David,
I didn't install SP2 yet, but reading the release notes about this that came with SP2.
Checkpoint claims to allow traffic in a stateful manner, i.e. it will allow only valid return packets by checking if the connection (valid and allowed by the rulebase) had been registered in the connection table (fw tab). If not, it will reject the return packets. Until FW-1 4.1 SP1, Checkpoint used to allow return packets by checking its connection existence in the connection table (i.e. based on source IP, source port, Dest IP, Dest port) and then in the return packet it checks if the packet is other than a SYN packet. This works great, and even if you reboot the FW or fwstop;fwstart it will allow established connections again, as an established connection will transmit NON-SYN packets (example: ACK packets) through the FW and the FW will log the connection back in the table.
This has some serious drawbacks: anybody can send ACK (FIN, FIN/ACK etc.) packets through the FW (if the rulebase allows the connection) without sending SYN packets first. Moreover you can send ACK (or other NON-SYN) packets from outside to inside (in which case normally the rulebase denies the connection) if you know about an already established connection (i.e. SRC_IP, SRC_PORT, DEST_IP, DEST_PORT) registered in the connection table (this is difficult to know for intruders). But people inside your FW can quickly fill up the connection table just by sending fake ACK packets from inside to outside, even if the host doesn't exist on the Internet.
There is a very nice paper written by Lance Spitzner, http://www.enteract.com/~lspitz/papers.html (Understanding the FireWall-1 State Table); this covers up to FW-1 4.1 SP1.
But now it looks like Checkpoint in 4.1 SP2 decided not to allow these non-SYN packets, and thus you are seeing different behavior.
[[ Remember: Security is inversely proportional to convenience ]]
Rajeev
I upgraded a Solaris 2.6 machine from 4.1SP1 with the Hotfix to SP2. I immediately noticed that some external inbound connections that worked fine before were being refused. I would get a rule 0 drop with the message "unknown established TCP packet". The inbound connections were for some standard TCP services as well as allowing for external FW1 connections from certain hosts to the management station/firewall (i.e. no unusual protocols).

In the release notes, they talked about enhancements in SP2 to prevent some "unauthorised packets" from getting through. They said you could stop this "upgrade feature" by uncommenting the line

#define ALLOW_NON_SYN_RULEBASE_MATCH

I uncommented this and reloaded and the connections then worked.

Anyone seen this problem with SP2? Anyone know why the default SP2 patch might behave this way?

Also, after doing the upgrade we've noticed that some outbound HTTP connections sometimes just seem to stop. If you do a refresh in the web browser the page comes through. We aren't using any of the content servers/proxies, so I would think this must be packet related.

Any help/info/experiences anyone can provide would be greatly appreciated.
Thanks,
David Perlin
[EMAIL PROTECTED]
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
--
##################################################################
Rajeev Kumar ([EMAIL PROTECTED]) ==> Web:: http://www.rajeevnet.com <==
##################################################################
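The two behaviours Rajeev describes (the pre-SP2 "non-SYN packet that matches the rulebase creates a state entry" logic versus the SP2 default that drops it as an "unknown established TCP packet") can be seen side by side in this added Python simulation. It is not code from this thread or from Check Point: the packet and rule classes, the addresses, the two-line rulebase and the boolean `allow_non_syn_rulebase_match` (standing in for the `ALLOW_NON_SYN_RULEBASE_MATCH` define David mentions) are constructed for illustration and do not reproduce INSPECT's real connection-table code.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset  # e.g. frozenset({"SYN"}) or frozenset({"ACK"})


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    dst_port: Optional[int]  # None = any destination port
    action: str              # "accept" or "drop"

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(self.dst_net)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


class StatefulFirewall:
    """Toy model of FW-1 stateful inspection (assumption), not Check Point's INSPECT code."""

    def __init__(self, rulebase, allow_non_syn_rulebase_match):
        self.rulebase = rulebase
        # Stands in for the ALLOW_NON_SYN_RULEBASE_MATCH define from the thread
        # (assumption: True = pre-SP2 behaviour, False = the SP2 default).
        self.allow_non_syn = allow_non_syn_rulebase_match
        self.conn_table = set()  # the 'fw tab' connections table, keyed on the 4-tuple
        self.log = []

    def _rulebase_lookup(self, pkt):
        for number, rule in enumerate(self.rulebase, start=1):
            if rule.matches(pkt):
                return number, rule.action
        return 0, "drop"  # implicit drop, logged as rule 0

    def inspect(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        # 1. Both directions of a registered connection pass without a rulebase lookup.
        if key in self.conn_table or reverse in self.conn_table:
            return "accept"
        # 2. A new SYN is matched against the rulebase and registered if accepted.
        is_syn = "SYN" in pkt.flags and "ACK" not in pkt.flags
        # 3. A non-SYN packet with no state entry is where the two versions differ:
        #    legacy treats it like a SYN (a rulebase match creates state, so sessions
        #    survive a restart but so do fake ACKs from inside); SP2 drops it.
        if is_syn or self.allow_non_syn:
            number, action = self._rulebase_lookup(pkt)
            if action == "accept":
                self.conn_table.add(key)
            else:
                self.log.append(f"rule {number} drop: {key}")
            return action
        self.log.append(f"rule 0 drop: unknown established TCP packet {key}")
        return "drop"

    def fwstop_fwstart(self):
        """A restart loses the connection table, as the thread describes."""
        self.conn_table.clear()


# Constructed rulebase: inside (10/8) may go anywhere; anyone may reach the web server on 80.
RULEBASE = [
    Rule("10.0.0.0/8", "0.0.0.0/0", None, "accept"),
    Rule("0.0.0.0/0", "10.0.0.5/32", 80, "accept"),
]


def run_scenario(allow_non_syn_rulebase_match):
    """Replay the same constructed packets against one firewall mode and report verdicts."""
    fw = StatefulFirewall(RULEBASE, allow_non_syn_rulebase_match)
    out = {}
    # A normal outbound connection: SYN out, SYN/ACK back (documentation addresses).
    syn = Packet("10.0.0.9", 40000, "198.51.100.7", 80, frozenset({"SYN"}))
    synack = Packet("198.51.100.7", 80, "10.0.0.9", 40000, frozenset({"SYN", "ACK"}))
    out["syn"] = fw.inspect(syn)
    out["synack"] = fw.inspect(synack)
    # fwstop;fwstart, then the same established session sends a plain ACK.
    fw.fwstop_fwstart()
    ack = Packet("10.0.0.9", 40000, "198.51.100.7", 80, frozenset({"ACK"}))
    out["ack_after_restart"] = fw.inspect(ack)
    # A bare ACK from inside towards an address that never answered a SYN.
    fake = Packet("10.0.0.33", 51000, "203.0.113.200", 443, frozenset({"ACK"}))
    out["fake_ack"] = fw.inspect(fake)
    out["table_entries"] = len(fw.conn_table)
    out["unknown_established_drops"] = sum("unknown established" in e for e in fw.log)
    return out


if __name__ == "__main__":
    for name, mode in (("legacy (define uncommented)", True), ("SP2 default", False)):
        print(name, run_scenario(mode))
```

Running it shows the trade-off in one table: with the define in effect the ACK after the restart is accepted and the session keeps working, but the fake ACK also lands in the connection table (two entries from one inside host that never completed a handshake); with the SP2 default both are logged as rule 0 "unknown established TCP packet" drops and the table stays empty, which is exactly what David saw after the upgrade.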
