Good morning all - long time reader, first time poster :)

Our CPFW-1 2000 SP1 install on an Ultra 10 running Solaris 2.6 is doing
something weird, and I can't see how it's doing it.  CP support have not
gotten back to me in the month I've contacted them.

To stop people streaming certain file types through our firewall, I've put
in the rule:

Net-internal    ->      Any     http-streamingblock     reject

Inside the streamingblock resource tied to the http service I've got the
following options enabled:

Connection Methods: Transparent
URI Match Specification Type: Wild Cards
Schemes: http
Methods: GET, POST, HEAD, PUT
Host: *
Path: *.{ra,rm,ram,asf,asx,wma,wa,wax,wvx,mp3}
Query: *

Now this works great - stops streaming media we don't want streamed (we
allow QT4 through).

However...

When a user logs into Netscape's Webmail
(http://home.netscape.com/webmail/index-f.html), a series of cookies are
set.  No probs, but when one in particular is set, then an error comes
up saying that the document contains no data.  All subsequent accesses to
any of Netscape's sites then come back with the same message.  The cookie
that is causing the problems is:

"
.netscape.com   TRUE    /       FALSE   1293840022      NS_REG         
SHA1=%88%0C%BB%D2%AD%8C%D1%EB%C2V%18%60OD%C7%D40%CA%CE%F7[-]UR%5FEMAIL=User%40netscape%2Enet[-]UR%5FREG%5FID=1697700%3ASWDv1
"

When one blocks this cookie, Webmail works fine (but is not a satisfactory
solution for the user).  When I turn off the streamingblock and accept the
cookie, Webmail works fine.  But when I've got both enabled, the problem
crops up.  How does my rule clash with this cookie?  It's not like any of
the file extensions are contained in the cookie.

BTW, we use Netscape Communicator 4.5 -> 4.75.  No IE, so haven't tested
it.

Thanks for your time - this is giving me gyp in a big way :)

- Symon...

