mailto, news, wais, Other: *
>Methods : GET, POST, HEAD, PUT, Other: *
>Host : *
>Path : {*default.ida?*,*cmd.exe*,*root.exe*,*admin.dll*,*readme.exe*,*.eml*,*.nws*,*sample.exe*,*csrss.exe*,*httpodbc.dll*}
>Query : *
>
>"Action" Tab
>=========
>Replacement Unit : http://no.exploits.allowed.com
>(This way you send a redirect to the host trying to exploit you, so the
>connection he initiated does not time out on your firewall. You send a
>redirection that doesn't exist, so the attacker times out while trying to
>resolve the non-existent domain)
>All others : none, blank
>
>The most important follows:
>1. The "Nimda HTTP-Resource" must be placed at the top of your rule base
>2. After the "Nimda HTTP-Resource" you should place all other
>"HTTP-Resources" you may want to use in order to block downloads,
>Web-Sites, etc
>3. After the other HTTP-Resources you may define you must create a rule
>that will accept all other "Legal" HTTP/FTP browsing etc
>
>Sample Configuration
>================
>No.1 Any Any http->Block-Exploits-Http Drop Long Firewall
>No.2 Any DMZ_Web_Servers_Group Http, Https, Ftp Accept Long Firewall
>
>I am using the exact scenario in the company I am working for and it works
>like a charm. If you define a Resource dropping traffic, you should also
>create a rule permitting the rest of the traffic. I had the same problem as
>you did when I first something similar to yours. Don't forget to put the
>non-existent redirection.
>Please let me know either it works or not. Thanx.
>
>-----Original Message-----
>From: Joe Bloggs [mailto:[email protected]]
>Sent: Sunday, March 10, 2002 12:23 PM
>To: [email protected]
>Subject: [FW-1] Nimda Uri
>
>
>We have a checkpoint firewall 4.1 sp5. Web servers in a DMZ with legal IPs,
>therefore FW is not doing any NAT. Problem is that if I enable the
>recommended rule to block nimda/code red, i.e. create uri and add to resource
>with rule any->any>http>nimda_uri, it blocks all access to the web servers
>from internally and externally and the log does not show anything. Any help
>appreciated.
>
>Our platform: Win2K SP2, FW-1 4.1 SP5
>
>=================================================
>To set vacation, Out Of Office, or away messages,
>send an email to [email protected]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[email protected]
>=================================================
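
An added example, not part of the original thread or of Check Point's software: a dry run of the quoted Path wildcards and the two-rule ordering against request targets taken from a web log, to see what rule No.1 would drop before the policy is installed. It assumes Python's `fnmatch` as a stand-in for the firewall's wildcard matcher (so `?` matches any single character), case-insensitive matching over path plus query, and an implicit drop after rule No.2; the request targets are constructed.

```python
from fnmatch import fnmatchcase

# Path wildcards copied from the Block-Exploits-Http resource quoted above.
BLOCK_PATTERNS = [
    "*default.ida?*", "*cmd.exe*", "*root.exe*", "*admin.dll*",
    "*readme.exe*", "*.eml*", "*.nws*", "*sample.exe*",
    "*csrss.exe*", "*httpodbc.dll*",
]

def matched_pattern(target):
    """Return the first wildcard matching the request target, else None.

    Assumption: fnmatch stands in for the firewall's matcher, applied
    case-insensitively to path plus query string.
    """
    lowered = target.lower()
    for pattern in BLOCK_PATTERNS:
        if fnmatchcase(lowered, pattern):
            return pattern
    return None

def evaluate(dst_in_dmz_group, target):
    """Model the two sample rules in order; the first matching rule wins."""
    pattern = matched_pattern(target)
    if pattern is not None:              # No.1: resource match -> Drop
        return ("drop", 1, pattern)
    if dst_in_dmz_group:                 # No.2: HTTP to the DMZ group -> Accept
        return ("accept", 2, None)
    return ("drop", None, None)          # assumed implicit drop of the rest

# Constructed request targets, all addressed to a DMZ web server.
SAMPLE_TARGETS = [
    "/index.html",
    "/default.ida?NNNNNNNN",
    "/scripts/root.exe?/c+dir",
    "/Downloads/Sample.EXE",          # benign name caught by *sample.exe*
    "/mail/welcome.eml",              # benign name caught by *.eml*
]

def audit(targets):
    """Return (target, action, rule, pattern) for each request target."""
    return [(t, *evaluate(True, t)) for t in targets]

if __name__ == "__main__":
    for row in audit(SAMPLE_TARGETS):
        print(row)
```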