Dear Mr Gunjan,
Solution1: Error messages in
ahttpd.log\ahttpd.elg
These messages are no
Isn't it possible to specify a rule with the value of the ACK bit? This
way, you should be able to make the difference between the packets
initiating connections from the DMZ to the LAN (ACK=0) and packets being
part of a connection (LAN<->DMZ: ACK=1).
I'm not familiar enough with FW1 to be m
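As an added example (not part of this thread or of FireWall-1's own code), here is a Python model of the ACK-bit rule suggested above beside a stateful rule with the same intent. It shows why the ACK check admits legitimate replies but also admits a crafted bare-ACK segment that no session is behind. The address prefixes, ports and the `Segment` type are assumptions made for the example, and the traffic it runs on is constructed inline.

```python
"""
Added example (not from the mailing-list post): a stateless "ACK bit" rule for
DMZ -> LAN traffic, next to a stateful rule with the same intent.

A TCP segment with ACK=0 can only be the opening SYN of a connection; every
later segment (SYN/ACK, data, FIN) carries ACK=1.  So "DMZ -> LAN, TCP, ACK=1:
accept" lets replies to LAN-initiated sessions through while refusing sessions
initiated from the DMZ.  The catch: the filter trusts the flag, so a crafted
segment with ACK set and no session behind it also passes (this is what an
"ACK scan" relies on).  A state table does not have that gap.
"""
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# Assumed address plan for the example.
DMZ_PREFIX = "192.168.1."
LAN_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def zone(ip):
    if ip.startswith(DMZ_PREFIX):
        return "DMZ"
    if ip.startswith(LAN_PREFIX):
        return "LAN"
    return "OTHER"


def ack_bit_policy(seg):
    """Stateless rulebase: direction plus the ACK bit, nothing remembered."""
    s, d = zone(seg.src), zone(seg.dst)
    if s == "LAN" and d == "DMZ":
        return "accept"                      # LAN may open sessions to the DMZ
    if s == "DMZ" and d == "LAN":
        # ACK=1 is taken to mean "part of an existing connection".
        return "accept" if seg.flags & ACK else "drop"
    return "drop"


def stateful_policy(seg, table):
    """Same intent, but DMZ -> LAN is accepted only for sessions the LAN opened.

    `table` holds (lan_ip, lan_port, dmz_ip, dmz_port) tuples for open sessions.
    """
    s, d = zone(seg.src), zone(seg.dst)
    if s == "LAN" and d == "DMZ":
        if seg.flags & SYN and not seg.flags & ACK:        # new session
            table.add((seg.src, seg.sport, seg.dst, seg.dport))
        return "accept"
    if s == "DMZ" and d == "LAN":
        return "accept" if (seg.dst, seg.dport, seg.src, seg.sport) in table else "drop"
    return "drop"


def sample_traffic():
    """Constructed traffic: a LAN-initiated HTTP session, then two probes from the DMZ."""
    lan, dmz = "10.0.0.7", "192.168.1.5"
    return [
        Segment(lan, 40000, dmz, 80, SYN),          # LAN opens a session
        Segment(dmz, 80, lan, 40000, SYN | ACK),    # DMZ replies: must pass
        Segment(dmz, 80, lan, 40000, ACK),          # DMZ data: must pass
        Segment(dmz, 3333, "10.0.0.9", 22, SYN),    # DMZ opens a new session: must be dropped
        Segment(dmz, 3333, "10.0.0.9", 22, ACK),    # bare ACK with no session behind it
    ]


def compare(segments):
    """Run the same traffic through both policies: [(stateless, stateful), ...]."""
    table = set()
    return [(ack_bit_policy(s), stateful_policy(s, table)) for s in segments]


if __name__ == "__main__":
    for seg, verdicts in zip(sample_traffic(), compare(sample_traffic())):
        print(f"{seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} flags={seg.flags:#04x}  "
              f"ack-bit={verdicts[0]}  stateful={verdicts[1]}")
```

The last segment in the sample is the one that matters: both policies agree on the first four, but the bare ACK from the DMZ to a LAN host that never opened anything passes the stateless rule and is dropped by the stateful one. That is the gap an ACK-bit rule leaves, and the reason a stateful inspection engine tracks the session rather than the flag.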
Hi,
I'm using Checkpoint firewall, and now looking for HA
features. For the same I have a few queries:
How does HA actually work?
We are planning three Identical Database servers on three
diff. locations and Can we use HA software to configure in such a way, that
If one database goes down
Hi,
What is ahttpd.elg used for? I checked this file
and in it I found a few messages; what is the meaning of those
messages? "Connection closed prematurely", "New header length exceeded
max_header_length", "Cannot connect to WWW-server". My ahttpd file is filled
more than 99% by the first message. What is
I'm trying to figure out if I have a nat problem.
I have a nokia 333 connected to a cisco router
via T1 through the serial port.
Using SecuRemote I can connect to the Nokia box
from there I can telnet to the cisco router but,
once inside the cisco router I cannot ping out to the internet.
I have
Hi folks,
I'm new with this. A couple of months ago we had a
working VPN Secure Server (4.1) and SecuRemote
Client. (Installed using WINS and FWZ Authentication
on the firewall side).
Lately we try to install a new secure remote client on
a new dial-up computer, the problem is the client
can't s
Dear Sirs,
How can I define a new service which requires two
connections, one of which uses a dynamic
port?
Do I need to know how to write the Inspection language
in order to do so?
Please let me know where I can get more information
regarding it.
Thank you very much for your h
Hello again,
Sorry to perpetuate the thread, but before letting the topic rest I must
respond to a few points made by Mark Boltz of StoneSoft in his post this
morning:
He wrote, "Mr. Decker made it known in some personal correspondence that the
Web site is undergoing revision, and so 1.5 should
Arg!
I am familiar with VBS
perhaps read my message again.
No .vbs was sent to the list as far as I can figure out. (I have checked
our SMTP mail archives and there is no VBS in the message sent.)
I was just trying to be helpful to other list members that may be concerned
that they have somehow b
If you will notice the extension of the removed filename... It was vbs.
Don't ring a bell, huh? Windoze users have to fear that stuff...glad I
don't have that issue. But, that is how the l0ve letter virus got
around. It relied on the inherent flaws of windoze and the vb stuff.
In this case it
Place a private DNS name server in the private network. Place the public
DNS server out on one of the DMZs. Several articles have been written on split DNS and
how to harden your DNS name servers from the bad guys. Check out securityportal.com for one
location.
merlin
Chinnery Paul wrote:
Currently us
Could a solution for some people be: allow anybody to ping a machine on
your DMZ (a 386 running TCP). This way you only have one machine potentially
subject to the POD.
All a ping does is check that the path to a machine is available.
It cannot tell if services/daemons are running.
So what ar
Hi all,
Since around 24 Sep we have been receiving a large number of nbname probes
from seemingly random sources. These are not the typical scan that goes
through your complete address range and then passes on.
They occur throughout the 24 hour day (around 600 per day). Destination and
source s
Hi,
I am running CKPfw ver 4.0 build 4094. I have had an interesting
thing brought to my attention. It seems that Windows Media Player
(which is becoming more popular) does not work.
I did a bit of playing around, and my rule:
any   firewall   any   reject
rule is the rule that doe
For what it's worth, "nessus" is absolutely a must have, for anyone
running over-the-network audits of other systems. The paradigm I
use to describe it is the early open source web server one: Apache.
Started out less capable than other servers, but with open source
behind it, rapidly increased
Um.. the mail Örjan Sjöström sent did not contain the VBS code , well at
least the one sent to me did not.
I think some people's AV software is a bit sensitive at the moment and you
are getting false positives. This has been quite common when AV vendors put
"quick fixes" out. They tidy it up late
http://dmoz.org/Computers/Security/ - all the security resources you can
shake a stick at
http://www.google.com - search for security, computer security.
http://www.technotronic.com/ - security
http://www.cert.org/ - security
http://dmoz.org/Computers/Security/Advisories_and_Patches/Subscr
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Not all pings are bad pings. ICMP protocol can be used for a number
of things. ICMP is just another IP Protocol, like TCP. Check out :
http://www.isi.edu/in-notes/iana/assignments/icmp-parameters
In order to prevent the rule base from growing long
If you are running DNS on NT, don't make the NT box a member of your domain.
-Original Message-
From: Will Schwartz [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 12, 2000 3:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [FW1] Best practice: DNS location
I would have your public DNS on
Since many of us are really interested in what other colleagues use to
do audits and/or ethical hacking, it would be nice if people could share
their arsenal of network security tools (free and commercial). Which
tool do you use the most? Which platform do you use? etc. This would
help many (inclu
I have recently installed FW-1 4.1 SP2 on a Solaris 2.6 box. Since
installation I have been receiving Virtual Defragmentation Errors every 60
seconds indicating anywhere from ten to several thousand dropped packets
per minute reported on the loopback interface. Can anyone tell me why there
is suc
My general rule is to put anything that the outside world accesses in my
DMZ. In my network this means a separate network connected to a different
interface of the firewall. That is not always possible but as a general
rule, you want to keep the outside world out of your internal network.
Yo
I would have your public DNS on a DMZ. I would house your private DNS on the
LAN. The Public DNS should only contain the DNS records that you absolutely
need to run, your internal DNS can have the rest. No one should connect to
your internal DNS from the outside. You can set up forwarding on you
Hi there,
has anyone implemented a 3-legged FireWall installation with DirecPC using
static NATs for SMTP and HTTP?
Thank you
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Frank
Darden
Sent: Thursday, October 12, 2000 8:36 PM
To: 'Tom Sevy'; Check Poin
Title: mime stripping
Group,
What all products will do MIME stripping? I see references about the SMTP resource doing the stripping, but what is used to be the SMTP resource?
Thanks in advance,
Vincenzo
Yeah, you need static routes, or run something like gated or routed so your firewall learns where
stuff is automatically. You can just set up gated (I run gated) and list all the
static routes, or pass routing info like RIP or whatever to your firewall...
Rodney Lacroix wrote:
> I started receiving a TO
The reason someone setup the 10.0.0.0 255.0.0.0 for the default route was so
the firewall would send ALL packets destined for the 10.x.x.x network to
your internal router, then the router could handle it from there.
You either need to change the mask back, or add a separate network entry for
EVE
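As an added example (not from the thread), the following Python does a longest-prefix route lookup over three versions of the routing table: the original /8 interface mask, the corrected mask with nothing else added, and the corrected mask plus the separate 10.0.0.0/8 entry via the internal router that the reply above recommends. The addresses (inside interface on 10.1.2.0/24, internal router 10.1.2.1, ISP next hop 203.0.113.1, a remote WAN site on 10.50.1.0/24) are assumptions made for the example.

```python
"""
Added example (not from the thread): longest-prefix route lookup, showing why
a /8 interface mask "worked", what breaks when only the mask is corrected,
and what the separate network entry restores.

Assumed for the example: inside interface on 10.1.2.0/24, internal router
10.1.2.1, remote WAN sites in other 10.x.x.x subnets, ISP next hop 203.0.113.1.
"""
import ipaddress


def lookup(routes, dst):
    """Return the next hop for `dst` using longest-prefix match.

    `routes` is a list of (prefix, next_hop) strings.  On equal prefix lengths
    the route listed first wins, which is enough for this example.
    """
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


# Before: inside interface configured with mask 255.0.0.0.  Every 10.x.x.x
# address looks directly connected, so the firewall never needs a router
# route; it ARPs for remote hosts and depends on the internal router
# answering for them (proxy ARP).
BEFORE = [
    ("10.0.0.0/8", "connected:inside"),
    ("0.0.0.0/0", "via:203.0.113.1"),
]

# Mask corrected to /24 but nothing else changed: the other 10.x subnets now
# fall through to the default route and leave toward the ISP.
MASK_FIXED_ONLY = [
    ("10.1.2.0/24", "connected:inside"),
    ("0.0.0.0/0", "via:203.0.113.1"),
]

# Mask corrected plus the separate network entry the reply recommends: the
# local subnet still matches the connected /24 (longer prefix) and every
# other 10.x address goes to the internal router.
FIXED = [
    ("10.1.2.0/24", "connected:inside"),
    ("10.0.0.0/8", "via:10.1.2.1"),
    ("0.0.0.0/0", "via:203.0.113.1"),
]


def trace(dst):
    """Next hop for `dst` under BEFORE, MASK_FIXED_ONLY and FIXED, in that order."""
    return tuple(lookup(table, dst) for table in (BEFORE, MASK_FIXED_ONLY, FIXED))


if __name__ == "__main__":
    for host in ("10.50.1.1", "10.1.2.9", "198.51.100.7"):
        print(host, "->", trace(host))
```

The middle column is the failure mode in the original post: with the mask fixed but no 10.0.0.0/8 route, traffic for the remote WAN sites is sent to the ISP, which is exactly the kind of asymmetric path that produces a burst of SYN Defender messages. The third table fixes it without going back to the wrong mask.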
Currently using FW 4.0 on an NT 4.0 network.
Our ISP wants us to install our own DNS and use them as secondary.
My question is where the DNS should be: should it be on our firewall server
or on our internal network. We are using NAT.
I started receiving a TON of SYN Defender messages today, mostly originating from my
remote WAN sites to other web sites (all remote WAN sites route through us for
Internet access).
I made the following change: My firewall's subnet on the internal interface was
incorrect (255.0.0.0 vs. 255.2
We are having a problem with clients coming into our FTP server getting hung
on ftp sessions using any browser. We are running CheckPoint 4.0 SP7 on Sun
2.6 with the latest patches. After applying several of the ftp fixes, the
High Port TCP Services and FTP, the FTPPORT match solution and the
F
Hello Listers,
Can someone tell me which CA servers Check Point FireWall-1 supports?
All I could find from the configuration is Entrust.
Rgds
Junaid
To unsubscribe from this mailing list, please see t
Thanks for the input David, its a reasonable way of doing it, but I suppose
what I really wanted to know is...
Is there any way of getting in securely without modifying the guiclients
file?
If not then it is a real 'wish list' item for Check Point (do they respond
here?)
Paul
--
This is the way we do it using the Enterprise edition with the management console
using SSH on UNIX. In addition, this is the "quick and dirty" method. A more
elegant solution is to use PKI, LDAP, RADIUS, etc.
Install
1. Create a group that contains the userids that should be allowed to acces
Because the list would grow to be too long
-Original Message-
From: Reynolds, Tom [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 12, 2000 12:57 PM
To: 'Tom Sevy'; 'Dan Hitchcock'; 'Scott Becker'
Cc: FW-1 Mailing List (E-mail)
Subject: RE: [FW1] Ping of Death
If you know who
Before UDP encapsulation was available (SP2, SecuRemote 4165) we had tested
the DirecPC and found that it did not work with SecuRemote. I would be
interested to know if it now works with the SP2 UDP encapsulation technique.
Try upgrading both your firewall, and SecuRemote client, and let us all k
Greetings,
I need some information about Checkpoint FireWall-1 deployment
in an internetworking environment.
How does FireWall-1 work with switches and routers (for example:
Alcatel OmniSwitch/Router)?
I have a network with a FireWall-1 machine as internet security gateway.
And I want to use
If you know who the clients are, why use "any" when you could define their
IPs as an object and only allow that object to ICMP?
Thomas E. Reynolds
Pilgrim Baxter and Associates
Network Engineering
PHONE: 610-578-1581
[EMAIL PROTECTED]
-Original Message-
From: Tom Sevy [mailto:[EMAIL PR
enable one way ping.
> -Original Message-
> From: Tom Sevy [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 12, 2000 12:29 PM
> To: 'Dan Hitchcock'; 'Scott Becker'
> Cc: FW-1 Mailing List (E-mail)
> Subject: RE: [FW1] Ping of Death
>
> Unfortunately we have clients t
Has anyone found a way of running the GUI clients (policy/log/status) when
connected via SecuRemote?
The problem is with the 'cpconfig' setup and what to put in the 'GUI
Clients' without breaking security but not knowing what IP you're coming in
on.
Paul
---
Yes, it is possible to get the username from the firewall. You don't get it
forwarded but you can poll the FW-1 for this information.
But you have to do some programming.
You can use the UserAuthority API from the OPSEC SDK to get the user
information from the firewall.
I think there is a sample
Title: ATM-card on Solaris FW??
Hi,
has anyone set up a Solaris Firewall with an ATM card?
If so, how did it go, how does it work and which ATM card are you using?
With regards,
Arnor Arnason
Specialist - LAN / WAN
MS Electrical Engineer
E-mail:
I stand (or sit :) corrected! Thanks for the info, Steve. In fact, it
appears that Long ICMP gets dropped automatically in v3.0 or later - I
should've known that one. The service Steve mentions, however, is useful
for logging ping-of-death attempts.
On another note, another list member mentio
Got a really tricky one here.
I have a Firewall at HQ with three interfaces: LAN, DMZ and INTERNET.
A remote Firewall with LAN and INTERNET only.
I have successfully established a VPN between LANs.
However I want to establish a VPN between the remote LAN and the DMZ at HQ.
The
Unfortunately we have clients that insist on being able to ping our hosts
for status.
-Original Message-
From: Dan Hitchcock [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 12, 2000 11:51 AM
To: 'Scott Becker'
Cc: FW-1 Mailing List (E-mail)
Subject: RE: [FW1] Ping of Death
Why on e
Dude, it's a total piece of cake, check out the link
http://support.checkpoint.com/service/publisher.asp?id=55.0.4222079.2607206
If that doesn't work, it's in the public config docs section on the Check Point site.
just create a new service, other, define it as
for match put:
icmp, (ip_off&0x2000)
use what na
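The FW-1 match above keys on bit 0x2000 of the IP `ip_off` field, which is the "more fragments" (MF) flag, so the service matches ICMP packets that are non-final fragments. As an added example (not part of the post and not Check Point's code), the following Python parses a raw IPv4 header, reproduces that match, and also checks the condition that actually defines a Ping of Death: a fragment whose offset plus payload would push the reassembled datagram past 65535 bytes. The packets it runs on are constructed inline; addresses are placeholders.

```python
"""
Added example (not from the post): decode the IPv4 fragment fields that the
FW-1 match `icmp, (ip_off&0x2000)` tests, and check for an oversized
reassembly, which is the actual Ping of Death condition.
"""
import struct

IP_RF = 0x8000        # reserved flag
IP_DF = 0x4000        # don't fragment
IP_MF = 0x2000        # more fragments: the bit the FW-1 match looks at
IP_OFFMASK = 0x1FFF   # 13-bit fragment offset, in units of 8 bytes
IP_MAX_DATAGRAM = 65535
IPPROTO_ICMP = 1

_HDR = struct.Struct("!BBHHHBBH4s4s")   # fixed 20-byte IPv4 header


def parse_ipv4(pkt):
    """Return the fields needed for fragment checks from a raw IPv4 packet."""
    if len(pkt) < _HDR.size:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, ip_off,
     _ttl, proto, _csum, src, dst) = _HDR.unpack(pkt[:_HDR.size])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl:
        raise ValueError("bad header length")
    return {
        "ihl": ihl,
        "total_len": total_len,
        "ident": ident,
        "proto": proto,
        "mf": bool(ip_off & IP_MF),
        "offset": (ip_off & IP_OFFMASK) * 8,   # byte offset of this fragment's payload
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def fw1_long_icmp_match(pkt):
    """Python equivalent of the FW-1 match `icmp, (ip_off&0x2000)`: ICMP with MF set."""
    h = parse_ipv4(pkt)
    return h["proto"] == IPPROTO_ICMP and h["mf"]


def oversized_fragment(pkt):
    """True if this fragment would make the reassembled datagram exceed 65535 bytes."""
    h = parse_ipv4(pkt)
    payload_len = h["total_len"] - h["ihl"]
    return h["offset"] + payload_len > IP_MAX_DATAGRAM


def build_ipv4(proto, ip_off, payload_len, ident=0x1234):
    """Constructed test packet: minimal header plus a zeroed payload (checksum left at 0)."""
    hdr = _HDR.pack(0x45, 0, 20 + payload_len, ident, ip_off, 64, proto, 0,
                    bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + bytes(payload_len)


# Constructed samples: a normal 64-byte echo request, the first fragment of a
# large ICMP datagram, and a final fragment placed so far out that reassembly
# would exceed the 65535-byte limit (the Ping of Death shape).
NORMAL_PING = build_ipv4(IPPROTO_ICMP, 0, 56)
FIRST_FRAG = build_ipv4(IPPROTO_ICMP, IP_MF | 0, 1480)
LAST_FRAG = build_ipv4(IPPROTO_ICMP, 8189, 1480)        # offset 65512 + 1480 > 65535

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL_PING), ("first-frag", FIRST_FRAG), ("last-frag", LAST_FRAG)):
        print(name, "fw1-match:", fw1_long_icmp_match(pkt), "oversized:", oversized_fragment(pkt))
```

Two points worth noticing when you run it. The MF-based match fires on the leading fragments of any fragmented ICMP datagram, which is a usable log signal because a normal ping never needs fragmentation. But it cannot see the final fragment, which carries MF=0 and is the one that breaks the 65535-byte limit, so the offset-plus-length bound has to be enforced by whatever does reassembly, as later FW-1 versions do for long ICMP.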
When FW-1 prompts an internet user for a username and password, is it
possible to tell FW-1 to forward the username (maybe in http headers) to the
http server if the authentication is successful ??
Please answer yes, no or not likely, but I need an answer.
Thank you in advance.
Has anyone been able to get SecuRemote to work when using DirecPC?
We have one person here that has DirecPC at home, running Win/ME, we use 4.1
SP1 (sp2 soon) on Nokia.
Do not open the e-mail "[FW1] US PRESIDENT AND FBI SECRETS =PLEASE VISIT =>
(http://WWW.2600.CO M)<=".
It contains MEROUOQ.GIF.vbs.
Can somebody from this list find out who that joker is?
Than M Maung
Luckily I have remote ADMIN access to all my machines. I have a batch file
I run every so often that looks for these programs. I get a report of them
and remotely uninstall them.
Another option is to use something like Zenworks or SMS. Figure out where
the registry keys are created for these
Why on earth would you want to allow PING from ANY? If you must do this,
ping of death is one of the associated risks. The best you can do is make
sure the OS on all ping-able boxes has all the latest security patches
applied.
Dan Hitchcock
CCNA, MCSE
Network Engineer
Xylo, Inc. (formerly empl
Hello,
I would like to know if there is a way to convert a logviewer exported log
to ASCII.
I know I can convert the firewall log to ASCII, but I exported a log
using the logviewer and the same command does not work.
any help would be appreciated.
FW-1 4.1
NT 4.0
Danny
Hi all
We've had the same problem. The way we got around this was by either
creating a new hardware profile or removing the IP configuration wh
Hi
I have been tasked with connecting a second E1 connection to a spare
interface on an existing firewall; this circuit will be from the same ISP as
the existing line.
The circuit will be connected via a second router and will use a second IP
address. The circuits will not be acting as a single
I've seen this with various VPN products and in my case it's always been
the NIC; pop the NIC and that has always worked for me. Try doing
a traceroute on the laptop while at home and see which adapter it's using.
Dan Hitchcock wrote:
If the machine already has an address bound to any of its adapt
Does anyone know what the differences are between the new SecuRemote SP2 and the Windows
2000 native IPsec client?
I need to know the pros and cons.
The reason is we are trying to decide what type of client to use for a VPN
solution (Windows 2000 built-in IPsec client or Check Point's).
We currently have
Hi,
Since there seems to be more support for a discussion of FullCluster vs.
Rainwall, and more people have voiced interest than dissent, I wanted to clarify
some points made by Mr. Decker in response to our analysis. As the Check Point
mailing list is for OPSEC and other FireWall-1 related i
Firewalls sometimes offer "Management" a false sense of security. Years ago
I had a manager who thought his plain old misconfigured firewall would block
anything from coming into his network, including viruses, trojans and worms.
He didn't have a clue. :)
Thomas E. Reynolds
Pilgrim Baxter and
You can block Gnutella if you only permit proxy based services (security
servers) and possibly inspect based services through your firewall. If you
allow connections based only on a TCP port you have lost. If you don't have
an internal dns server, then have a look at the sp2 release notes for
set
Hi everybody!
I've got an irritating problem with my Nokia IPSO.
I can't get the sendmail command to work.
In Properties setup / Log and Alert, I've typed: /bin/mailx -s 'FireWall-1
Alert' [EMAIL PROTECTED]
It doesn't work!
When I try to send mail from the FW manually, with -V (verbose), I ty
Indeed. It is absolutely amazing how often we get e-mail viruses on
*firewall* mailing lists. Why would somebody bother to buy and install
an expensive firewall if they have e-mail software that executes every
piece of hostile code that comes in the mail?!? I mean, hello? Is anybody
ho
The Stealth rule is a rule protecting your firewall. Basically drop ANY
communications to the firewall's IP address.
the cleanup rule is just a "drop all" "any" "any". which will deny ANY
traffic if it does not meet a rule or property. This is a very necessary
rule in your rulebase because the f
http://www.isi.edu/in-notes/iana/assignments/protocol-numbers
Regards,
Stephen
-Original Message-
From: Ronnie Rosenthal [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 12, 2000 10:41 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: RE: [FW1] Re: Ace Server/F
The routing for this connection was handled by a default route, and I have
since put in a specific host route.
The route counter increases when this connection is used, so:
We know it decrypts
We know it routes
We know it doesn't translate
So does anyone know of a
Thanks for the replies.
I have always used stealth and cleanup rules and was just suffering from a
bout of temporary insanity when I posted my question.
-Original Message-
From: Andrew [mailto:[EMAIL PROTECTED]]
Sent: 12 October 2000 15:12
To: Murphy, Paul
Cc: [EMAIL PROTECTED]
Subject
See http://www.wittys.com/files/all-ip-numners.txt . At the bottom of
that document, I list all of the IP protocol numbers. For example, TCP
is IP protocol number 6, etc., etc.
IP Protocol 94 is IP in IP encapsulation (used by FWZ, I believe)
IP Protocol 50 is SIPP-ESP, SIPP Encap Security
Stealth rule hides the firewall from all systems and subnets not explicitly
allowed to talk directly to it.
Any FW DropLog
Rules to allow FW administration and routing protocols, and anything that by
its nature requires to talk directly to the firewall itself, should be
placed abo
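As an added example (not from the thread, and not Check Point's code), this Python models first-match rulebase evaluation and flags rules that an earlier rule shadows. It covers both the stealth/cleanup explanation earlier in the thread and the advice above on placing administration rules before the stealth rule. Object names (fw-gw, mgmt-host, www-dmz) and services are assumed, and the model ignores the implied rules that FireWall-1 evaluates from Properties ahead of the rulebase.

```python
"""
Added example (not from the thread): a first-match rulebase evaluator and a
shadowing check, used to show where the stealth and cleanup rules belong.

Object names (fw-gw, mgmt-host, www-dmz) and services are assumed.
"""
ANY = "any"
FW = "fw-gw"          # the firewall's own address object
MGMT = "mgmt-host"    # the admin workstation / management station
WWW = "www-dmz"

# A rule is (name, source, destination, service, action, log).
STEALTH   = ("stealth",   ANY,  FW,  ANY,    "drop",   True)
CLEANUP   = ("cleanup",   ANY,  ANY, ANY,    "drop",   True)
ADMIN_SSH = ("admin-ssh", MGMT, FW,  "ssh",  "accept", True)
WEB       = ("web",       ANY,  WWW, "http", "accept", False)


def first_match(rulebase, src, dst, svc):
    """FW-1 style evaluation: the first rule whose fields all match decides.

    Returns (rule name, action, logged).  Traffic no rule matches is dropped
    without a log entry, which is why a logging cleanup rule at the bottom
    is wanted.
    """
    for name, rsrc, rdst, rsvc, action, log in rulebase:
        if rsrc in (ANY, src) and rdst in (ANY, dst) and rsvc in (ANY, svc):
            return name, action, log
    return "implicit-drop", "drop", False


def _covers(outer, inner):
    """True if every packet matching `inner` would already match `outer`."""
    return all(o == ANY or o == i for o, i in zip(outer[1:4], inner[1:4]))


def shadowed(rulebase):
    """Names of rules that can never fire because an earlier rule covers them."""
    dead = []
    for i, rule in enumerate(rulebase):
        if any(_covers(earlier, rule) for earlier in rulebase[:i]):
            dead.append(rule[0])
    return dead


# Constructed orderings to compare.
STEALTH_TOO_HIGH = [STEALTH, ADMIN_SSH, WEB, CLEANUP]   # admin rule below stealth
RECOMMENDED      = [ADMIN_SSH, STEALTH, WEB, CLEANUP]   # admin above stealth, cleanup last
NO_CLEANUP       = [ADMIN_SSH, STEALTH, WEB]            # unmatched traffic dropped unlogged
CLEANUP_ON_TOP   = [CLEANUP, ADMIN_SSH, STEALTH, WEB]   # everything below is dead

if __name__ == "__main__":
    for label, rb in (("stealth-too-high", STEALTH_TOO_HIGH), ("recommended", RECOMMENDED),
                      ("no-cleanup", NO_CLEANUP), ("cleanup-on-top", CLEANUP_ON_TOP)):
        print(label, "admin ssh ->", first_match(rb, MGMT, FW, "ssh"),
              "shadowed:", shadowed(rb))
```

With the stealth rule above the administration rule, the admin SSH session is dropped and `shadowed()` reports `admin-ssh` as unreachable; swapping the two fixes it while every other host still hits the stealth rule. Without a cleanup rule the unmatched telnet attempt is still dropped, but silently, so the log never shows it. Putting the cleanup rule at the top, as suggested later in the thread, shadows every rule beneath it.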
Try putting a cleanup rule at the top of your rule list!
-Original Message-
From: Murphy, Paul [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 12, 2000 2:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [FW1] Stealth rule and LDAP question
Hold on, what is the difference between a stealth
So what does protocol values 94, 50 and 51 actually mean?
Thanks, Ronnie.
>From: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED], [EMAIL PROTECTED]
>Subject: RE: [FW1] Re: Ace Server/FW1 Question
>Date: Wed, 11 Oct 2000 21:27:23 -0500
>
>Am having the same problem and got this back from Checkpoint su
The message you sent contains a virus that has been removed by my antivirus;
please stop posting mail like this here!
> Francis THELLIER
>
>
> -Original Message-
> From: Örjan Sjöström [SMTP:[EMAIL PROTECTED]]
> Date: Thursday, 12 October 2000 13:48
> To: 'fw mailing list'
> Subject:
Hold on, what is the difference between a stealth rule and a cleanup rule?
Paul.
-Original Message-
From: Rodney Lacroix [mailto:[EMAIL PROTECTED]]
Sent: 12 October 2000 12:39
To: [EMAIL PROTECTED]
Subject: [FW1] Stealth rule and LDAP question
Question:
My firewall had never had a
When you create a site using SecuRemote, you point to the management module
to retrieve the topology. Does anyone know if there is an issue if the
management module is behind a NATed address (static, of course)?
Thanks in advance!
gg
group
are there any good resources on the web that explain in detail how to set up
a VPN between Firewall-1 and SecuRemote ie what options to select, what
objects to create...
many thanks
richard
My firewall has 3 interfaces - one external, one internal, and one for a DMZ where I
have two servers sitting.
In my log file, I continue to see requests from external hosts and internal hosts to
the DMZ interface (we are on a 10.x network, and the DMZ interface is 192.168.x). The
requests a
Hi World,
I have to install FWs in China and India.
Does anyone have any experience in China or India with
DES or 3DES encryption?
Or any other worthwhile experience in this context?
:-)
Thanks in advance
Peter
Things seem to be missing, for example in user properties I do not have an
encryption tab, any ideas?
Cheers
Richard
-Original Message-
From: Daniel Corod [mailto:[EMAIL PROTECTED]]
Sent: 12 October 2000 13:07
To: Thornton, Richard
Subject: Re: [FW1] Firewall-1 4.1 VPNs
You need stii
Hi,
I've just upgraded my licences from DES to 3DES and am now having problems
with SecureClient (Licences are all in place for both products)
Does anyone know if it's possible to use 3DES for site-to-site VPNs and
only DES to clients using SecureClient.
I can't see any option on the "client
I have asked this one before, to a deafening silence, but my problem still
exists and my vendor and Checkpoint don't seem to have many ideas.
There is a VPN between ourselves and a supplier, both running FW1 4.0 on
Sun, using DES3.
They are sending a print job to us. The packet arrives at the
VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURES..
** Virus Warning Message (on the network)
MEROUOQ.GIF.vbs is removed from here because it contains a virus.
*
Question:
My firewall had never had a stealth rule (I inherited it). I posted the other day
about where I should put it considering I had a VPN in place, and it was decided that
it should go under the authentication rules. Done.
Since doing so, my logs are showing that my LDAP server commun
Hi,
Since I upgraded to FW1 4.2 SP2, I am getting a lot of log entries from my
NT management station where packets are being blocked on port 42342 under
rule 0. Can anyone help me eliminate these messages? In fwui_head.def I have
already changed the following:
added -- #define ALLOW_NO
On Wed, Oct 11, 2000 at 07:42:33PM -0500, Rodrick Brown wrote:
:
:
: Sorry, but I'm still lost
:
: here is my setup
:
: [Internet]
: |
: [CheckPoint - Solaris FireWall Box]
: ||
: [WebServer 192.168.0.2] [DB Server 192.168.0.3]
: |___
Group
Our company purchased Firewall Internet Gateway/25 with DES what more do I
need to get to allow 100 SecuRemote clients to connect to it?
When I do a "fw ver" I get the following:
This is Checkpoint VPN-1 & Firewall-1 version 4.1 build 41490 VPN + DES
Thanks for your time
Many Thanks
R
Hi,
I hope this is an easy one and I'm just overlooking something.
I have a SecuRemote client configured and it can fetch the topology of
the encryption domain.
in my experimental rulebase I have two rules:
securemote-test@any   any   HTTP->CVP-Resource   client-encrypt
securemote-test@an
is this a securid question or a securemote question?... or both!
declan
Hi, does anyone know where to find the command line syntax to launch the
reporting client in a batch file ?
Pascal
Hi!
Could someone help me with a solution.
I have Checkpoint FW-1 3.0b.
I have 25 internal hosts allowed and I have 25 real hosts in my network.
How could I increase the number of hosts on my network or in my firewall
software?
Thanx
Hi
Is there a way to configure FW-1 ver 4.1 to pass
packets with IP options set?
Thanks, Naor.
please reply to [EMAIL PROTECTED]
Anyone,
For the past week and a half I have started to get the following two error
messages in the NT error log on a 5-minute regular basis.
As background, prior to the actual error messages:
CP FW-1 SP1, NT4 SP5, 348MB RAM, 2*9GB disks.
Win2K WS running Webtrends Firewall Suite v2.0b.
Rule
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
objects.C, when compiled and downloaded appears to be a file called
$FWDIR/state/local.objects
I haven't had a good look at the file, but that is my best guess. It
would appear that on the management module, a set of files is created
which is replic