Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] Smart Defense "Small PMTU" attack

To: [email protected]
Subject: Re: [FW-1] Smart Defense "Small PMTU" attack
From: Manish Garg <[email protected]>
Date: Thu, 31 Jul 2003 08:55:27 +0530
Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>

Ya,

I am also facing the same problem. I have NG-FP3 installed in my office. One
of my partners want to access a webserver in the DMZ and he is being
rejected by Smartdefense.

Some one suggested me to enable ICMP requests for Type 3 code 4...which did
not actually work.

Someone  else suggested me that I should disable Smartdefense->Small PMTU
detection ...which could be dangerous...

Still looking for a solution.


MG
-----Original Message-----
From: Misha Alikov [mailto:[email protected]]
Sent: Wednesday, July 30, 2003 10:54 PM
To: [email protected]
Subject: [FW-1] Smart Defense "Small PMTU" attack


I have an NG-FP1 Management Server that controls a mixture of NG-FP1 and
41-SP6 Enforcement Modules at remote locations.

Just recently, a user behind one of my 41-SP6 Enforcement Modules attempted
to access (HTTP) a Web Server behind an NG-FP3 Firewall within a separate
organization, and was stopped by their Smart Defense system - reason given
was "Small PMTU" attack.

This sounds like a "false positive" to me, but I'm curious to know if anyone
else has encountered this issue, and/or what anyone might suggest I do as a
workaround.

ps. I should mention that I have ":ipsec_dont_fragment (false)" set in
    my NG-FP1 Management Server's $FWDIR/conf/objects_5_0.C file for
    each of my remote Enforcement Modules.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

Follow-Ups:
- [FW-1] Armoring AIX/Win/Linux/Solaris for NG
  - From: Antonio Costa <[email protected]>

Prev by Date: [FW-1]
Next by Date: Re: [FW-1]
Previous by thread: [FW-1] Smart Defense "Small PMTU" attack
Next by thread: [FW-1] Armoring AIX/Win/Linux/Solaris for NG
Index(es):
- Date
- Thread