Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] Rule 998; MS-RPC; Port 135

To: [email protected]
Subject: Re: [FW-1] Rule 998; MS-RPC; Port 135
From: "COULOMBE, TROY" <[email protected]>
Date: Thu, 14 Mar 2002 08:19:26 -0800
Comments: cc: "[email protected]" <[email protected]>
Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>

We got it figured out [sorta].... :-)

Our FW Design guru had mentioned it in one of our meetings, and everyone in
support said, "Nah, shouldn't matter"...hehehehe

Checkpoint had advised to go to sp4.  sp4 didn't fix it. :-<

What did fix it was moving these "host any any" rules way up on the list [on
sp2 at that!]...As recommended by our design guy

The crazy part is that these two rules are the only rules that these
particular hosts are in...

so while it "shouldn't have mattered" where on the list they were, IT DID!

Good luck & thanks for answering :-)
TroyC

-----Original Message-----
From: Bernd Zimmermann [mailto:[email protected]]
Sent: Wednesday, March 13, 2002 2:10 AM
To: [email protected]
Subject: Re: [FW-1] Rule 998; MS-RPC; Port 135


"COULOMBE, TROY" schrieb:
>
> FW: FW-1 4.1 sp2
>
> I have a rule allowing host-A in my dmz  _ANY_ communication with Any
> network in my corp net.
> I have a correlating rule allowing ANY network in my corp to  _ANY_
> communication with the DMZ.
>
> so my rules read as such:::
>
> hst-a   any     any     accept  long
> any     hst-a   any     accept  long
>
> hst-a is a win2K box that is trying to enumerate a domain [among other
> things].  It is failing on "rule 998"
> Now, I don't have 998 rules [59  to be exact]  I am not NATing or such.
>
> A look of the traffic [w/ a sniffer] and all I see is the initial SYN
packet
> with a dest port of 135.  The packet doesn't look malformed [hey it's only
> the SYN packet]....
> The firewall accepts it on SBIF0, but then rejects it on the way out the
> door on SBIF1.   So my analysis is that it makes it through the FW's IP
> stack on SBIF0, get's routed, then fails on the Outbound stack on SBIF1.
>
> But why?
>
> And I've sniffed the ether on SBIF1 to make sure it wasn't the host-B that
> sent back a RST.  It's the FW.
>
> Thoughts?
>
> I've scoured Google & Phoneboy with no luck.  Google came back with one
hit,
> but no one answered the thread...just that it sounded like he had
something
> similar to what I have...
>
> Many thanks
> TroyC

Hi TroyC,

sorry can't help, but some information - same problem.
I posted my answer on 18 Feb (see below ).


> The 997 is found in <Checkpoint>/lib/dcerpc.def   (included in base.def)
same file - look for 998.
>
>#define dcerpc_reject_alterc
>...
>or              /* ALTER CONTEXT to unknown interface! Reject.
>*/
>(delete <conn> from connections, set sr1 997, log long, reject)

>###> this is the rejected rule number

>dcerpc uses port 135, also Microsoft DCE locator service loc-srv/epmap -
>dcom
>
>I didn't really know what was happening. Are there any differences
>between checkpoints dcerpc and microsofts implementation of dcerpc ?

i'm still looking for an answer,
no GURUS around ?

- bernd

>>"Kinsey, Brian A." schrieb:
>>
>> I have some rejects showing up in my log viewer on rule 997. This is
quite
>> interesting to me as we don't have nearly that many rules in our
rulebase.
>>
>> I found some info on phoneboy and Checkpoint's KB on rule 998 rejects,
but
>> nothing on 997. The 998 rejects there all had something to do with
Exchange,
>> but the machines that are showing up in my log are not any kind of mail
>> servers.
>>
>> I have noticed this from a web server in one DMZ to a database server in
>> another DMZ as well as from External DNS servers in a DMZ and Internet IP
>> addresses.

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

Prev by Date: [FW-1] How to change NT FW-1 IP address due ISP move
Next by Date: Re: [FW-1] Does anyone know how to block Kazaa, Morpheus and all these paras ites on a FW-1 ?
Previous by thread: Re: [FW-1] Rule 998; MS-RPC; Port 135
Next by thread: [FW-1] Content - Encoding type not allowed
Index(es):
- Date
- Thread