Re: [FW-1] Non-SYN problems with NG FP2 / Will CP support for Non-SYN in the future?



NG does allow this.  I am not sure about 4.1.  The only thing I can find in
the older revs deals with "Fast Mode" and that only supports what you are
asking in specific situations.

- Close all VPN-1/FireWall-1 NG GUI clients
- Back up the original FWDIR/conf/objects_5_0.C
1. From command line run dbedit (dbedit -h for help)
2. Enter resolvable hostname or IP of management server.
3. Enter username and password.
4. Enter command:

     modify properties firewall_properties fw_allow_out_of_state_tcp 1

5. To Save

     update properties firewall_properties

6. To exit dbedit, issue the command 'quit'. This will also save any changes made.
7. Open the Policy editor and install the policy.

DOWNSIDE -- !!!My Disclaimer First!!!  I could be wrong about some of the
things I wrote here, so if any of these issues concern you, verify them with
the vendor and any support you have -- not to mention any responses drawn
from this email on this list!!!  This will supposedly let you apply policy
to ALL the rules without checking the SYN flag.  I do not think you can do
it on a rule-by-rule basis.  This can be very dangerous.  If you are getting
packets from anywhere which you do not consider fully trustworthy in even
one of the rules (and even from places you do trust if you are properly
paranoid) you can potentially allow dangerous packets and scans through your
firewall.  Many times, people will send packet scans with all kinds of flag
combinations set to determine what type of machines and OS are running as
well as what types of service they are running.  This type of packet would
not normally make it through a "stateful" firewall and therefore would not
elicit a response from your devices because the normal connection set-up was
not seen by the firewall.  There are also various DoS attacks which take
advantage of abnormal TCP flags.  Even worse, there are plenty of attacks
which can be hidden in fragmented packets (which have no TCP header info at
all) that would probably get through the firewall as a result of this
option.  NOTE!!!  Once they know your machines, their OS, and the services
running it is usually a trivial task to find the right exploit to compromise
a machine.

----- Original Message -----
From: "Reed Mohn, Anders" <[email protected]>
To: <[email protected]>
Sent: Tuesday, April 30, 2002 4:12 AM
Subject: Re: [FW-1] Non-SYN problems with NG FP2 / Will CP support for Non-SYN in the future?


> > As I said, non-SYN passing use to be the default behavior but
> > led to DoS
> > problems.
>
> <out-of-my-league-warning>
>
> Would it be possible to implement an "Accept Non-SYN packets"-
> setting on specific rules, or have a separate ruleset for this
> kind of situation?
> Would it be possible for CP to include such behaviour in the
> FW? What would be the be dangerous side-effects of that?
>
> Cheers,
> Anders :)
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================

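As an added illustration (not code from the original post, and not Check Point's implementation), the toy Python model below shows what the global fw_allow_out_of_state_tcp property discussed above changes. It tracks only the 4-tuples whose SYN the firewall has seen; with the property off, any TCP segment or non-first IP fragment that does not belong to a seen connection is dropped, and with it on, those same packets are accepted. The packets, addresses and labels are constructed sample data, and the model ignores the rulebase, timeouts and sequence checking, so it is a simplification of real stateful inspection, not a description of the product's internals. The last function is the check a defender would want before flipping the property: replay a sample of traffic and list exactly which packets would be admitted only because of the setting.

```python
"""Toy stateful TCP filter illustrating fw_allow_out_of_state_tcp.

Added example; not Check Point code. All packets below are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    label: str            # constructed name used in the report
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = field(default_factory=frozenset)  # TCP flags seen
    fragment: bool = False  # non-first IP fragment: no TCP header visible


class ToyStatefulFilter:
    """Accepts TCP only for connections whose SYN was seen, unless the
    out-of-state property is on (hypothetical model of the FW-1 setting)."""

    def __init__(self, allow_out_of_state_tcp: bool):
        self.allow_out_of_state_tcp = allow_out_of_state_tcp
        self.connections = set()  # 4-tuples (src, sport, dst, dport) with a seen SYN

    @staticmethod
    def _key(p: Packet):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet):
        return (p.dst, p.dport, p.src, p.sport)

    def process(self, p: Packet) -> str:
        """Return 'accept' or 'drop'; a bare SYN creates connection state."""
        if p.fragment:
            # A later fragment carries no TCP flags at all, so state cannot
            # be matched; only the out-of-state property lets it through.
            return "accept" if self.allow_out_of_state_tcp else "drop"
        if p.flags == {"SYN"}:
            self.connections.add(self._key(p))
            return "accept"
        if self._key(p) in self.connections or self._reverse_key(p) in self.connections:
            return "accept"  # belongs to a handshake the firewall saw
        # Out of state: no SYN seen for this 4-tuple in either direction.
        return "accept" if self.allow_out_of_state_tcp else "drop"


# Constructed traffic sample: one legitimate handshake plus three packets
# that a stateful firewall would normally refuse.
SAMPLE_PACKETS = [
    Packet("syn", "10.1.1.5", 40000, "192.0.2.10", 80, frozenset({"SYN"})),
    Packet("syn_ack", "192.0.2.10", 80, "10.1.1.5", 40000, frozenset({"SYN", "ACK"})),
    Packet("ack_data", "10.1.1.5", 40000, "192.0.2.10", 80, frozenset({"ACK", "PSH"})),
    # ACK with no preceding SYN, e.g. after a failover or a stray probe
    Packet("stray_ack", "198.51.100.7", 44444, "192.0.2.10", 80, frozenset({"ACK"})),
    # FIN-only segment of the kind used for OS and service fingerprinting
    Packet("fin_probe", "198.51.100.7", 44445, "192.0.2.10", 22, frozenset({"FIN"})),
    # Non-first IP fragment: no TCP header, so no flags to inspect
    Packet("fragment", "198.51.100.7", 0, "192.0.2.10", 0, fragment=True),
]


def run_sample(allow_out_of_state_tcp: bool, packets=SAMPLE_PACKETS) -> dict:
    """Replay the packets through a fresh filter; map label -> verdict."""
    fw = ToyStatefulFilter(allow_out_of_state_tcp)
    return {p.label: fw.process(p) for p in packets}


def packets_admitted_only_by_flag(packets=SAMPLE_PACKETS) -> list:
    """Labels of packets that pass solely because the property is on.

    This is the pre-change check: whatever appears here is the traffic the
    firewall would stop inspecting statefully once the property is set."""
    off = run_sample(False, packets)
    on = run_sample(True, packets)
    return [p.label for p in packets if off[p.label] == "drop" and on[p.label] == "accept"]


if __name__ == "__main__":
    for mode in (False, True):
        print(f"fw_allow_out_of_state_tcp={int(mode)}:", run_sample(mode))
    print("admitted only by the property:", packets_admitted_only_by_flag())
```

Running the module prints the verdicts for both settings and the list of packets that change from drop to accept; in the constructed sample those are the stray ACK, the FIN-only probe and the fragment, which is the concrete form of the downside described in the reply.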
   All contents © 2004 Network Presence, LLC. All rights reserved.