My firewall seems to be generating TCP RPC traffic all on its own. It's pretty strange. I've done some snoops on the traffic to get a packet capture. When the connection is successful the firewall does a dump of the RPC services on the remote machine (like an 'rpcinfo -p <host>' does).

It's freaking me out a bit. The firewall itself is the _source_ of the connection attempts. There are no rules allowing this traffic. There are no entries in the logs of the connection attempts. In fact, the connections should be blocked. If I do an 'rpcinfo -p <host>' on the firewall to one of the machines the firewall is _successfully_ connecting to on its own, the attempt is dropped and logged. All the more reason to believe it is the Check Point software itself doing this and ignoring its own policy.

The connections the firewall tries seem to correlate to other machines trying to reach the same hosts. It seems like some host A tries to, say, connect to host B on SMTP (25/tcp), but this is not allowed by policy. The firewall itself makes a connection attempt to host B on 111/tcp before logging the deny for 25/tcp. The 111/tcp is not logged.

I'm guessing this has something to do with enabling TCP RPC services. However, nowhere have I seen documentation mentioning that the firewall is going to be running around doing RPC dumps on machines every time someone wants to make any TCP connections. Does anyone have more info on this or seen this before?

--
Crist J. Clark [EMAIL PROTECTED]
Globalstar Communications (408) 933-4387
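
One way to check the correlation described in the message above, as an added example that is not part of the original post: pair each firewall-sourced 111/tcp SYN seen in a capture with the logged drop that follows it for the same destination, and flag probes that never appear in the log. The addresses, record layout, timestamps and 2-second window are constructed assumptions, not Check Point log or snoop output formats.

```python
from datetime import datetime, timedelta

FIREWALL_IP = "192.0.2.1"        # assumed firewall address (documentation range)
PORTMAP = 111                    # portmapper port queried by rpcinfo -p
WINDOW = timedelta(seconds=2)    # assumed correlation window
# Constructed capture summary (TCP SYNs only): time src dst dport
CAPTURE = """\
2001-03-01T10:00:00.100 198.51.100.7 192.0.2.50 25
2001-03-01T10:00:00.150 192.0.2.1 192.0.2.50 111
2001-03-01T10:05:10.000 198.51.100.9 192.0.2.60 25
2001-03-01T10:05:10.040 192.0.2.1 192.0.2.60 111
2001-03-01T10:20:00.000 192.0.2.1 192.0.2.70 111
"""
# Constructed firewall log: time action src dst dport
FW_LOG = """\
2001-03-01T10:00:00.300 drop 198.51.100.7 192.0.2.50 25
2001-03-01T10:05:10.200 drop 198.51.100.9 192.0.2.60 25
"""

def parse(text, fields):
    """Split whitespace-separated records into dicts with typed time and port."""
    rows = [dict(zip(fields, line.split())) for line in text.splitlines()]
    for row in rows:
        row["time"] = datetime.fromisoformat(row["time"])
        row["dport"] = int(row["dport"])
    return rows

def correlate(capture, log, fw_ip=FIREWALL_IP, window=WINDOW):
    """For each firewall-sourced 111/tcp SYN, report whether it was logged and
    which logged drop to the same destination followed it within the window."""
    findings = []
    for pkt in capture:
        if pkt["src"] != fw_ip or pkt["dport"] != PORTMAP:
            continue
        logged = any((e["src"], e["dst"], e["dport"]) == (fw_ip, pkt["dst"], PORTMAP) for e in log)
        trigger = next((e for e in log if e["action"] == "drop"
                        and e["src"] != fw_ip and e["dst"] == pkt["dst"]
                        and timedelta(0) <= e["time"] - pkt["time"] <= window), None)
        findings.append({"dst": pkt["dst"], "logged": logged, "trigger":
                         (trigger["src"], trigger["dport"]) if trigger else None})
    return findings

def run():
    capture = parse(CAPTURE, ["time", "src", "dst", "dport"])
    log = parse(FW_LOG, ["time", "action", "src", "dst", "dport"])
    return correlate(capture, log)

if __name__ == "__main__":
    print(*run(), sep="\n")
```

A probe with a trigger supports the "host A tries host B, firewall queries B on 111/tcp" pattern; a probe with no trigger, like the last constructed record, is firewall-originated traffic that the denied connections do not explain.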
