On Thu, 5 Jul 2007, Crist Clark wrote:

A third party vendor has this little piece of advice
in a technical document,

 We have seen issues with Checkpoint NG firewalls and
 their use of the "Smart Connection Reuse" feature. It
 is apparently enabled by default... We have found this
 behaviour working improperly [sic], and this feature
 should be disabled.

I'm having trouble finding "Smart Connection Reuse"
in Check Point documentation. Any ideas to what they
are referring?

It means that the firewall keeps information about connections for a number of seconds after the connection is finished.

Any normal application will use a fresh source port and never be bothered by this security restriction. After all, someone trying to sneak in packets over a supposedly dead connection could very well be a sign of malicious activities and so Check Point will not allow such packets for 60 seconds. (From the top of my head)

Poorly designed applications sometimes do reuse the same source port as they seem to be totally unaware of stateful firewalls. I guess these applications will also very happily assume that a connection will be alive at all times and not be shot down by something as silly as an hour of inactivity.

Hugo.

--
        [EMAIL PROTECTED]       http://hugo.vanderkooij.org/
            This message is using 100% recycled electrons.

        Some men see computers as they are and say "Windows"
        I use computers with Linux and say "Why Windows?"
                (Thanks JFK, for the insight.)
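A small model of the behaviour Hugo describes above, added here as an illustration and not code from the thread or from Check Point: a stateful tracker that remembers a finished connection for a hold-down period and drops packets that reuse the same connection tuple during that window, while a fresh source port passes. The 60 second figure is the one quoted in the reply; the tuple handling, flag logic and sample trace are constructed assumptions, not the product's actual implementation.

```python
# Added example: stateful firewall with a post-close hold-down, modelling the
# reply's description. HOLD_DOWN_SECS comes from the thread; the rest is a
# constructed illustration, not Check Point's real connection table logic.
from dataclasses import dataclass, field

HOLD_DOWN_SECS = 60  # "will not allow such packets for 60 seconds"


@dataclass
class StatefulFirewall:
    established: set = field(default_factory=set)   # live connection tuples
    closed_at: dict = field(default_factory=dict)   # tuple -> time it closed

    def _expire(self, now):
        # Forget closed connections once the hold-down has elapsed.
        for key, t in list(self.closed_at.items()):
            if now - t >= HOLD_DOWN_SECS:
                del self.closed_at[key]

    def packet(self, now, src, sport, dst, dport, flags):
        """Return 'accept' or 'drop' for a TCP packet and update state."""
        self._expire(now)
        key = (src, sport, dst, dport)
        if key in self.closed_at:
            # Connection finished recently: traffic on the same tuple looks
            # like someone sneaking packets over a dead connection -> drop.
            return "drop"
        if key in self.established:
            if flags & {"FIN", "RST"}:          # connection is being torn down
                self.established.discard(key)
                self.closed_at[key] = now
            return "accept"
        if flags == {"SYN"}:                     # well-formed new connection
            self.established.add(key)
            return "accept"
        return "drop"                            # non-SYN packet with no state


def demo():
    """Constructed trace: a normal client, then a source-port reuse attempt."""
    fw = StatefulFirewall()
    c, s = "10.0.0.5", "192.0.2.10"
    return [
        fw.packet(0, c, 40000, s, 80, {"SYN"}),         # new connection
        fw.packet(1, c, 40000, s, 80, {"ACK"}),         # data flows
        fw.packet(2, c, 40000, s, 80, {"FIN", "ACK"}),  # client closes
        fw.packet(3, c, 40000, s, 80, {"SYN"}),         # same port reused: dropped
        fw.packet(3, c, 40001, s, 80, {"SYN"}),         # fresh port: accepted
        fw.packet(63, c, 40000, s, 80, {"SYN"}),        # hold-down expired
    ]
```

The fourth verdict is the case the vendor document complains about: an application that reopens on the same source port inside the hold-down window is indistinguishable, to this model, from someone riding a dead connection.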
