Et al ...
'Ere's some additional info, please "/dev/null" if already known/discussed ...

  cpstop -fwflag -default : shutdown processes and load default filter
  cpstop -fwflag -proc    : shutdown processes and keep former kernel policy; maintains the connection table so that after cpstart you will not experience any "out of state" related packets dropped.

To check the current IP forwarding setting use the command:
  $FWDIR/boot/fwboot bootconf get_ipf

To check the current Default filter setting use the command:
  $FWDIR/boot/fwboot bootconf get_def

To remove or install both initial policy and default filter at once, from one command line:
  # control_bootsec -r   (remove)
  # control_bootsec -g   (generate)

Note: on UNIX platforms the boot settings are in the $FW_BOOT_DIR/boot.conf file. On Win32 platforms it is in the registry at:
  "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FW1\Parameters"

This allows the FireWall-1 administrator to take down the FW processes (i.e. fwstop) for maintenance without exposing the FireWall machine to attacks:
  'fwstop -default' - Stops the FireWall processes and loads the Default Filter
  'fwstop -proc'    - Stops the FireWall processes but keeps the current kernel policy

Step by step Default Filter creation instructions:

1. Use an existing defaultfilter file as a source template. You can find the templates in $FWDIR/lib/defaultfilter.*; there should be 3 defaultfilter files with these file extensions: boot, dag, drop.
2. Copy defaultfilter.boot to defaultfilter.customized and edit your customized copy according to the example below.
3. Back up your original $FWDIR/conf/defaultfilter.pf.
4. Copy your customized file defaultfilter.customized to $FWDIR/conf/defaultfilter.pf, for example:
   "copy $FWDIR/lib/defaultfilter.customized $FWDIR/conf/defaultfilter.pf"
5. Compile your new customized policy by running the command: fw defaultgen
6. Afterwards: copy the newly compiled $FWDIR/state/default.bin to $FWDIR/boot/default.bin on UNIX, or to c:\winnt\system32\...\default.bin

Cheers
Andrew

CSC Computer Sciences Limited
Registered Office: Royal Pavilion, Wellesley Road, Aldershot, Hampshire, GU11 1PZ, UK
Registered in England No: 0963578

----------------------------------------------------------------
This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery. NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.
----------------------------------------------------------------

Lari Luoma <[EMAIL PROTECTED]>
Sent by: Mailing list for discussion of Firewall-1 <[email protected]>
15/11/2007 20:21
Please respond to Mailing list for discussion of Firewall-1 <[email protected]>
To: [email protected]
cc:
Subject: Re: [FW-1] default policy

FW control connections are allowed in the initial policy, aren't they?

-lari-

-----Original Message-----
From: Mailing list for discussion of Firewall-1 on behalf of cisco4ng
Sent: Thu 11/15/2007 5:15 PM
To: [email protected]
Subject: Re: [FW-1] default policy

default policy will block EVERYTHING including ssh.
Here is what I would do:

1) Create a small script like this, called unload_me:

   #!/bin/csh
   source /opt/CPsuite-R65/svn/tmp/.CPprofile.csh
   /opt/CPsuite-R65/bin/fw unloadlocal
   /opt/CPsuite-R65/bin/fw unloadlocal

2) Put it in cron and set it to run every 5 minutes:

   utc 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,25,30,35,40,45,50,52,53,54,55,56,57,58,59 * * * * [ -x /var/emhome/monitor/fwuser/scripts/unload_me ] && /var/emhome/monitor/fwuser/scripts/unload_me > /dev/null 2>&1

3) Now reset your SIC.
4) Once you're done with SIC, the script will unload the default policy.
5) Comment out the line in step 2.

Easy right?

Din Cox <[EMAIL PROTECTED]> wrote:

Yes this can be done via ssh assuming you allowed such access to the firewall.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Peter Addy
Sent: Thursday, November 15, 2007 9:22 AM
To: [email protected]
Subject: [FW-1] default policy

Hi All

Might be a silly question, so bear with me!!

Resetting SIC on the firewall restarts and then loads the default policy; I know you can unload this by doing fw unloadlocal from the console. My question is, is there any way this could be done without console access, via ssh, or does the default policy stop all connections to the firewall? I don't think so but I could be wrong; is there any other back door?

Many thanks
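The default-filter customisation steps from Andrew's reply above (back up defaultfilter.pf, install the customised copy, run fw defaultgen, copy default.bin to the boot directory), as an added example script that is not part of the thread. It assumes $1 is the Check Point install directory (FWDIR), $2 is the already edited defaultfilter.customized, and that the fw binary is $FWDIR/bin/fw unless the hypothetical FW_BIN variable overrides it.

```shell
#!/bin/sh
# Added example, not code from the thread: wraps the six default-filter
# customisation steps from Andrew's reply into one checked run, so that a
# failed compile never leaves a stale default.bin in the boot directory.
# Assumptions (hypothetical): $1 is the Check Point install directory
# (FWDIR), $2 is the already edited defaultfilter.customized, and the fw
# binary is $FWDIR/bin/fw unless FW_BIN overrides it (used for testing).
install_default_filter() {
    fwdir="$1"
    custom="$2"
    fw_bin="${FW_BIN:-$fwdir/bin/fw}"
    conf="$fwdir/conf/defaultfilter.pf"

    # Refuse to touch anything unless the inputs are in place.
    [ -d "$fwdir/conf" ] || { echo "missing $fwdir/conf" >&2; return 1; }
    [ -f "$custom" ]     || { echo "missing $custom" >&2; return 1; }
    [ -x "$fw_bin" ]     || { echo "fw not executable: $fw_bin" >&2; return 1; }

    # fw defaultgen reads FWDIR from the environment, as the CP profile sets it.
    FWDIR="$fwdir"; export FWDIR

    # Step 3: keep a timestamped backup of the original defaultfilter.pf.
    if [ -f "$conf" ]; then
        cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" || return 1
    fi

    # Step 4: install the customised policy source.
    cp "$custom" "$conf" || return 1

    # Step 5: compile; remove any earlier output first so a failed compile
    # cannot be mistaken for a fresh one.
    mkdir -p "$fwdir/state"
    rm -f "$fwdir/state/default.bin"
    "$fw_bin" defaultgen || { echo "fw defaultgen failed" >&2; return 1; }
    [ -s "$fwdir/state/default.bin" ] || { echo "no default.bin produced" >&2; return 1; }

    # Step 6: copy the compiled filter to the boot location (UNIX layout).
    mkdir -p "$fwdir/boot"
    cp "$fwdir/state/default.bin" "$fwdir/boot/default.bin" || return 1
    echo "default filter installed: $fwdir/boot/default.bin"
}
```

Run it as install_default_filter "$FWDIR" "$FWDIR/lib/defaultfilter.customized" after sourcing the Check Point profile; on Windows the final copy destination differs, as Andrew notes.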
Scanned by Check Point Total Security

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
