Exit from your GUI client
Go to the Management Server.
Edit the $FWDIR/conf/objects.C
Skip down to the props() section
Add
:undo_msg (true)
Save your objects.C
Start up your GUI client.
Reinstall your policy.
For more neat tricks with objects.C, from 3.0 to 4.1 SP2,
see the following, which I have collected over the years and which is
published in Resolution 1265 in the Nokia Knowledge Base.
--- Jerald Josephs
NOTE: The following entries into the properties section of the objects.C
file have been ordered into categories. Be careful because not all versions
of FireWall-1 support each of these entries. Each version of FireWall-1 has
introduced new entries, as documented in the relevant release notes. It is
implied that a later version of FireWall-1 supports an entry introduced by
an earlier version, but significant changes to INSPECT may obsolete an
earlier entry that is documented here.
DNS Security
:dns_verification (true) (New for 4.1 SP2)
This will add a pre-defined rule to any INSPECT code generated by a security
policy, represented by the macro, dns_verification_code. This rule will only
allow DNS queries or responses to be transmitted across port 53.
Certificate Validation
:use_cms_validation (false) (New for 4.1 SP1)
Forces VPN-1/FireWall-1 to validate Entrust certificates using the same
Check Point validation code it uses to validate OPSEC CA certificates.
Normally, VPN-1/FW-1 would use the Entrust CMS toolkit.
HTTP Security Server
:http_max_url_length (n)
Since the release of 3.0b SP8 on other platforms, this increases the maximum URL
length that can be handled by the HTTP Security Server.
:http_log_every_connection (true)
This will log all sites that an HTTP authenticated user visits.
:http_buffer_size (32768) (New for 4.1 Base)
Increases the HTTP security server's buffer size.
:http_sup_continue (true) (New for 4.0 SP5 and 4.1 SP1)
Enables the HTTP Security Server to support the HTTP 1.1 CONTINUE command.
:http_force_down_to_10 (true) (New for 4.0 SP5 and 4.1 SP1)
Forces the HTTP Connection down to version 1.0. Needed when working with CVP
servers.
:http_avoid_keep_alive (true) (New for 4.0 SP5 and 4.1 SP1)
Forces the HTTP Security Server to ignore the "Keep Alive" directive in HTTP
1.1, needed when working with CVP servers.
:http_cvp_allow_chunked (true) (New for 4.0 SP3)
:http_weeding_allow_chunked (true)
:http_block_java_allow_chunked (true)
:http_allow_ranges (true)
Allows the HTTP Security Server to handle downloads that occur as byte
ranges, used in HTTP 1.1.
:http_allow_double_slash (true) (New for 4.0 SP5)
:http_use_default_schemes (true)
Enables the HTTP Security Server to accept double slashes ('//') in a
substring of a URL. In order to allow this, the security server will define
a set of schemes that it will accept.
The default set includes prospero, gopher, telnet, finger, mailto, http,
news, nntp, wais, file and ftp. You may define new schemes, which will be
ADDED to this set.
In order to define additional schemes also add:
:scheme ("<scheme_name>:")
Where scheme_name is the name of the new scheme. For example, to define
http, you would add :scheme ("http:").
:httpd_use_host_h_as_dst (true)
SMTP Security Server
:smtp_rfc821 (false)
Configure the SMTP Security Server to work with non-compliant RFC821 mail
servers.
Authentication
It is possible to configure FireWall-1, when using partially automatic
client authentication, so that the redirection sent to the client will be
done according to the `host` header and not according to the destination IP.
:radius_ignore (255) (New for 4.0 SP4)
When handling RADIUS authentication FireWall-1 verifies that the RADIUS
attributes are such that appear in the RFC. If your system uses non-standard
RADIUS attributes, you can force FireWall-1 to ignore these attributes. In
order to do so you must add to objects.C an appropriate line for each such
attribute, giving its ID. The example is for an attribute with ID 255.
:automatically_open_ca_rules(true)
(3.0 series) Allows normal User or Session Authentication rules to
automatically perform a standard sign on for Client Authentication Rules. In
4.0, this is replaced by "Partially Automatic" and "Fully Automatic"
Sign-On.
:prompt_for_destination (true)
If this is true and there are User Authentication rules, a user will be
prompted for their final destination when they telnet to the firewall.
Policy Verification
:fw_light_verify (true) (New for 4.0 SP3)
With this Service Pack you may add a property which will enable light policy
verification, which means verification of each rule separately but no cross
rule verification. This option may decrease the policy installation time of
policies containing hundreds of rules.
FTP
:new_ftp_interface (true)
This enables one to establish an FTP connection through two firewalls which
require authentication and provides a slightly nicer interface to
authenticated FTP. See Resolution 1645 for more details.
SecuRemote
:userc_NAT (true) # for FWZ
:userc_IKE_NAT (true) # for ISAKMP
Enables 4.0 SecuRemote clients passing through address translation to
establish a VPN with a 4.0 packet filter module. This is for version 4.0
only. This works with Static NAT and Pool NAT fine. For Dynamic NAT, it will
only work if there is a single SR client behind each hiding IP address.
:fwz_encap_mtu (1)
When using SecuRemote with FWZ Encapsulation, versions 3.0 and 4.0 (EA) are
incompatible. Both combinations - SecuRemote 3.0 with FireWall-1 4.0, and
SecuRemote 4.0 with FireWall-1 3.0 have the same problem. It occurs only
with packets of a very specific size (total size close to MTU).
SecuRemote 4.0 (EA) and FireWall-1 4.0 (EA) fix the problem in
re-assembling, but will not interoperate with version 3.0. FireWall-1 4.0
SP-1 and SecuRemote 4.0 build 4003 now fragment in a backward compatible way
(with all versions).
This problem has been fixed with SecuRemote 4.0 Build 4003 (4005 is the most
current).
Miscellaneous
:undo_msg(true)
Prevent the security servers' banner from being displayed. This is more
discreet in that it does not advertise that Check Point FireWall-1 is
running on your platform.
:skey_mdmethod (md5)
Force S/Key encoding method to use MD5, where MD4 is the default.
:fwd_conn_tout(###)
This changes the FireWall-1 Control Connection timeout in order to deal with
the "Operation would block" error message that occurs during a policy
install. This is because the Control Module has not received timely response
from a remote packet-filter module. The default value is 25 seconds.
:tcpendtimeout(####)
This property will control the amount of time before FireWall-1 removes an
entry from the connections table once a FIN packet is seen. In 4.0 SP5 and
in 4.1 SP1 it will be possible to change this value. To change this timeout:
:icmpcryptver (1)
Enables the use of Encryption and NAT simultaneously with ICMP. This puts
the firewall into a state where it cannot encrypt ICMP with FireWall-1 prior
to version 3.0 or with FireWall-1 3.0 or later that have not also
implemented this change.
:nat_limit (50000) (4.0 SP1 and later)
:nat_hashsize (65536)
Changes the maximum number of connections NAT will handle. The hashsize
should be a power of 2 close to the size of nat_limit. Note that this is
usually done in conjunction with increasing the maximum number of
connections beyond 25,000 as documented in Resolution 1325.
:manualminSPI (0x100)
:manualmaxSPI (0x10000)
This allows you to change the range of SPIs permitted by FireWall-1 for
Manual IPSec. SPIs that are not in this range are ignored.
:fwsynatk_ifnum ()
The above changes are needed if you wish to restrict SynDefender to the
External Interface.
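The steps at the top of this post and every `:key (value)` entry in the list above amount to editing the props() section of objects.C by hand, where a duplicated key or a lost parenthesis is easy to introduce. The Python below is an added example, not from this post or from Check Point: it parses that `:key (value)` layout, locates the :props section by parenthesis depth, and sets one property exactly once (rewriting an existing entry, otherwise appending one). The sample fragment, the assumed file layout and the function names are constructed.

```python
import re

# Constructed objects.C fragment (not a real file). It mimics the ":key (value)"
# entries nested in parenthesised sections; the exact layout is an assumption.
SAMPLE_OBJECTS_C = """(
\t:props (
\t\t:fw_light_verify (false)
\t\t:http_max_url_length (2048)
\t)
)
"""
ENTRY_RE = re.compile(r"^(\s*):(\w+)\s*\((.*)\)\s*$")  # indent, key, value

def _props_span(lines):
    """(start, end) line indexes of ':props (' and its matching ')'."""
    for i, line in enumerate(lines):
        if re.match(r"^\s*:props\s*\(\s*$", line):
            depth = 0
            for j in range(i, len(lines)):
                depth += lines[j].count("(") - lines[j].count(")")
                if depth == 0:  # back at the depth of the ':props (' line
                    return i, j
            raise ValueError("unbalanced :props section")
    raise ValueError("no :props section found")

def get_prop(text, key):
    """Value of ':key (...)' inside :props, or None when absent."""
    lines = text.splitlines()
    start, end = _props_span(lines)
    for i in range(start + 1, end):
        m = ENTRY_RE.match(lines[i])
        if m and m.group(2) == key:
            return m.group(3)
    return None

def set_prop(text, key, value):
    """Set ':key (value)' in :props exactly once -> (new_text, action)."""
    lines = text.splitlines()
    start, end = _props_span(lines)
    for i in range(start + 1, end):
        m = ENTRY_RE.match(lines[i])
        if m and m.group(2) == key:  # rewrite the existing entry in place
            lines[i] = f"{m.group(1)}:{key} ({value})"
            return "\n".join(lines) + "\n", "updated"
    # Absent: append before the closing ')', one tab deeper than ':props ('.
    indent = lines[start][: len(lines[start]) - len(lines[start].lstrip())] + "\t"
    lines.insert(end, f"{indent}:{key} ({value})")
    return "\n".join(lines) + "\n", "inserted"
```

Running `set_prop(SAMPLE_OBJECTS_C, "undo_msg", "true")` adds the entry this post recommends; calling it again only rewrites that one line, so the file never gains a duplicate key.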
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: "Dave Black" <[EMAIL PROTECTED]>; "Fw1 (E-mail)"
<[EMAIL PROTECTED]>
Sent: Tuesday, July 11, 2000 6:36 PM
Subject: Re: [FW1] Disabling Checkpoint 'banner' for FTP?
>
> Use "strings" against the application source file and it will provide you
> the line number in the source. Then submit an engineering mod request to
> Checkpoint to change the 220 message line.
>
> It is embedded in the source somewhere, I can't remember off the top of my
> head.
>
> /m
>
> At 04:08 PM 7/11/00 -0500, Dave Black wrote:
> >Hi all,
> >
> >I've looked on phoneboy.com and could not find the answer to this
> >question. When connecting to FTP thru a CP Firewall, how do you disable
> >the following "banner"?
> >
> >"220 aftpd: Check Point Firewall-1 Secure FTP server running on machinename"
> >
> >I don't think it's a good idea to broadcast not only the type of firewall,
> >but also the name of the machine that the firewall is running on.
> >
> >You can reply privately to dblack@extendedcare.com.
> >Thanks in advance.
> >
> >Dave Black
> >Senior Software Engineer
> >dblack@extendedcare.com
> >
> >Home Page: http://www.daveblack.net/
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================