Re: [FW-1] Non-SYN problems with NG FP2 / Will CP support for Non-SYN in the future?
NG does allow this. I am not sure about 4.1. The only thing I can find in the older revs deals with "Fast Mode" and that only supports what you are asking in specific situations.

- Close all VPN-1/FireWall-1 NG GUI clients
- Backup the original FWDIR/conf/objects_5_0.C .

1. From command line run dbedit (dbedit -h for help)
2. Enter resolvable hostname or IP of management server.
3. Enter username and password.
4. Enter command: modify properties firewall_properties fw_allow_out_of_state_tcp 1
5. To save: update properties firewall_properties
6. To exit dbedit issue command 'quit'. This will also save any changes made.
7. Open the Policy editor and install the policy.

DOWNSIDE -- !!!My Disclaimer First!!! I could be wrong about some of the things I wrote here, so if any of these issues concern you, verify them with the vendor and any support you have -- not to mention any responses drawn from this email on this list!!!

This will supposedly let you apply policy to ALL the rules without checking the SYN flag. I do not think you can do it on a rule-by-rule basis. This can be very dangerous. If you are getting packets from anywhere which you do not consider fully trustworthy in even one of the rules (and even from places you do trust if you are properly paranoid) you can potentially allow dangerous packets and scans through your firewall. Many times, people will send packet scans with all kinds of flag combinations set to determine what type of machines and OS are running as well as what types of service they are running. This type of packet would not normally make it through a "stateful" firewall and therefore would not elicit a response from your devices because the normal connection set-up was not seen by the firewall. There are also various DoS attacks which take advantage of abnormal TCP flags.

Even worse, there are plenty of attacks which can be hidden in fragmented packets (which have no TCP header info at all) that would probably get through the firewall as a result of this option.

NOTE!!! Once they know your machines, their OS, and the services running it is usually a trivial task to find the right exploit to compromise a machine.

----- Original Message -----
From: "Reed Mohn, Anders" <[email protected]>
To: <[email protected]>
Sent: Tuesday, April 30, 2002 4:12 AM
Subject: Re: [FW-1] Non-SYN problems with NG FP2 / Will CP support for Non-SYN in the future?

>
> > As I said, non-SYN passing used to be the default behavior but
> > led to DoS
> > problems.
>
> <out-of-my-league-warning>
>
> Would it be possible to implement an "Accept Non-SYN packets"-
> setting on specific rules, or have a separate ruleset for this
> kind of situation?
> Would it be possible for CP to include such behaviour in the
> FW? What would be the dangerous side-effects of that?
>
> Cheers,
> Anders :)
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
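A small Python model of the SYN-checked stateful inspection discussed in this thread, added here as an illustration and not Check Point's code: it shows that the fw_allow_out_of_state_tcp switch is global rather than per rule, which constructed probes a SYN-checked state table drops, and what the same table accepts once the check is off. The Packet, StatefulFirewall and demo names, the fragment handling and the addresses are assumptions made up for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset        # TCP flag names, e.g. {"SYN"}, {"ACK"}, {"FIN"}
    frag_offset: int = 0    # > 0: non-first IP fragment, no TCP header present

class StatefulFirewall:
    """Simplified model of SYN-checked stateful inspection (constructed, not CP's code)."""
    def __init__(self, allowed_ports, allow_out_of_state_tcp=False):
        self.allowed_ports = set(allowed_ports)
        self.allow_out_of_state_tcp = allow_out_of_state_tcp   # global switch, not per rule
        self.table = set()  # flows whose SYN the firewall has already seen

    def inspect(self, pkt):
        if pkt.frag_offset > 0:
            # No TCP header to check; modelled (an assumption) as passing only
            # when SYN checking is disabled, the concern raised in the mail above.
            return "accept:fragment" if self.allow_out_of_state_tcp else "drop:fragment"
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            return "accept:established"       # part of a connection set up via SYN
        if pkt.flags == {"SYN"}:
            if pkt.dport in self.allowed_ports:
                self.table.add(fwd)           # record the new flow
                return "accept:new"
            return "drop:policy"
        # Any other flag combination on a flow with no SYN seen yet.
        if self.allow_out_of_state_tcp and pkt.dport in self.allowed_ports:
            return "accept:out-of-state"
        return "drop:out-of-state"

def demo(allow_out_of_state_tcp):
    """Run constructed packets through the model; returns name -> verdict."""
    fw = StatefulFirewall(allowed_ports={80}, allow_out_of_state_tcp=allow_out_of_state_tcp)
    probes = {
        "syn_to_80": Packet("10.0.0.5", 40001, "192.0.2.10", 80, frozenset({"SYN"})),
        "ack_reply": Packet("192.0.2.10", 80, "10.0.0.5", 40001, frozenset({"SYN", "ACK"})),
        "ack_probe": Packet("10.0.0.9", 40002, "192.0.2.10", 80, frozenset({"ACK"})),
        "fin_probe": Packet("10.0.0.9", 40003, "192.0.2.10", 80, frozenset({"FIN"})),
        "syn_to_23": Packet("10.0.0.9", 40004, "192.0.2.10", 23, frozenset({"SYN"})),
        "fragment":  Packet("10.0.0.9", 40005, "192.0.2.10", 80, frozenset(), frag_offset=8),
    }
    return {name: fw.inspect(p) for name, p in probes.items()}
```

Comparing demo(False) with demo(True) shows that the switch changes only the verdict for packets with no SYN in the table; rules that deny a port still deny it either way.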