[FW1] Something to watch out for
Here's one more thing to add to the list of stuff that one
might forget to check with FW-1. It made sense after I found it,
but I'm sending this assuming that other folks may miss this
just like I did.
I got an e-mail indicating that one of my firewalls was sending
a packet again and again to an external site. The address
on my end was one of my external NAT addresses. The packet
was destined for portmapper (UDP 111.)
So, the obvious thing to do was check my logs. I showed no such
packet going out. In fact, I showed nothing going to that
site at all. I check the previous day just in case. Nothing
there either. (I turn my logs over every night.)
So I write back that it didn't appear to be coming from me. They
wrote back to indicate they're still getting it, please stop it.
I check again, still nothing in the logs. They say they're
getting hundreds of these per minute. I'm starting to think
that someone is spoofing their packets, using one of my addresses
as a source for whatever reason.
So, I figure let's assume my logs are broken somehow, and
double check. So I run snoop on the external interface. I immediately
spot the offending packets.. lots of them.
Doh!
So, I give it some thought. I do a fwstop; fwstart. I check the
logs. One entry for the packets in question.
This confirmed what I was afraid of. If a "connection" is
established, be it TCP or UDP (for those who don't
know.. FW-1 imposes the concept of a session on
UDP traffic internally) that connection creates one
log entry. It doesn't matter how many packets go
through, it's still one log entry. It doesn't matter if that
connection goes on for days... it's still only one log entry..
as long as it doesn't stop for several minutes.
It makes perfect logical sense... it's just that the
implications aren't super clear.
So, the moral of the story is that if you have an internal
machine that goes nuts and sends the same packet
over and over again, and you're looking for it in your logs..
You're not looking for hundreds of log entries, you're
looking for one.. and you don't know how far back you
need to look.
Just something to file in the back of your head in
case it bites you someday.
Ryan
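The behaviour Ryan describes can be modelled to see why a packet flood leaves a single trace. The Python below is an added example, not code from the post or from Check Point: it collapses a constructed packet capture into session-style log entries using an idle timeout (the 300 s value stands in for the post's "several minutes" and is an assumption, not a documented FW-1 setting), then shows the review that does find the offender: sort entries by packet count and session duration rather than counting lines. The addresses and the 5-tuples in the sample trace are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet seen on the external interface (constructed sample data)."""
    ts: float        # seconds since start of capture
    proto: str       # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class SessionEntry:
    """One log line as a session-oriented firewall would emit it."""
    key: tuple
    first_seen: float
    last_seen: float
    packets: int = 1

    @property
    def duration(self) -> float:
        return self.last_seen - self.first_seen


def session_log(packets, idle_timeout=300.0):
    """Collapse a packet stream into per-session log entries.

    A new entry is written only when no packet for the same 5-tuple has been
    seen within idle_timeout seconds; every other packet just refreshes the
    open entry. The 300 s default is an assumption standing in for the post's
    "several minutes", not a documented FW-1 value.
    """
    open_sessions = {}
    entries = []
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        s = open_sessions.get(key)
        if s is None or p.ts - s.last_seen > idle_timeout:
            s = SessionEntry(key, p.ts, p.ts)
            open_sessions[key] = s
            entries.append(s)
        else:
            s.last_seen = p.ts
            s.packets += 1
    return entries


def suspicious_sessions(entries, min_packets=100, min_duration=600.0):
    """Flag entries a line-count review would miss: many packets or very long-lived."""
    return [e for e in entries
            if e.packets >= min_packets or e.duration >= min_duration]


def build_sample_trace():
    """Constructed capture: a 10-minute portmapper flood plus two ordinary DNS queries."""
    flood = [Packet(2.0 * i, "udp", "198.51.100.7", 40000, "203.0.113.9", 111)
             for i in range(300)]
    dns = [
        Packet(5.0, "udp", "198.51.100.7", 53001, "203.0.113.53", 53),
        # same 5-tuple an hour later: idle gap exceeds the timeout, so a new entry
        Packet(3605.0, "udp", "198.51.100.7", 53001, "203.0.113.53", 53),
    ]
    return flood + dns


if __name__ == "__main__":
    trace = build_sample_trace()
    entries = session_log(trace)
    print(f"{len(entries)} log entries for {len(trace)} packets")
    for e in suspicious_sessions(entries):
        print(f"session {e.key}: {e.packets} packets over {e.duration:.0f} s")
```

Running it shows 302 packets turning into 3 entries, with the portmapper flood present exactly once. The practical point for log review is that the entry's packet count and open duration, not the number of entries, carry the volume information, so a search for a chatty host should be sorted on those fields and should reach back at least as far as the session could have stayed open.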