Firewall-1 listens on a series of management ports on all interfaces if the "Accept VPN-1 & Firewall ...." implied rule under Security Policy is checked. Bombarding the management ports with malformed or oversized packets could cause old (2.1) FW-1 to hang hard - a DoS. I don't know if they fixed it. The workaround I came up with was to add a rule 1 so that it only allowed the management ports to and from internal trusted hosts, and then I unchecked the implied rule. I ran into trouble with this method in FW-1 4.1 during a rush install (locked ourselves out), so we left the implied rule checked and blocked the ports with an ACL on the external router, just in case CP had not fixed the DoS vulnerability.
 
Adam
 
 
Adam Safier
Global Systems & Strategies, Inc (GSS)
7000 Security Blvd, Suite 300
Baltimore, Md. 21244
(443) 436-6393
[EMAIL PROTECTED]
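The router-ACL fallback described in the message above, written out as an added example (this is not configuration from the thread or from Check Point). It assumes a Cisco IOS router whose Internet-facing interface is Serial0/0, a firewall external address of 203.0.113.10 and a single trusted remote management host at 198.51.100.5; all three are made-up placeholders. The only ports it filters are 264 and 265, the two the thread identifies on the firewall.

```cisco
! Added example, not from the thread. Inbound filter on the external
! router so the firewall's management ports are reachable only from
! one trusted host, even with the implied rule still checked.
! Assumed placeholders: Serial0/0 faces the Internet, 203.0.113.10 is
! the firewall's external address, 198.51.100.5 is the trusted host.
ip access-list extended FW1-MGMT-FILTER
 remark trusted management host may reach ports 264 and 265
 permit tcp host 198.51.100.5 host 203.0.113.10 eq 264
 permit tcp host 198.51.100.5 host 203.0.113.10 eq 265
 remark everyone else is dropped and the attempt is logged
 deny   tcp any host 203.0.113.10 eq 264 log
 deny   tcp any host 203.0.113.10 eq 265 log
 remark all other traffic is left to the firewall's own rulebase
 permit ip any any
!
interface Serial0/0
 ip access-group FW1-MGMT-FILTER in
```

Order matters: the permits for the trusted host must precede the denies, and the closing `permit ip any any` is required because an IOS ACL ends in an implicit deny. After applying it, `show access-lists FW1-MGMT-FILTER` shows per-entry hit counts, so a rising count on the deny lines confirms the filter is doing its job. Note that this only covers traffic arriving through the external router; as the message says, the implied rule opens the ports on all of the firewall's interfaces, so the same exposure remains on any other path to the firewall.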
----- Original Message -----
Sent: Tuesday, March 05, 2002 2:07 AM
Subject: RE: BGMP

They are for firewall's management services...

Lutfi

 

-----Original Message-----
From: Thiago Calicchio [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 01, 2002 9:20 AM
To: [EMAIL PROTECTED]
Subject: BGMP

 

I performed a portscan on my firewall. Its listening
on ports 264 and 265. What are they for?
