Re: [FW-1] Nimda Uri




I can think of nothing else than the FW has got a little bit F***** up... When this happened to me I had to re-install the M$ AND the FW software. Good luck man...

-----Original Message-----
From: Joe Bloggs [mailto:[email protected]]
Sent: Wednesday, March 13, 2002 11:56 AM
To: [email protected]
Subject: Re: [FW-1] Nimda Uri


Yes I am using Static legal IPs, and yes we can get to the servers with the
resource rule from internally and externally. It's only when I apply the
resource rule that all access is denied. I think I may need to re-install
the FW & MS software, I've got to do an NG upgrade anyway, therefore I might
do that at the same time. However I would like to know what the cause is
though ...

Thanks for your help.


>From: "Chontzopoulos, Dimitris" <[email protected]>
>Reply-To: Mailing list for discussion of Firewall-1
><[email protected]>
>To: [email protected]
>Subject: Re: [FW-1] Nimda Uri
>Date: Tue, 12 Mar 2002 10:55:14 +0200
>
>If the web servers in the DMZ have static legal IP addresses (not private
>10.0.0.0, 172.16.0.0-172.32.0.0, 192.168.0.0) then you shouldn't have any
>problems. But no matter what you must make sure that the Web Servers in the
>DMZ can handle connections even if there are no HTTP-Resources and stuff
>like that. Just make some rules permitting traffic to the WEB servers (do
>not use URI) and try to see if it works. If it does work unload the policy
>(unplug the cables from the Web servers before doing that), reload the
>policy, delete the uri resources and the web servers objects, install the
>policy, create the URI resources and the Web servers objects, create the
>rules at the TOP of your rule base (1. Nimda block, 2. HTTP permit), and
>install the policy again. If you say that the rules work in another FW with
>clean install then I suspect it has something to do with the Network
>Objects (the Web servers objects). It is rather a strange case... What
>happens to you now has happened to me 1 year ago. We tried to do the same
>things as you did and had the exact case you did (the same result). What did
>I do? I reinstalled the FW from scratch (FW and M$ server). If you decide to
>reinstall the FW and M$ server keep in mind that you should back up first
>the "Conf" directory, so you will not have to create everything from
>scratch again... Give a try at the "No URI" thought and let me know. See ya.
>
>-----Original Message-----
>From: Joe Bloggs [mailto:[email protected]]
>Sent: Monday, March 11, 2002 7:39 PM
>To: [email protected]
>Subject: Re: [FW-1] Nimda Uri
>
>
>Dimitris,
>
>I'm wondering if I have to enable static NAT in order for it to work, is this
>the case?
>
>
> >From: "Chontzopoulos, Dimitris" <[email protected]>
> >Reply-To: Mailing list for discussion of Firewall-1
> ><[email protected]>
> >To: [email protected]
> >Subject: Re: [FW-1] Nimda Uri
> >Date: Mon, 11 Mar 2002 10:19:42 +0200
> >
> >I have created the following:
> >
> >"General" Tab
> >==========
> >Name                         : Block-Exploits-Http
> >Comment                      : Nimda-Sand-CodeRed
> >Connection Methods           : Transparent, Proxy
> >Exception Track              : Log
> >URI Match Specification Type : Wild Cards
> >
> >"Match" Tab
> >=========
> >Schemes : http, ftp, gopher, mailto, news, wais, Other: *
> >Methods : GET, POST, HEAD, PUT, Other: *
> >Host    : *
> >Path    : {*default.ida?*,*cmd.exe*,*root.exe*,*admin.dll*,*readme.exe*,*.eml*,*.nws*,*sample.exe*,*csrss.exe*,*httpodbc.dll*}
> >Query   : *
> >
> >"Action" Tab
> >=========
> >Replacement Unit : http://no.exploits.allowed.com
> >(This way you send a redirect to the host trying to exploit you, so the
> >connection he initiated does not time out on your firewall. You send a
> >redirection that doesn't exist, so the attacker times out while trying to
> >resolve the non-existent domain)
> >All others       : none, blank
> >
> >The most important follows:
> >1. The "Nimda HTTP-Resource" must be placed at the top of your rule base
> >2. After the "Nimda HTTP-Resource" you should place all other
> >   "HTTP-Resources" you may want to use in order to block downloads,
> >   Web-Sites, etc
> >3. After the other HTTP-Resources you may define, you must create a rule
> >   that will accept all other "Legal" HTTP/FTP browsing etc
> >
> >Sample Configuration
> >================
> >No.1    Any     Any                     http->Block-Exploits-Http   Drop     Long    Firewall
> >No.2    Any     DMZ_Web_Servers_Group   Http, Https, Ftp            Accept   Long    Firewall
> >
> >I am using the exact scenario in the company I am working for and it works
> >like a charm. If you define a Resource Dropping traffic, you should also
> >create a rule permitting the rest of the traffic. I had the same problem as
> >you did when I first something similar to yours. Don't forget to put the
> >non-existent redirection. Please let me know whether it works or not. Thanx.
> >
> >-----Original Message-----
> >From: Joe Bloggs [mailto:[email protected]]
> >Sent: Sunday, March 10, 2002 12:23 PM
> >To: [email protected]
> >Subject: [FW-1] Nimda Uri
> >
> >
> >We have a checkpoint firewall 4.1 sp5. Web servers in a DMZ with legal IPs
> >therefore FW is not doing any NAT. Problem is that if I enable the
> >recommended rule to block nimda/code red, i.e. create uri and add to resource
> >with rule any->any>http>nimda_uri, it blocks all access to the web servers
> >from internally and externally and the log does not show anything. Any help
> >appreciated.
> >
> >Our platform: Win2K SP2, FW-1 4.1 SP5
> >
> >
> >=================================================
> >To set vacation, Out Of Office, or away messages,
> >send an email to [email protected]
> >in the BODY of the email add:
> >set fw-1-mailinglist nomail
> >=================================================
> >To unsubscribe from this mailing list,
> >please see the instructions at
> >http://www.checkpoint.com/services/mailing.html
> >=================================================
> >If you have any questions on how to change your
> >subscription options, email
> >[email protected]
> >=================================================


 
----------------------------------
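The rule order discussed in the thread, as an added example that is not part of the original messages or of FireWall-1 itself: the Path wildcards from the Block-Exploits-Http resource are checked first, and the accept rule decides everything else. It assumes shell-style, case-insensitive globbing in place of the firewall's own matcher and an implicit drop when no rule matches; the function names and the request targets are constructed for illustration.

```python
import fnmatch

# Path wildcards copied from the Block-Exploits-Http resource quoted above.
PATH_PATTERNS = [
    "*default.ida?*", "*cmd.exe*", "*root.exe*", "*admin.dll*",
    "*readme.exe*", "*.eml*", "*.nws*", "*sample.exe*",
    "*csrss.exe*", "*httpodbc.dll*",
]


def matched_pattern(request_target):
    """Return the first wildcard matching the request target, or None.

    Assumption: fnmatch globbing on the lower-cased target stands in for the
    firewall's matcher. Under these semantics '?' matches any one character.
    """
    target = request_target.lower()
    for pattern in PATH_PATTERNS:
        if fnmatch.fnmatchcase(target, pattern):
            return pattern
    return None


def evaluate(request_target, accept_rule_present=True):
    """Walk the rule base top-down; the first matching rule decides."""
    hit = matched_pattern(request_target)
    if hit is not None:
        return "drop", "rule 1: " + hit        # resource rule at the top
    if accept_rule_present:
        return "accept", "rule 2"              # permit the remaining HTTP
    return "drop", "no rule matched"           # assumed implicit drop


# Constructed request targets, not taken from any real log.
SAMPLES = [
    "/index.html",
    "/products/list.asp?id=7",
    "/scripts/root.exe",
    "/default.ida?AAAA",
    "/scripts/Admin.DLL",
    "/mail/newsletter.eml",
    "/docs/default.idaho.html",   # benign, but '?' in the glob still matches
]

if __name__ == "__main__":
    for both_rules in (True, False):
        print("rules 1+2" if both_rules else "rule 1 only")
        for target in SAMPLES:
            action, reason = evaluate(target, both_rules)
            print(f"  {action:6} {reason:24} {target}")
```

Run with rule 1 only, ordinary requests are dropped for lack of a permit rule, which is the case the thread's advice about adding an accept rule covers.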

   All contents © 2004 Network Presence, LLC. All rights reserved.