
Re: [FW-1] Nimda Uri

You didn't mention anything about the ndb_open error or fwauthd.conf.... I am glad you have overcome your problem. See ya around.

-----Original Message-----
From: Joe Bloggs [mailto:[email protected]]
Sent: Wednesday, March 13, 2002 7:08 PM
To: [email protected]
Subject: Re: [FW-1] Nimda Uri


Found the problem!!
The file $FWDIR/fwauthd.conf was missing; however, according to phoneboy you
need to delete that file when you get an ndb_open error when installing the
policy. This file contains the port numbers and timeouts for common TCP
ports.



>From: "Chontzopoulos, Dimitris" <[email protected]>
>Reply-To: Mailing list for discussion of Firewall-1
><[email protected]>
>To: [email protected]
>Subject: Re: [FW-1] Nimda Uri
>Date: Wed, 13 Mar 2002 14:51:28 +0200
>
>I can think of nothing else than that the FW has got a little bit F***** up...
>When this happened to me I had to re-install the M$ AND the FW software.
>Good luck man...
>
>-----Original Message-----
>From: Joe Bloggs [mailto:[email protected]]
>Sent: Wednesday, March 13, 2002 11:56 AM
>To: [email protected]
>Subject: Re: [FW-1] Nimda Uri
>
>
>Yes I am using static legal IPs, and yes we can get to the servers with the
>resource rule from internally and externally. It's only when I apply the
>resource rule that all access is denied. I think I may need to re-install
>the FW & MS software. I've got to do an NG upgrade anyway, therefore I
>might do that at the same time. However, I would like to know what the
>cause is though ...
>
>Thanks for your help.
>
>
> >From: "Chontzopoulos, Dimitris" <[email protected]>
> >Reply-To: Mailing list for discussion of Firewall-1
> ><[email protected]>
> >To: [email protected]
> >Subject: Re: [FW-1] Nimda Uri
> >Date: Tue, 12 Mar 2002 10:55:14 +0200
> >
> >If the web servers in the DMZ have static legal IP addresses (not private
> >10.0.0.0, 172.16.0.0-172.32.0.0, 192.168.0.0) then you shouldn't have any
> >problems. But no matter what, you must make sure that the Web Servers in the
> >DMZ can handle connections even if there are no HTTP-Resources and stuff
> >like that. Just make some rules permitting traffic to the WEB servers (do
> >not use URI) and try to see if it works. If it does work, unload the policy
> >(unplug the cables from the Web servers before doing that), reload the
> >policy, delete the URI resources and the web servers objects, install the
> >policy, create the URI resources and the Web servers objects, create the
> >rules at the TOP of your rule base (1. Nimda block, 2. HTTP permit), and
> >install the policy again. If you say that the rules work in another FW with
> >a clean install then I suspect it has something to do with the Network
> >Objects (the Web servers objects). It is rather a strange case... What
> >happens to you now happened to me 1 year ago. We tried to do the same
> >things as you did and had the exact case you did (the same result). What
> >did I do? I reinstalled the FW from scratch (FW and M$ server). If you
> >decide to reinstall the FW and M$ server keep in mind that you should back
> >up the "Conf" directory first, so you will not have to create everything
> >from scratch again... Give the "No URI" thought a try and let me know. See
> >ya.
> >
> >-----Original Message-----
> >From: Joe Bloggs [mailto:[email protected]]
> >Sent: Monday, March 11, 2002 7:39 PM
> >To: [email protected]
> >Subject: Re: [FW-1] Nimda Uri
> >
> >
> >Dimitris,
> >
> >I'm wondering if I have to enable static NAT in order for it to work, is
> >this the case?
> >
> >
> > >From: "Chontzopoulos, Dimitris" <[email protected]>
> > >Reply-To: Mailing list for discussion of Firewall-1
> > ><[email protected]>
> > >To: [email protected]
> > >Subject: Re: [FW-1] Nimda Uri
> > >Date: Mon, 11 Mar 2002 10:19:42 +0200
> > >
> > >I have created the following:
> > >
> > >"General" Tab
> > >==========
> > >Name                         : Block-Exploits-Http
> > >Comment                      : Nimda-Sand-CodeRed
> > >Connection Methods           : Transparent, Proxy
> > >Exception Track              : Log
> > >URI Match Specification Type : Wild Cards
> > >
> > >"Match" Tab
> > >=========
> > >Schemes                      : http, ftp, gopher, mailto, news, wais, Other: *
> > >Methods                      : GET, POST, HEAD, PUT, Other: *
> > >Host                         : *
> > >Path                         : {*default.ida?*,*cmd.exe*,*root.exe*,*admin.dll*,
> > >                                *readme.exe*,*.eml*,*.nws*,*sample.exe*,
> > >                                *csrss.exe*,*httpodbc.dll*}
> > >Query                        : *
> > >
> > >"Action" Tab
> > >=========
> > >Replacement URI              : http://no.exploits.allowed.com
> > >(This way you send a redirect to the host trying to exploit you, so the
> > >connection he initiated does not time out on your firewall. You send a
> > >redirection that doesn't exist, so the attacker times out while trying to
> > >resolve the non-existent domain.)
> > >All others                   : none, blank
> > >
> > >The most important follows:
> > >1. The "Nimda HTTP-Resource" must be placed at the top of your rule base.
> > >2. After the "Nimda HTTP-Resource" you should place all other
> > >   "HTTP-Resources" you may want to use in order to block downloads,
> > >   Web-Sites, etc.
> > >3. After the other HTTP-Resources you may define, you must create a rule
> > >   that will accept all other "Legal" HTTP/FTP browsing etc.
> > >
> > >Sample Configuration
> > >================
> > >No.  Source  Destination            Service                    Action  Track  Install On
> > >1    Any     Any                    http->Block-Exploits-Http  Drop    Long   Firewall
> > >2    Any     DMZ_Web_Servers_Group  Http, Https, Ftp           Accept  Long   Firewall
> > >
> > >I am using the exact scenario in the company I am working for and it works
> > >like a charm. If you define a Resource dropping traffic, you should also
> > >create a rule permitting the rest of the traffic. I had the same problem as
> > >you did when I first did something similar to yours. Don't forget to put the
> > >non-existent redirection. Please let me know whether it works or not.
> > >Thanx.
> > >
> > >-----Original Message-----
> > >From: Joe Bloggs [mailto:[email protected]]
> > >Sent: Sunday, March 10, 2002 12:23 PM
> > >To: [email protected]
> > >Subject: [FW-1] Nimda Uri
> > >
> > >
> > >We have a Checkpoint firewall 4.1 SP5. Web servers in a DMZ with legal IPs,
> > >therefore the FW is not doing any NAT. The problem is that if I enable the
> > >recommended rule to block Nimda/Code Red, i.e. create a URI and add it to a
> > >resource with rule any->any>http>nimda_uri, it blocks all access to the web
> > >servers from internally and externally and the log does not show anything.
> > >Any help appreciated.
> > >
> > >Our platform: Win2K SP2, FW-1 4.1 SP5
> > >
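As an added illustration of the URI resource and the two-rule ordering discussed in the thread (this is example code written for this page, not code from the list posters or from Check Point), a small Python evaluator applies the quoted wild-card path list to constructed request paths and shows why a resource drop rule with no accept rule after it denies every request. It assumes FW-1 wild cards treat `*` as any run of characters and every other character, including `?`, literally; the rule base is reduced to action and resource, leaving out source, destination and service.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Path wild cards copied from the Block-Exploits-Http resource quoted above.
BLOCKED_PATHS = [
    "*default.ida?*", "*cmd.exe*", "*root.exe*", "*admin.dll*", "*readme.exe*",
    "*.eml*", "*.nws*", "*sample.exe*", "*csrss.exe*", "*httpodbc.dll*",
]

def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    # Assumption: "*" matches any run of characters; everything else,
    # including "?", is taken literally. Anchored and case-insensitive.
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)

BLOCKED_RES = [wildcard_to_regex(p) for p in BLOCKED_PATHS]

def path_matches_resource(path: str) -> bool:
    """True when the request path hits any wild card in the resource."""
    return any(r.match(path) for r in BLOCKED_RES)

@dataclass
class Rule:
    number: int
    action: str          # "drop" or "accept"
    uses_resource: bool  # True: the rule only matches when the URI resource matches

# Rule base as in the "Sample Configuration": resource drop first, then a plain accept.
FULL_RULE_BASE = [Rule(1, "drop", True), Rule(2, "accept", False)]
# The original poster's situation: the resource rule with no accept rule after it.
RESOURCE_RULE_ONLY = [Rule(1, "drop", True)]

def evaluate(path: str, rules: List[Rule]) -> Tuple[str, Optional[int]]:
    """Walk the rule base top-down; a request no rule matches hits the implicit drop."""
    for rule in rules:
        if rule.uses_resource and not path_matches_resource(path):
            continue  # resource did not match, so this rule does not apply
        return rule.action, rule.number
    return "drop (implicit cleanup)", None

if __name__ == "__main__":
    # Constructed request paths: two worm probes and one legitimate page.
    for path in ["/scripts/root.exe?/c+dir", "/default.ida?XXXX", "/index.html"]:
        print(path, "->", evaluate(path, FULL_RULE_BASE),
              "| resource rule only:", evaluate(path, RESOURCE_RULE_ONLY))
```

With only rule 1 present the legitimate page falls through to the implicit drop, which is the "all access denied, nothing in the log" symptom the thread describes.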
   All contents © 2004 Network Presence, LLC. All rights reserved.