
[FW-1] 4.1 SP5 SYN resets-- against boxes inside your own net



I have a client with a 4.1 SP5, NT platform firewall set up as an active SYN
Gateway.  In the logs of this firewall I am seeing increasing numbers of
rejects (message SYNDefender warning:  SYN -> SYN-ACK -> RST).  What is
interesting about these rejects is that the source IP is a random address
inside the protected LAN, and the destination IP is always a web server.

Some digging into this allowed me to reproduce the problem at will by
visiting http://www.bmw.com/e65/id14/3_a91_idrive.jsp from inside the LAN.
Sniffing the traffic turned up that the browser (IE 5.5 SP2, "critical
updated" to all blazes) was continually trying to refresh some content and
getting an HTTP 304 response from the web server (Netscape, I believe) in
response.  The browser didn't like the 304, and asked again, and again, and
again.  In the middle of all this activity the browsing box (Win2K, SP2,
again "critical updated" to the nines) is spitting out ACK packets.
Eventually the firewall nukes the connection by sending a TCP reset to the
browsing box.

The running theory over here is that somewhere between the IE client and
Netscape server, something is ticking off the firewall, maybe even ticking
off the TCP/IP stack on the browser box.  Can't really tell.  It just looks
weird.

Has anyone else noted this, or more to the point, can someone more in the
know on this kind of oddball item duplicate this the way I did & offer some
insight?  The logs on this firewall are getting really irritating to look
through... :)

   All contents © 2004 Network Presence, LLC. All rights reserved.