
Re: [FW-1] TCP Packet out of state messages



FireWall-1 NG is much more picky about TCP state than previous versions
of FireWall-1, and as such some applications have issues.  If the only side
effect you are seeing is logs (you're not noticing an application not working)
then it's not so bad.  I don't think it is detrimental to disable stateful
inspection as long as you are only turning it off as a mitigating factor
while you try and figure out what is causing this symptom.  One
troubleshooting method is to modify the $FWDIR/lib/user.def file to prevent
state inspection on certain ports.

// User defined INSPECT code
//
// Accept TCP packets to destination port 80 even when they are not the SYN
// of a new connection, i.e. when there is no matching state-table entry.

deffunc user_accept_non_syn() { dport = 80 };

In this example you will not be checking for state on port 80 traffic.
Remember that if you upgrade in the future the user.def file may be
overwritten and any changes you have made to it may have to be rewritten.
If you are using VRRP make sure the time is synchronized.  If you are using
NAT make sure there is no asynchronous routing.  Use tcpdump to get a better
idea of what is out of state.  And remember, even though they are out of
state they are still getting analyzed by the rule base.  And be sure to tell
the list if you discover anything!


Mitchell E Rowton
-------------------
Network Security Engineer
CCNP, CCDP, CCSA, NSA IAM, Network+
----------------------------
Free security white papers
http://www.rowtonconsulting.com

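To make the behaviour the thread argues about concrete, here is a small toy model of stateful TCP inspection. It is an added example, not code from this thread, from Check Point, or from user.def, and its state table, idle timeout, "rulebase" (a stand-in that permits only ports 80 and 443) and addresses are constructed assumptions rather than INSPECT semantics. It shows the three things the posters describe: a non-SYN packet with no state entry is logged as out of state (for instance after a NAT translation ages out, as Rob describes); the global "Drop out of state TCP packets" option decides whether that packet is dropped or still run through the rulebase, where an ACK-only packet can open a session without a handshake (egonle's point); and a user.def-style exemption for chosen destination ports skips the state check entirely.

```python
"""Toy stateful TCP inspector (added illustration, not Check Point code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04   # TCP flag bits


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    ts: float          # arrival time in seconds (constructed values below)


FlowKey = Tuple[Tuple[str, int], Tuple[str, int]]


def flow_key(p: Packet) -> FlowKey:
    """Direction-independent 4-tuple so both halves of a flow share one entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def default_rulebase(p: Packet) -> bool:
    """Stand-in rulebase (assumption): only HTTP and HTTPS are permitted."""
    return p.dport in (80, 443)


@dataclass
class Inspector:
    drop_out_of_state: bool                                  # the Global Properties option
    non_syn_ports: Set[int] = field(default_factory=set)     # user_accept_non_syn ports
    timeout: float = 3600.0                                  # idle timeout, seconds (assumed)
    rulebase: Callable[[Packet], bool] = default_rulebase
    table: Dict[FlowKey, float] = field(default_factory=dict)  # flow -> last seen
    log: List[str] = field(default_factory=list)

    def process(self, p: Packet) -> str:
        k = flow_key(p)
        last = self.table.get(k)
        if last is not None and p.ts - last > self.timeout:
            # Entry aged out (e.g. a dynamic NAT translation expired): the next
            # packet of the old flow now arrives without state and looks out of state.
            del self.table[k]
            last = None
        if last is not None:
            if p.flags & (FIN | RST):
                del self.table[k]                # teardown
            else:
                self.table[k] = p.ts
            return "accept"
        if p.flags & SYN and not p.flags & ACK:
            # Genuine new connection: only the rulebase decides.
            if self.rulebase(p):
                self.table[k] = p.ts
                return "accept"
            return "drop"
        if p.dport in self.non_syn_ports:
            # user.def exemption: no state check for this port and no log entry.
            self.table[k] = p.ts
            return "accept"
        self.log.append(f"TCP packet out of state: First packet isn't SYN "
                        f"{p.src}:{p.sport} -> {p.dst}:{p.dport} flags=0x{p.flags:02x}")
        if self.drop_out_of_state:
            return "drop"
        # Option off: the packet is still matched against the rulebase, so an
        # ACK-only packet can open a session with no 3-way handshake at all.
        if self.rulebase(p):
            self.table[k] = p.ts
            return "accept"
        return "drop"


def demo() -> Dict[str, object]:
    """Run the scenarios discussed in the thread on constructed packets."""
    client, server = "10.0.0.5", "192.0.2.10"          # constructed addresses
    ack_only = Packet(client, 40000, server, 80, ACK, 5000.0)
    out: Dict[str, object] = {}

    strict = Inspector(drop_out_of_state=True)
    out["strict"] = strict.process(ack_only)             # dropped and logged

    exempt = Inspector(drop_out_of_state=True, non_syn_ports={80})
    out["exempt"] = exempt.process(ack_only)             # accepted, nothing logged
    out["exempt_logged"] = len(exempt.log)

    lenient = Inspector(drop_out_of_state=False)
    out["lenient"] = lenient.process(ack_only)           # session opened on an ACK alone
    out["lenient_logged"] = len(lenient.log)

    fw = Inspector(drop_out_of_state=True, timeout=60.0)  # normal handshake, then idle expiry
    fw.process(Packet(client, 40001, server, 80, SYN, 0.0))
    fw.process(Packet(server, 80, client, 40001, SYN | ACK, 0.1))
    out["in_state"] = fw.process(Packet(client, 40001, server, 80, ACK, 0.2))
    out["after_expiry"] = fw.process(Packet(client, 40001, server, 80, ACK, 500.0))
    out["expiry_log"] = fw.log[-1]
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model makes the trade-off visible: the port exemption silences the log for port 80 by trusting every non-SYN segment to that port, which is exactly why Mitchell frames it as a temporary mitigation while the root cause (clock skew between VRRP members, asymmetric routing through NAT, expired translations) is found. For the tcpdump step he recommends, a capture restricted to TCP segments without the SYN bit on the affected port, e.g. `tcpdump -ni <interface> 'tcp[tcpflags] & tcp-syn == 0 and port 80'` (interface name assumed), shows the packets that the inspector above would log.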

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Mark Ward
Sent: Saturday, February 01, 2003 4:26 AM
To: [email protected]
Subject: Re: [FW-1] TCP Packet out of state messages


Why don't you just choose to stop logging them? You should not really allow
them through as they are not established.
----- Original Message -----
From: "egonle" <[email protected]>
To: <[email protected]>
Sent: Friday, January 31, 2003 8:37 PM
Subject: Re: [FW-1] TCP Packet out of state messages


IMHO, you shouldn't select that option. It will enable FW-1 to forward (out
of state) packets according to the rulebase. That means a new connection
does not have to be set up by a 3-way TCP handshake; just an ACK bit set is OK
to allow the connection.

"Laidlaw, Rob" <[email protected]> wrote:

>The option tells Check Point, when it's confronted with an out-of-state
>packet, whether it should try to recover the session or just drop it.  It will not
>get rid of the out-of-state packets because something has caused it to be
>flagged as out of state, for instance, traffic to a dynamic NAT after the
>translation has expired.
>
>Hope this helps.
>
>Rob
>
>-----Original Message-----
>From: John Hall [mailto:[email protected]]
>Sent: Wednesday, January 29, 2003 11:22 AM
>To: [email protected]
>Subject: [FW-1] TCP Packet out of state messages
>
>
>I am planning to:
>
>Select: Drop out of state TCP packets option under Stateful Inspection in
>Global Properties on NG FP2 in order to rid myself of those TCP Packet out
>of state messages. I assume this will do the job. Are there any unwelcome
>side effects?
>Should I reboot the machine after selecting this option?
>Our firewall is in a Solaris 8 HA configuration.
>
>
>Thanks
>
>John
>
>
>+++++++++++++++++++++
>           John Hall
>       TD Waterhouse
>       201 Deansgate
>       Manchester UK
>      DDI>        Internal 36235
>www.tdwaterhouse.co.uk
>+++++++++++++++++++++
>=================================================
>To set vacation, Out Of Office, or away messages,
>send an email to [email protected]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[email protected]
>=================================================

   All contents © 2004 Network Presence, LLC. All rights reserved.