Surely I have anti-spoofing active. This is kinda similar to what I'm experiencing:

IF    Service  Source         Target         SrcPort
eth1  6002     192.168.0.100  172.24.0.100   10023
eth3  12345    172.24.0.100   192.168.0.100  6002

The first case is ok. I have 172.24.0.100 connected to the proper firewall interface (let's say eth3) listening on TCP 6002 (this is a range of registry fixed ports, being it a micro$oft RPC). The source port is a high random assigned port.

The second case is what I'm not expecting: it's the same kind of connection, but FW1 sees it "inverted", the IF is changed, but I think it won't be appropriate to consider it address spoofing. Nevertheless I'm not expecting this behaviour... When stateful inspection is applied, connections in the second case are dropped, seen as out of state.

Now I'll make the test you're suggesting...

Lorenzo

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On behalf of Charalambos Klitiropoulos
Sent: Thursday 28 July 2005 22.20
To: [email protected]
Subject: Re: [FW-1] R: [FW-1] R: [FW-1] Inverted Connections

Hello,

now you got me confused. Given that VRRP is an active-standby mechanism, under normal circumstances only one cluster member should be active at any given time. With this in mind, if packets for server A come out of your firewall from interface X and its replies go through interface Z, then the error should be about spoofed packets, provided you have enabled anti-spoofing checking. If the error is about out of state packets - and the error is generated by other than the active cluster member, then you should check your cluster. You can do that with the commands "fw ctl pstat" and "fw tab -t connections -s". The first one provides information about FW-1's synch mechanism and under normal operation you should see that the total number of sync packets is non zero and increasing. The second one gives you information about the number of connections the firewall knows of and under normal operation the values must be close in each cluster member.
You can find more information about these commands in Check Point's KB.

On 7/28/05, Lorenzo <[EMAIL PROTECTED]> wrote:
>
> Yep I know, the actual configuration is really absurd (I mean I'm
> paying lotsa money to have kinda kernel 2.2 linux firewall)... This
> is, as you guessed, a big installation and, yes, there's an async
> routing (I mean the "returning" connections pass thru a different
> interface). In your opinion, how can I check if the synchronization is
> working correctly? (I'm using Nokia with VRRP and, as far as I know,
> the nodes switch correctly from one to another. CP is configured with
> VRRP and there's a sync net with a heartbeat interface. The only
> difference in my config with Nokia's suggested one is that the two IP
> appliances are linked via a crossed cable instead of a switch).
>
> Thanx in advance
>
> Lorenzo
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On behalf of
> Charalambos Klitiropoulos
> Sent: Tuesday 26 July 2005 23.54
> To: [email protected]
> Subject: Re: [FW-1] R: [FW-1] Inverted Connections
>
> Disabling stateful inspection will convert an (expensive) stateful
> firewall into a plain packet filtering firewall. Could there be a case
> of asynchronous routing (where incoming packets take a different route
> than outgoing)? Maybe a high availability configuration with
> non-working synchronization? Please note that I have seen drops like
> that in the past (confirmed without asynchronous routing), but every
> case was in a large installation and the percentage of dropped
> connections was far too low to be a real problem for the users.
>
> On 7/26/05, Lorenzo <[EMAIL PROTECTED]> wrote:
> >
> > Yes. It's seen as out of state... Obviously if I disable the check
> > on stateful TCP packets the connection works...
> >
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1
> > [mailto:[EMAIL PROTECTED] On behalf of
> > Charalambos Klitiropoulos
> > Sent: Monday 25 July 2005 21.31
> > To: [email protected]
> > Subject: Re: [FW-1] Inverted Connections
> >
> > Hello,
> >
> > is there any information in the information column? There can be
> > cases where FW-1 will drop a connection because of an invalid TCP
> > packet or because of a SmartDefense setting. Even if that connection
> > was originated by HOST1, but SERVER1 sent a packet that FW-1 does not
> > consider to be correct, the drop log entry will show that source was
> > SERVER1 and destination was HOST1. But in every such case you should
> > see some comment in the information column that explains why FW-1
> > dropped that packet.
> >
> > On 7/25/05, Lorenzo <[EMAIL PROTECTED]> wrote:
> > >
> > > Hi guys
> > > Has anybody had the same problem?
> > > Basically, I'm expecting a connection from HOST1 to SERVER1 on
> > > TCP port, let's say, 6000. This happens, but sometimes I see on
> > > the tracker that there are some connections from SERVER1 to HOST1,
> > > with a "random" destination port and 6000 as source port.
> > >
> > > I'm wondering if this could be a CheckPoint problem....
> > >
> > > Thanx in advance
> > >
> > > Lorenzo
> > >
> > > =================================================
> > > To set vacation, Out-Of-Office, or away messages, send an email to
> > > [EMAIL PROTECTED]
> > > in the BODY of the email add:
> > > set fw-1-mailinglist nomail
> > > =================================================
> > > To unsubscribe from this mailing list, please see the instructions
> > > at http://www.checkpoint.com/services/mailing.html
> > > =================================================
> > > If you have any questions on how to change your subscription
> > > options, email [EMAIL PROTECTED]
> > > =================================================
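The triage the thread converges on, written up as an added Python example that is not part of the original emails: it parses a constructed, simplified tracker-style log (the format and the info strings are hypothetical placeholders, not FW-1 output), separates reply-direction out-of-state drops that have an accepted forward half in the log from those that do not, and applies the two cluster checks Charalambos gives (sync counter non-zero and increasing, connection-table sizes close across members). No command output format is assumed; the cluster check takes plain integers read off those commands.

```python
"""Triage of the 'inverted connection' drops discussed in the thread.
Constructed example, not from the original emails: the log format is a
hypothetical simplified tracker export (action, in-interface, src, sport,
dst, dport, info) and the info strings are placeholders, not FW-1 text."""
from collections import Counter
# Constructed sample: HOST1 192.168.0.100 -> SERVER1 172.24.0.100:6002 as in
# Lorenzo's table, reply-direction packets dropped out of state, one spoof drop.
SAMPLE_LOG = """\
accept eth1 192.168.0.100 10023 172.24.0.100 6002 -
accept eth1 192.168.0.100 10088 172.24.0.100 6002 -
drop   eth3 172.24.0.100 6002 192.168.0.100 10023 out_of_state
drop   eth3 172.24.0.100 6002 192.168.0.100 10088 out_of_state
drop   eth3 172.24.0.100 6002 192.168.0.100 10101 out_of_state
drop   eth1 10.9.9.9 4444 172.24.0.100 6002 spoofed
"""
FIELDS = ("action", "iface", "src", "sport", "dst", "dport", "info")

def parse(log):
    rows = []
    for line in log.splitlines():
        if line.strip():
            r = dict(zip(FIELDS, line.split()))
            r["sport"], r["dport"] = int(r["sport"]), int(r["dport"])
            rows.append(r)
    return rows

def classify_inverted_drops(rows, server, port):
    """Split out-of-state drops whose *source* is server:port (reply-direction
    packets the firewall holds no state for) into those with an accepted forward
    half in the log (asymmetric-routing signature) and those with none."""
    forward = {(r["src"], r["sport"]) for r in rows
               if r["action"] == "accept" and (r["dst"], r["dport"]) == (server, port)}
    matched, unmatched = [], []
    for r in rows:
        if (r["action"], r["info"], r["src"], r["sport"]) == ("drop", "out_of_state", server, port):
            (matched if (r["dst"], r["dport"]) in forward else unmatched).append(r)
    return matched, unmatched

def reply_interfaces(rows, server, port):
    """Interface each server:port reply arrived on; differs from the forward path when routing is asymmetric."""
    return Counter(r["iface"] for r in rows if (r["src"], r["sport"]) == (server, port))

def cluster_sync_looks_healthy(sync_before, sync_after, conns_by_member, tol=0.10):
    """Charalambos's two conditions: sync packet counter non-zero and increasing,
    and connection-table sizes close (within tol) across cluster members."""
    if sync_after == 0 or sync_after <= sync_before:
        return False
    lo, hi = min(conns_by_member), max(conns_by_member)
    return hi == 0 or (hi - lo) / hi <= tol
```

Drops with a matching forward half are the "inverted" connections of the thread (return traffic the state table never saw); the spoofing drop is left out because its source is neither the server nor its port.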
