[FW-1] Problem with stateful inspection
Hi,

I have a problem with a newly built NG Nokia (FP3) box that seems to be treating traffic above tcp 1024 as not stateful. NetBIOS and anything else below 1024 has been OK. (Me saying 1024 is just a believed level of things not working.)

I have a rule allowing the relevant traffic through; one problem, for example, is VNC and pcAnywhere. The scenario is explained in this example:

Rule allows my PC (x.x.x.x) to get to a DMZ server (y.y.y.y).

When I connect from x.x.x.x to y.y.y.y with VNC or pcAnywhere my log entries show:

ACCEPT  time Q:          x.x.x.x to y.y.y.y on tcp (VNC or pcAnywhere) from source port K
BLOCK   time Q + 2 secs: [blank source] to x.x.x.x on tcp (K) from source port tcp (VNC or pcAnywhere)

In normal behaviour I believe I should only see 1 log entry, not 2. I'm guessing the block is a return packet back to my PC (x.x.x.x). The block is caught by my catch-all drop rule at the end of the rulebase, and is blocked because it has no source IP address, i.e. it doesn't match any other rule.

For experimentation I set up a rule allowing any, any in both directions; then in the logs the second packet is still logged and accepted (not stateful behaviour), but VNC or pcAnywhere does not work.

Something else I tried was to enable the Global Property for the policy "Drop Out of State TCP Packets". With this enabled the above example shows the 2nd packet as an "Out of State" drop.

I have also added:

#define NO_SERVER_PORT_CHECK

to base.def without any difference to the behaviour (as recommended by our NG Support people).

It's not just VNC and pcAnywhere not working; our backup software, which runs over high ports, also fails.

Does anyone have any ideas what could be causing this?

Thanks
Adam
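The symptom described in the post (an ACCEPT for the forward connection followed a couple of seconds later by a BLOCK of what looks like its reply) can be picked out of an exported log mechanically. The script below is an added example, not code from the post or from Check Point: it correlates drop records against recently accepted connections by reversed address/port tuple, tolerating a blank source field, and flags whether the dropped reply is to a high port. The log line format and the sample entries are constructed for the example; adapt the regex to the fields your log export actually produces.

```python
# Added example: find BLOCK records that are the reverse tuple of a recent ACCEPT.
# Log format below is constructed for this example, not a real Check Point export.
import re
from datetime import datetime, timedelta

LINE = re.compile(
    r"(?P<ts>\S+ \S+) (?P<action>ACCEPT|BLOCK) "
    r"src=(?P<src>\S*) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"sport=(?P<sport>\d+) dport=(?P<dport>\d+)"
)

def parse(line):
    """Parse one constructed-format log line into a dict, or None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def find_unmatched_replies(lines, window=timedelta(seconds=5)):
    """Return BLOCK records whose dst/ports mirror an ACCEPT seen within `window`."""
    accepted, findings = [], []
    for rec in filter(None, map(parse, lines)):
        if rec["action"] == "ACCEPT":
            accepted.append(rec)
            continue
        for fwd in accepted:
            age = rec["ts"] - fwd["ts"]
            if not (timedelta(0) <= age <= window):
                continue
            # Reply direction: dst is the original src and the ports are swapped.
            # The source address may be blank (as in the post), so it is not required.
            if (rec["dst"] == fwd["src"] and rec["proto"] == fwd["proto"]
                    and rec["sport"] == fwd["dport"] and rec["dport"] == fwd["sport"]):
                findings.append({"reply": rec, "forward": fwd,
                                 "blank_src": rec["src"] == "",
                                 "high_port": rec["dport"] > 1024})
                break
    return findings

# Constructed sample: VNC (5900) reply dropped 2 s after the forward ACCEPT;
# a NetBIOS (139) session with no drop; an unrelated old drop outside the window.
SAMPLE_LOG = [
    "2003-04-01 10:00:00 ACCEPT src=10.0.0.5 dst=192.0.2.10 proto=tcp sport=3345 dport=5900",
    "2003-04-01 10:00:02 BLOCK src= dst=10.0.0.5 proto=tcp sport=5900 dport=3345",
    "2003-04-01 10:00:10 ACCEPT src=10.0.0.5 dst=192.0.2.10 proto=tcp sport=3346 dport=139",
    "2003-04-01 10:05:00 BLOCK src=198.51.100.7 dst=10.0.0.5 proto=tcp sport=80 dport=4444",
]
```

Running `find_unmatched_replies(SAMPLE_LOG)` returns a single finding for the VNC reply, marked as having a blank source and a destination port above 1024, which is the pattern the post describes.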