Re: [FW-1] Rule 998; MS-RPC; Port 135
We got it figured out [sorta].... :-)

Our FW Design guru had mentioned it in one of our meetings, and everyone in support said, "Nah, shouldn't matter"...hehehehe

Checkpoint had advised to go to sp4. sp4 didn't fix it. :-<

What did fix it was moving these "host any any" rules way up on the list [on sp2 at that!]...as recommended by our design guy. The crazy part is that these two rules are the only rules that these particular hosts are in... so while it "shouldn't have mattered" where on the list they were, IT DID!

Good luck & thanks for answering :-)

TroyC

-----Original Message-----
From: Bernd Zimmermann [mailto:[email protected]]
Sent: Wednesday, March 13, 2002 2:10 AM
To: [email protected]
Subject: Re: [FW-1] Rule 998; MS-RPC; Port 135

"COULOMBE, TROY" wrote:
>
> FW: FW-1 4.1 sp2
>
> I have a rule allowing host-A in my dmz _ANY_ communication with Any
> network in my corp net.
> I have a correlating rule allowing ANY network in my corp to _ANY_
> communication with the DMZ.
>
> so my rules read as such:
>
> hst-a any any accept long
> any hst-a any accept long
>
> hst-a is a win2K box that is trying to enumerate a domain [among other
> things]. It is failing on "rule 998".
> Now, I don't have 998 rules [59 to be exact]. I am not NATing or such.
>
> A look at the traffic [w/ a sniffer] and all I see is the initial SYN packet
> with a dest port of 135. The packet doesn't look malformed [hey, it's only
> the SYN packet]....
> The firewall accepts it on SBIF0, but then rejects it on the way out the
> door on SBIF1. So my analysis is that it makes it through the FW's IP
> stack on SBIF0, gets routed, then fails on the Outbound stack on SBIF1.
>
> But why?
>
> And I've sniffed the ether on SBIF1 to make sure it wasn't host-B that
> sent back a RST. It's the FW.
>
> Thoughts?
>
> I've scoured Google & Phoneboy with no luck. Google came back with one hit,
> but no one answered the thread...just that it sounded like he had something
> similar to what I have...
>
> Many thanks
> TroyC

Hi TroyC,

sorry, can't help, but some information - same problem. I posted my answer on 18 Feb (see below).

> The 997 is found in <Checkpoint>/lib/dcerpc.def (included in base.def)

same file - look for 998.

> #define dcerpc_reject_alterc
> ...
> or /* ALTER CONTEXT to unknown interface! Reject. */
> (delete <conn> from connections, set sr1 997, log long, reject)
> ###> this is the rejected rule number
> dcerpc uses port 135, also Microsoft DCE locator service loc-srv/epmap - dcom
>
> I didn't really know what was happening. Are there any differences
> between Checkpoint's dcerpc and Microsoft's implementation of dcerpc?

i'm still looking for an answer, no GURUS around ?

- bernd

>> "Kinsey, Brian A." wrote:
>>
>> I have some rejects showing up in my log viewer on rule 997. This is quite
>> interesting to me as we don't have nearly that many rules in our rulebase.
>>
>> I found some info on phoneboy and Checkpoint's KB on rule 998 rejects, but
>> nothing on 997. The 998 rejects there all had something to do with Exchange,
>> but the machines that are showing up in my log are not any kind of mail
>> servers.
>>
>> I have noticed this from a web server in one DMZ to a database server in
>> another DMZ as well as from External DNS servers in a DMZ and Internet IP
>> addresses.
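The dcerpc.def snippet quoted above rejects an ALTER CONTEXT whose interface the inspection code does not recognise, which is why the log shows an implicit rule number rather than one from the rulebase. To make that check concrete, here is an added Python example (not Check Point's code and not from anyone in the thread) that decodes a DCE/RPC bind / alter_context PDU, pulls the interface UUID out of each presentation context and returns the verdict such a check would reach; the KNOWN_INTERFACES allowlist, UNKNOWN_IFACE and the PDUs produced by build_pdu are constructed for the demo.

```python
import struct
import uuid

PTYPE_BIND, PTYPE_ALTER_CONTEXT = 11, 14
# Real well-known values: NDR transfer syntax v2 and the endpoint-mapper interface.
NDR32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
EPMAP = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")
# Hypothetical allowlist standing in for the interface table dcerpc.def consults.
KNOWN_INTERFACES = {EPMAP}
# Constructed UUID that is deliberately not in the allowlist (demo input only).
UNKNOWN_IFACE = uuid.UUID("00000000-0000-0000-0000-0000deadbeef")

def build_pdu(ptype, iface, iface_ver=3, call_id=1):
    """Constructed test input: minimal little-endian bind/alter_context PDU with one
    presentation context (abstract syntax = iface, transfer syntax = NDR32)."""
    ctx = struct.pack("<HBB", 0, 1, 0) + iface.bytes_le + struct.pack("<I", iface_ver)
    ctx += NDR32.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHIB3x", 4280, 4280, 0, 1) + ctx  # max frags, assoc group, n_ctx
    hdr = struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\0\0\0", 16 + len(body), 0, call_id)
    return hdr + body

def parse_contexts(pdu):
    """Return (ptype, [(context_id, interface_uuid, version), ...]) from the 16-byte
    common header plus the bind/alter_context presentation-context list."""
    ver, _, ptype, _, drep, frag_len, _, _ = struct.unpack_from("<BBBB4sHHI", pdu, 0)
    if ver != 5 or drep[0] >> 4 != 1:  # only DCE RPC v5 with little-endian drep handled
        raise ValueError("unsupported version or data representation")
    if frag_len != len(pdu):
        raise ValueError("frag_length does not match PDU size")
    if ptype not in (PTYPE_BIND, PTYPE_ALTER_CONTEXT):
        return ptype, []
    off, ctxs = 28, []
    for _ in range(pdu[24]):  # n_context_elem sits right after max frags + assoc group
        cont_id, n_ts = struct.unpack_from("<HB", pdu, off)
        iface = uuid.UUID(bytes_le=pdu[off + 4:off + 20])
        ctxs.append((cont_id, iface, struct.unpack_from("<I", pdu, off + 20)[0]))
        off += 24 + 20 * n_ts  # each transfer syntax is uuid(16) + version(4)
    return ptype, ctxs

def inspect(pdu):
    """Verdict an inspection engine reaches: reject a bind or ALTER CONTEXT naming an
    interface it does not know. dcerpc.def logs the alter_context case as 'rule 997'."""
    ptype, ctxs = parse_contexts(pdu)
    unknown = [str(i) for _, i, _ in ctxs if i not in KNOWN_INTERFACES]
    if ptype == PTYPE_ALTER_CONTEXT and unknown:
        return "reject", "ALTER CONTEXT to unknown interface " + unknown[0]
    if ptype == PTYPE_BIND and unknown:
        return "reject", "bind to unknown interface " + unknown[0]
    return "accept", None
```

Feeding a real capture's port-135 payload into inspect() shows which interface UUID an inspection engine would object to, which is the first thing to compare against the rejecting host's actual requests.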
=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================