Hi, Becky. If you want your modification to be noticed you will probably
have to bounce the FW service that is logging (EMC or standalone, whatever
you have). That _should_ pick up the change.
If you wanted to just see protocol and port numbers, you could remove
/etc/protocols and /etc/services respectively on a *nix host. THIS IS
PROBABLY NOT A SMART MOVE AND WILL BREAK THINGS. I'm just saying that it
_could_ be done.
Me, I prefer the opposite. I parsed the protocols and ports lists from IANA
and reused them as my /etc/protocols and /etc/services files on my EMC. If
I see weird stuff in the logs it usually forces me to investigate further
and figure out what the issue is.
Case in point, I saw weird IP protocol 89 traffic (CP didn't know what it
was before I modified /etc/protocols) which was being denied. It turns out
that my internal routers were trying to redistribute routes up to my Nokias
via OSPF. That could have been an issue.
Chris
-----Original Message-----
From: Beckster
To: Luke, Jason (ISS Southfield); [EMAIL PROTECTED]
Sent: 2/9/01 5:13 PM
Subject: ADDENDUM - Interesting fix - Re: [FW1] "nameserver" in Service column in log files?
Well, I hate to reply to my own posting, but when I shut down logviewer
and then re-opened, it reverted to "nameserver" again!!! So, sad to
say, "nameserver" has been commented out of my services file again.
My log file is working now with the following entries in my services
file:
domain-tcp 53/tcp nameserver # name-domain server
domain-udp 53/udp nameserver
# nameserver 53/tcp domain # name-domain server
# nameserver 53/udp domain
Does this seem like a weird/flaky bug to anyone else?
Becky
Beckster wrote:
>
> Jason!! What a great tip!!
>
> Actually I had to comment out the following four services at first,
> because after I commented out "nameserver", then just "domain" started
> popping up in the log files:
> # domain 53/tcp nameserver # name-domain server
> # domain 53/udp nameserver
> # nameserver 53/tcp domain # name-domain server
> # nameserver 53/udp domain
>
> And then I just renamed them to match the Check Point names:
> domain-tcp 53/tcp nameserver # name-domain server
> domain-udp 53/udp nameserver
>
> And then un-commented the nameserver entries, so now my services
> file looks like this:
> domain-tcp 53/tcp nameserver # name-domain server
> domain-udp 53/udp nameserver
> nameserver 53/tcp domain # name-domain server
> nameserver 53/udp domain
>
> Presto! My logs are working and now my "Service Selection Criterion"
> box is working properly when I want to select logs "In" or "Not in"
> domain-udp/domain-tcp. Very weird that CP logs are pulling names
> from my management NT services file???
>
> Thanks again for your assistance Jason.
>
> No longer disgruntled in Dallas,
> Becky
>
> p.s. Now why the heck does NT have 2 sets of entries in the
> Services file for port 53 udp/tcp? Too much to learn, too little
> time....
>
> "Luke, Jason (ISS Southfield)" wrote:
> >
> > 'nameserver' is just Port 53 DNS queries in disguise. I believe your GUI
> > client is on NT and it is resolving port 53 traffic to nameserver, which is
> > listed in the WINNT/system32/drivers/etc/services file. I think if you
> > comment out that entry it will go back to being domain-tcp and domain-udp in
> > the logviewer.
> >
> > Jason
> >
> <SNIP>
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
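An added example, not part of the thread and not Check Point code: a small Python audit of a services file that lists every port/protocol pair claimed by more than one active entry, the port 53 situation described in the quoted messages. The sample text is constructed from the entries quoted in the thread, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the four port-53 entries quoted in the thread, all
# active, plus an unrelated service with one commented and one active line.
SAMPLE = """\
domain-tcp 53/tcp nameserver # name-domain server
domain-udp 53/udp nameserver
nameserver 53/tcp domain # name-domain server
nameserver 53/udp domain
# smtp 25/tcp mail
smtp 25/tcp mail
"""

# name  port/proto  [aliases...]
ENTRY = re.compile(r"^(\S+)\s+(\d+)/(\w+)\s*(.*)$")

def parse_services(text):
    """Yield (lineno, name, port, proto, aliases) for each active entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        match = ENTRY.match(line) if line else None
        if match:
            name, port, proto, rest = match.groups()
            yield lineno, name, int(port), proto.lower(), rest.split()

def audit(text):
    """Report port/proto pairs that more than one active entry maps to a name."""
    by_key = defaultdict(list)
    for _lineno, name, port, proto, aliases in parse_services(text):
        by_key[(port, proto)].append((name, aliases))
    report = {}
    for key, rows in by_key.items():
        if len(rows) < 2:
            continue
        names = [name for name, _ in rows]               # file order
        aliases = {a for _, al in rows for a in al}
        # A name that is primary on one line and an alias on another
        report[key] = {"names": names,
                       "also_alias": sorted(set(names) & aliases)}
    return report

if __name__ == "__main__":
    for (port, proto), info in sorted(audit(SAMPLE).items()):
        print(f"{port}/{proto}: {info['names']} (also alias: {info['also_alias']})")
```
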