Re: [FW-1] TCP Packet out of state messages
FireWall-1 NG is much more picky about TCP state than previous versions of FireWall-1, so some applications have issues. If the only side effect you are seeing is logs (you're not noticing an application not working) then it's not so bad. I don't think it is detrimental to disable stateful inspection as long as you are only turning it off as a mitigating factor while you try and figure out what is causing this symptom.

One troubleshooting method is to modify the $FWDIR/lib/user.def file to prevent state inspection on certain ports:

    // User defined INSPECT code
    //
    deffunc user_accept_non_syn() { dport = 80 };

In this example you will not be checking for state on port 80 traffic. Remember that if you upgrade in the future the user.def file may be overwritten and any changes you have made to it may have to be rewritten.

If you are using VRRP make sure the time is synchronized. If you are using NAT make sure there is no asynchronous routing. Use tcpdump to get a better idea of what is out of state. And remember, even though they are out of state they are still getting analyzed by the rule base.

And be sure to tell the list if you discover anything!

Mitchell E Rowton
-------------------
Network Security Engineer
CCNP, CCDP, CCSA, NSA IAM, Network+
----------------------------
Free security white papers
http://www.rowtonconsulting.com

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Mark Ward
Sent: Saturday, February 01, 2003 4:26 AM
To: [email protected]
Subject: Re: [FW-1] TCP Packet out of state messages

Why don't you just choose to stop logging them? You should not really allow them through as they are not established.

----- Original Message -----
From: "egonle" <[email protected]>
To: <[email protected]>
Sent: Friday, January 31, 2003 8:37 PM
Subject: Re: [FW-1] TCP Packet out of state messages

IMHO, you shouldn't select that option. It will enable FW-1 to forward (out of state) packets according to the rulebase. That means a new connection does not have to be set up by a 3-way TCP handshake; just an ACK bit set is OK to allow the connection.

"Laidlaw, Rob" <[email protected]> wrote:
> The option tells Check Point, when it's confronted with an out-of-state packet, whether it should try to recover the session or just drop it. It will not get rid of the out-of-state packets, because something has caused it to be flagged as out of state, for instance traffic to a dynamic NAT after the translation has expired.
>
> Hope this helps.
>
> Rob
>
> -----Original Message-----
> From: John Hall [mailto:[email protected]]
> Sent: Wednesday, January 29, 2003 11:22 AM
> To: [email protected]
> Subject: [FW-1] TCP Packet out of state messages
>
> I am planning to:
>
> Select: Drop out of state TCP packets option under Stateful Inspection in Global Properties on NG FP2 in order to rid myself of those TCP Packet out of state messages. I assume this will do the job. Are there any unwelcome side effects?
> Should I reboot the machine after selecting this option?
> Our firewall is in a Solaris 8 HA configuration.
>
> Thanks
>
> John
>
> John Hall
> TD Waterhouse
> 201 Deansgate
> Manchester UK
> www.tdwaterhouse.co.uk

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
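To make the state logic discussed in this thread concrete, here is an added toy connection tracker (example code written for this archive page, not Check Point's INSPECT engine and not from any of the posters). It labels each TCP segment NEW, ESTABLISHED or OUT_OF_STATE, shows how an aged-out table entry (Rob's expired dynamic NAT translation) turns a legitimate reply into an out-of-state packet, and mirrors the `dport = 80` exemption from the user.def snippet. The packets, addresses, ports and timeout are all constructed.

```python
from collections import namedtuple

SYN, ACK = 0x02, 0x10   # TCP flag bits used by the toy tracker
Packet = namedtuple("Packet", "ts src sport dst dport flags")  # ts in seconds

class StateTable:
    """Toy stateful-inspection table: a flow is known only after its SYN was seen,
    and an idle entry expires after `timeout` seconds."""
    def __init__(self, timeout=3600.0, accept_non_syn_ports=frozenset()):
        self.timeout = timeout
        # Destination ports exempt from the SYN check, mirroring
        # `deffunc user_accept_non_syn() { dport = 80 };` in user.def
        self.accept_non_syn_ports = accept_non_syn_ports
        self.table = {}  # flow key -> timestamp of the last packet seen

    @staticmethod
    def key(p):
        # Direction-independent 4-tuple so server replies match the client's SYN entry
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def classify(self, p):
        k = self.key(p)
        if k in self.table and p.ts - self.table[k] > self.timeout:
            del self.table[k]      # aged out, like a dynamic NAT translation that expired
        if p.flags & SYN and not p.flags & ACK:
            self.table[k] = p.ts   # handshake start: the legitimate way to create an entry
            return "NEW"
        if k in self.table:
            self.table[k] = p.ts   # belongs to a tracked connection
            return "ESTABLISHED"
        if p.dport in self.accept_non_syn_ports:
            self.table[k] = p.ts   # exempt port: session recovered; the rule base still applies
            return "ACCEPT_NON_SYN"
        return "OUT_OF_STATE"      # non-SYN packet with no entry: what the log messages report

# Constructed sample capture: one clean handshake, then three non-SYN packets with no live entry
SAMPLE = [
    Packet(0.0, "10.0.0.5", 40000, "192.0.2.10", 80, SYN),
    Packet(0.1, "192.0.2.10", 80, "10.0.0.5", 40000, SYN | ACK),
    Packet(0.2, "10.0.0.5", 40000, "192.0.2.10", 80, ACK),
    Packet(5.0, "10.0.0.7", 40001, "192.0.2.20", 443, ACK),    # handshake never seen (e.g. asymmetric routing)
    Packet(4000.0, "192.0.2.10", 80, "10.0.0.5", 40000, ACK),  # server reply after the entry expired
    Packet(4001.0, "10.0.0.9", 40002, "192.0.2.10", 80, ACK),  # ACK to port 80 with no entry
]

def run(packets, **kw):
    # Classify packets in order; keyword arguments configure the StateTable
    table = StateTable(**kw)
    return [table.classify(p) for p in packets]
```

run(SAMPLE, accept_non_syn_ports=frozenset({80})) returns one verdict per packet; the three trailing ACKs come back OUT_OF_STATE, OUT_OF_STATE and ACCEPT_NON_SYN, because the exemption matches the destination port only, so the expired server-to-client reply on port 40000 is still flagged.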