[FW-1] Problem with stateful inspection



Hi

I have a problem with a newly built NG Nokia (FP3) box that seems to be
treating traffic above tcp 1024 as not stateful. NetBIOS and anything else
below 1024 has been OK. (Me saying 1024 is just a believed level of things
not working.)

I have a rule allowing the relevant traffic through; one problem, for example,
is VNC and pcAnywhere.
The scenario is explained in this example:
Rule allows my PC (x.x.x.x) to get to a DMZ server (y.y.y.y)

When I connect from x.x.x.x to y.y.y.y with VNC or pcAnywhere my log entries
show:

ACCEPT  time Q:          x.x.x.x to y.y.y.y on tcp(VNC or pcAnywhere) from source port K
BLOCK   time Q + 2secs:  [blank source] to x.x.x.x on tcp(K) from source port tcp(VNC or pcAnywhere)

In normal behaviour I believe I should only see 1 log entry, not 2.
I'm guessing the block is a return packet back to my PC (x.x.x.x).
The block is caught by my catch-all drop rule at the end of the rulebase, and
is blocked because it has no source IP address, i.e. it doesn't match any
other rule.

For experimentation I set up a rule allowing any, any in both directions;
then in the logs the second packet is still logged and accepted (not
stateful behaviour), but VNC or pcAnywhere does not work.

Something else I tried was to enable the Global Property for the policy
"Drop Out of State TCP packets"; with this enabled, the above example shows
the 2nd packet as an "Out of State" drop.

I have also added #define NO_SERVER_PORT_CHECK to base.def without any
difference in the behaviour (as recommended by our NG Support people).

It's not just VNC and pcAnywhere not working, our backup software which runs
over high ports also fails.

Does anyone have any ideas what could be causing this?

Thanks
Adam
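To make the log pattern in the post above concrete, here is a toy connection-tracking model. It is an added illustration written for this page, not Check Point or FireWall-1 code, and everything in it is a constructed assumption: a two-rule rule base (permit client to DMZ on the VNC port, then a catch-all drop), a state table keyed on the 4-tuple of the accepted SYN, reply matching by swapping that tuple, the port numbers (5900 for VNC, 40123 for "source port K"), and a source address of `None` standing in for the "[blank source]" entry in the BLOCK line. It shows why a reply whose source address does not match the state entry falls through to the cleanup rule, and why enabling "Drop Out of State TCP packets" turns the same reply into an out-of-state drop instead.

```python
"""Toy model of stateful inspection for the VNC/pcAnywhere log pattern above.
Illustration only (not FireWall-1 code); all values and rules are constructed."""
from dataclasses import dataclass
from typing import Optional

CLIENT, DMZ = "x.x.x.x", "y.y.y.y"   # placeholder addresses from the post
VNC_PORT = 5900                       # constructed; the post does not name the port
CLIENT_PORT = 40123                   # constructed stand-in for "source port K"


@dataclass(frozen=True)
class Packet:
    src: Optional[str]   # None models a reply whose source address is blank
    sport: int
    dst: str
    dport: int
    syn_only: bool       # True for the initial SYN, False for SYN/ACK, ACK, data


class StatefulFirewall:
    def __init__(self, drop_out_of_state: bool = False) -> None:
        self.table = set()            # 4-tuples of accepted new connections
        self.drop_out_of_state = drop_out_of_state
        self.log = []

    def _rule_base(self, pkt: Packet) -> str:
        # Rule 1: the client may open connections to the DMZ server on the VNC port.
        if pkt.src == CLIENT and pkt.dst == DMZ and pkt.dport == VNC_PORT:
            return "ACCEPT"
        return "BLOCK"   # catch-all drop at the end of the rule base

    def process(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            # Belongs to a tracked connection: accepted by state, not logged again.
            return "ACCEPT (state table)"
        if not pkt.syn_only and self.drop_out_of_state:
            # Non-SYN packet with no state entry: "Drop Out of State TCP packets".
            self.log.append(f"DROP  Out of State  {pkt.src} -> {pkt.dst}:{pkt.dport}")
            return "DROP (out of state)"
        verdict = self._rule_base(pkt)
        self.log.append(
            f"{verdict}  {pkt.src} -> {pkt.dst}:{pkt.dport} from source port {pkt.sport}"
        )
        if verdict == "ACCEPT" and pkt.syn_only:
            self.table.add(fwd)   # new connection: remember it so the reply matches
        return verdict


def run_scenario(blank_source: bool, drop_out_of_state: bool = False) -> list:
    """Client SYN to the DMZ VNC port, then the server's SYN/ACK back to the client.
    Returns the firewall log; a healthy session produces exactly one ACCEPT line,
    because the reply is matched against the state table and never hits a rule."""
    fw = StatefulFirewall(drop_out_of_state)
    fw.process(Packet(CLIENT, CLIENT_PORT, DMZ, VNC_PORT, syn_only=True))
    reply_src = None if blank_source else DMZ
    fw.process(Packet(reply_src, VNC_PORT, CLIENT, CLIENT_PORT, syn_only=False))
    return fw.log


if __name__ == "__main__":
    for blank, oos in [(False, False), (True, False), (True, True)]:
        print(f"blank_source={blank} drop_out_of_state={oos}")
        for line in run_scenario(blank, oos):
            print("   ", line)
```

With a well-formed reply the second packet matches the reversed tuple and produces no log line; with a blank source address the reversed tuple cannot match, so the packet walks the rule base and is logged by the catch-all BLOCK, exactly the two-line pattern in the post. Turning on the out-of-state check just changes which line reports the same underlying mismatch.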


   All contents © 2004 Network Presence, LLC. All rights reserved.