Thanks guys for the response. Just a bit more information:

1. In the policy, "Accept ICMP [Before Last]" is unmarked.
2. The "log implied rules" checkbox is unmarked too.
3. The only "implied rule" I have is:
   ~FW1 Module   Any   Any   accept   -   Gateway   Any   Enable Outgoing Packets
4. I am not allowing ping in or out.
5. I have a rule in my policy: DMZ's to Internal net ... drop all the services.
6. In the log file on the firewall, daily I have around 700 ftp connections in and out, with only one line in the log file: Client to ... ftp server! (I know for each connection there should be 2 ports open.)
I forgot to write in my previous email: on the line accepted with service 58103, the Info field says "Violated unidirectional connection".

I discovered the PING problem by mistake. I tried to sniff some traffic on the internal network, and in the log file I saw a ping from a computer in the DMZ!!! Any idea on how CP is working?

Jo

--- Don <[EMAIL PROTECTED]> wrote:
> > Time      action  service  source       destination  proto  rule
> > 3:21:45   accept  ftp      204.14.x.x   205.x.x.x    tcp    17
> > 3:21:45   accept  -        10.x.x.x     204.14.x.x   icmp   -
> > 3:21:45   accept  -        204.14.x.x   10.x.x.x     icmp   -
> > 3:21:48   accept  58103    205.x.x.x    206.x.x.x    tcp    0
> >
> > In this log file 204.x and 206.x are addresses from the
> > Internet. 205.x is my ftp server public address and
> > 10.x is the ftp private address.
> >
> > Something strange:
> > 1. ICMP accepted in both ways without rule and without
> >    service...!??????
> > 2. Service accepted (58103) without rule in
> >    place..!????
> >
> > I am running CP 4.1 SP 4 on Solaris. Any clue on what
> > is here?
>
> The ICMP is accepted because you have "Accept ICMP
> [Before Last]" in your policy properties.
>
> The 58103 is because CheckPoint understands the FTP
> protocol and you do not. FTP works like this: You connect to the FTP
> server. Then your client gives the FTP server a port that it wants to
> accept the data connection on. Your client then opens this port and
> waits for the FTP response. CheckPoint understands this and allows the
> traffic (as it is supposed to).
>
> -Don

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
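As an added example, not from the thread and not Check Point's code, the following Python sketches the mechanism Don describes: a stateful inspector reads the FTP control channel, decodes the port the client announces in a PORT command (the six comma-separated numbers; 226*256 + 247 gives the 58103 seen in the log), and records the one data connection it will then accept without an explicit rule, logged here as rule 0 like the thread's last log line. It also covers the PASV direction and refuses a PORT command naming an address other than the client's, which is how an inspector avoids being turned into an FTP bounce relay. All names, the simplified rule base and the RFC 5737 documentation addresses are assumptions of this example.

```python
"""
Added example (not from the mailing-list thread or from Check Point):
how a stateful firewall derives the FTP data connection it accepts
without an explicit rule. Class and function names, the rule-base
format and the addresses are constructed for illustration only.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Client-side active-mode request and server-side passive-mode reply.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups) -> Tuple[str, int]:
    """Turn the six FTP numbers h1,h2,h3,h4,p1,p2 into (ip, port); port = p1*256 + p2."""
    nums = [int(g) for g in groups]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("FTP host/port octet out of range")
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class Flow:
    src: str
    sport: Optional[int]   # None = any source port
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class FtpInspector:
    # Explicit rules: (rule number, action, src prefix, dst prefix, proto, dport)
    rules: List[Tuple[int, str, str, str, str, int]]
    expected: List[Flow] = field(default_factory=list)

    def observe_control(self, client_ip: str, server_ip: str, line: str) -> Optional[Flow]:
        """Inspect one control-channel line; record the data connection it announces."""
        m = PORT_RE.match(line)
        if m:
            ip, port = decode_hostport(m.groups())
            # Active mode: the server connects from port 20 to the client's announced port.
            # An address that is not the client's own is refused (bounce protection).
            if ip != client_ip:
                return None
            exp = Flow(server_ip, 20, client_ip, port)
            self.expected.append(exp)
            return exp
        m = PASV_RE.match(line)
        if m:
            ip, port = decode_hostport(m.groups())
            if ip != server_ip:
                return None
            # Passive mode: the client connects (any source port) to the server's announced port.
            exp = Flow(client_ip, None, server_ip, port)
            self.expected.append(exp)
            return exp
        return None

    def decide(self, flow: Flow) -> Tuple[str, Optional[int]]:
        """Return (action, rule) like the log columns; rule 0 marks a stateful FTP exception."""
        for rule_no, action, src, dst, proto, dport in self.rules:
            if (flow.src.startswith(src) and flow.dst.startswith(dst)
                    and flow.proto == proto and flow.dport == dport):
                return (action, rule_no)
        for i, exp in enumerate(self.expected):
            same = (exp.src, exp.dst, exp.dport, exp.proto) == (flow.src, flow.dst, flow.dport, flow.proto)
            if same and (exp.sport is None or exp.sport == flow.sport):
                del self.expected[i]          # one-shot: a second connection attempt is not covered
                return ("accept", 0)
        return ("drop", None)


def demo():
    """Constructed scenario: one explicit rule for control traffic, data connection via expectation."""
    client, server = "198.51.100.20", "203.0.113.5"      # constructed addresses
    fw = FtpInspector(rules=[(17, "accept", "", server, "tcp", 21)])
    ctl = fw.decide(Flow(client, 40001, server, 21))        # control channel: explicit rule 17
    exp = fw.observe_control(client, server, "PORT 198,51,100,20,226,247")  # 226*256+247 = 58103
    data = fw.decide(Flow(server, 20, client, 58103))       # data channel: accepted as rule 0
    stray = fw.decide(Flow(server, 20, client, 58103))      # expectation already consumed: drop
    bounce = fw.observe_control(client, server, "PORT 10,0,0,9,0,80")  # third-party address: refused
    return ctl, exp, data, stray, bounce


if __name__ == "__main__":
    for name, value in zip(("control", "expected", "data", "stray", "bounce"), demo()):
        print(f"{name}: {value}")
```

The inspector only honours a PORT command whose address equals the control connection's client, and it consumes each expectation on first use, so the rule-0 acceptance in the log corresponds to exactly one announced data connection rather than an open port.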
