Thanks Chontzopoulos,

I've set up the rules exactly as below, but it still doesn't work. I built a
second FW with the OS and fw ver and it works on there, however I've gone
through the settings of both of them and I cannot find anything different, I
must be missing something very simple.

Thanks


>From: "Chontzopoulos, Dimitris" <[EMAIL PROTECTED]>
>Reply-To: Mailing list for discussion of Firewall-1
><[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: [FW-1] Nimda Uri
>Date: Mon, 11 Mar 2002 10:19:42 +0200
>
>I have created the following:
>
>"General" Tab
>==========
>Name                                    :       Block-Exploits-Http
>Comment                         :       Nimda-Sand-CodeRed
>Connection Methods                      :       Transparent, Proxy
>Exception Track                 :       Log
>URI Match Specification Type    :       Wild Cards
>
>"Match Tab"
>=========
>Schemes                         :       http, ftp, gopher, mailto, news, wais, Other: *
>Methods                         :       GET, POST, HEAD, PUT, Other: *
>Host                                    :       *
>Path                                    :       {*default.ida?*,*cmd.exe*,*root.exe*,*admin.dll*,*readme.exe*,*.eml*,*.nws*,*sample.exe*,*csrss.exe*,*httpodbc.dll*}
>Query                                   :       *
>
>"Action" Tab
>=========
>Replacement Unit                        :       http://no.exploits.allowed.com
>(This way you send a redirect to the host trying to exploit you, so the
>connection he initiated does not time out on your firewall. You send a
>redirection that doesn't exist, so the attacker times out while trying to
>resolve the non-existent domain)
>All others                              :       none, blank
>
>The most important follows:
>1.      The "Nimda HTTP-Resource" must be placed at the top of your rule base
>2.      After the "Nimda HTTP-Resource" you should place all other "HTTP-Resources" you may want to use in order to block downloads, Web-Sites, etc
>3.      After the other HTTP-Resources you may define, you must create a rule that will accept all other "Legal" HTTP/FTP browsing etc
>
>Sample Configuration
>================
>No.1    Any     Any                     http-> Block-Exploits-Http      Drop    Long    Firewall
>No.2    Any     DMZ_Web_Servers_Group   Http, Https, Ftp                Accept  Long    Firewall
>
>I am using the exact scenario in the company I am working for and it works
>like a charm. If you define a Resource Dropping traffic, you should also
>create a rule permitting the rest of the traffic. I had the same problem as
>you did when I first something similar to yours. Don't forget to put the
>non-existent redirection. Please let me know whether it works or not. Thanx.
>
>-----Original Message-----
>From: Joe Bloggs [mailto:[EMAIL PROTECTED]]
>Sent: Sunday, March 10, 2002 12:23 PM
>To: [EMAIL PROTECTED]
>Subject: [FW-1] Nimda Uri
>
>
>We have a checkpoint firewall 4.1 sp5. Web servers in a DMZ with legal IPs
>therefore FW is not doing any NAT. Problem is that if I enable the
>recommended rule to block nimda/code red ie create uri and add to resource
>with rule any->any>http>nimda_uri, it blocks all access to the web servers
>from internally and externally and the log does not show anything. Any help
>appreciated.
>
>Our platform: Win2K SP2, FW-1 4.1 SP5
>
>_________________________________________________________________
>MSN Photos is the easiest way to share and print your photos:
>http://photos.msn.com/support/worldwide.aspx
>
>=================================================
>To set vacation, Out Of Office, or away messages,
>send an email to [EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[EMAIL PROTECTED]
>=================================================

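As an added example (not part of the thread and not Check Point code): a pre-deployment check that runs the Path wildcard list from the quoted resource over web-server access-log lines and reports which requests it would match, so legitimate URLs caught by a broad pattern such as `*.eml*` show up before the rule goes live. It assumes `*` is the only wildcard, that matching is case-insensitive and applied to path plus query string (FW-1's own matcher may differ); the function names and log lines are constructed for illustration.

```python
import re

# Path field copied from the "Match" tab of the quoted resource.
PATH_SPEC = ("{*default.ida?*,*cmd.exe*,*root.exe*,*admin.dll*,*readme.exe*,"
             "*.eml*,*.nws*,*sample.exe*,*csrss.exe*,*httpodbc.dll*}")

# Constructed access-log lines (documentation addresses, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Mar/2002:10:01:02 +0200] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.77 - - [11/Mar/2002:10:01:05 +0200] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 -',
    '192.0.2.77 - - [11/Mar/2002:10:01:06 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.10 - - [11/Mar/2002:10:02:11 +0200] "GET /support/ticket-481.eml HTTP/1.0" 200 5120',
    '192.0.2.10 - - [11/Mar/2002:10:02:30 +0200] "GET /docs/Readme.EXE.txt HTTP/1.1" 200 880',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def compile_spec(spec):
    """Turn a {a,b,c} wildcard list into (pattern, regex) pairs.
    Assumption: '*' is the only wildcard, everything else is literal."""
    rules = []
    for item in spec.strip().strip("{}").split(","):
        item = item.strip()
        body = ".*".join(re.escape(part) for part in item.split("*"))
        rules.append((item, re.compile(body, re.IGNORECASE)))
    return rules

def audit(log_lines, spec=PATH_SPEC):
    """Return (request target, first matching pattern or None) per log line."""
    rules = compile_spec(spec)
    results = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not an HTTP request line
        target = m.group("target")
        hit = next((pat for pat, rx in rules if rx.fullmatch(target)), None)
        results.append((target, hit))
    return results

if __name__ == "__main__":
    for target, hit in audit(SAMPLE_LOG):
        print(f"{'MATCH ' + hit if hit else 'pass':<24} {target}")
```

Feeding it a day of real access logs from the DMZ web servers lists every legitimate URL the resource would drop, which separates pattern false positives from a rule-base ordering problem.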


