SP1 on a 2003 box already. You're a brave sole. You installed it on a DC too....
My condolences to you and your server. -----Original Message----- From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Covington, Chris Sent: Thursday, April 21, 2005 8:40 AM To: [email protected] Subject: Re: [FW-1] drops on rule 995 for port 135? Martin, I changed #define ALLOW_135 1 back to #define ALLOW_135 0 and made the #define NO_ENFORCE_CNTX_NUM 1 change to dcerpc.def and that did it! Thanks for the advice, I really appreciate it. Even #define ALLOW_135 1 doesn't fix the rule 995 drops (which will happen if you have a Windows 2003 SP1 Domain Controller trying to do replication through FW-1). --- Chris Covington IT Plus One Health Management 75 Maiden Lane Suite 801 NY, NY 10038 646-312-6269 http://www.plusoneactive.com -----Original Message----- From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Martin Benuska Sent: Thursday, April 21, 2005 3:44 AM To: [email protected] Subject: Re: [FW-1] drops on rule 995 for port 135? Hello, Rule number 995 means that you had a bind/alter-context request with more than one UUID in it. We don't allow it by default as it been used on some attacks but there is an inspect flag that allows it (and keep the security). In $FWDIR/lib/dcerpc.def there is a flag #define NO_ENFORCE_CNTX_NUM 0 That should be changed to #define NO_ENFORCE_CNTX_NUM 1 Regards. On 4/20/05, Covington, Chris <[EMAIL PROTECTED]> wrote: > > Hi all, > > I've been killing myself researching an Active Directory replication > problem and it turns out that FW-1 is the culprit: > > Number: 7770 > Date: 20Apr2005 > Time: 13:43:18 > Product: VPN-1 & FireWall-1 > Interface: eth1 > Origin: fw1 (x.x.x.x) > Type: Alert > Action: Reject > Protocol: tcp > Service: 135 > Source: zor (10.20.6.3 <http://10.20.6.3>) > Destination: saturn.plusone.com <http://saturn.plusone.com> > (10.0.2.5<http://10.0.2.5> > ) > Rule: 995 > Source Port: 2853 > > Does anyone know how to allow this traffic to pass? What is rule 995 > anyway? > > thanks > --- > Chris Covington > IT > Plus One Health Management > 75 Maiden Lane Suite 801 > NY, NY 10038 > 646-312-6269 > http://www.plusoneactive.com > > ================================================= > To set vacation, Out-Of-Office, or away messages, send an email to > [EMAIL PROTECTED] > in the BODY of the email add: > set fw-1-mailinglist nomail > ================================================= > To unsubscribe from this mailing list, please see the instructions at > http://www.checkpoint.com/services/mailing.html > ================================================= > If you have any questions on how to change your subscription options, > email [EMAIL PROTECTED] > ================================================= > ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] ================================================= ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] ================================================= ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
