Re: [FW1] Something to watch out for
I suppose Active Connections mode of Log Viewer might be helpful while
tracking the source of such complaints.
Hakan
At 23:54 21.04.1999 -0700, Ryan Russell wrote:
>
>Here's one more thing to add to the list of stuff that one
>might forget to check with FW-1. It made sense after I found it,
>but I'm sending this assuming that other folks may miss this
>just like I did.
>
>I got an e-mail indicating that one of my firewalls was sending
>a packet again and again to an external site. The address
>on my end was one of my external NAT addresses. The packet
>was destined for portmapper (UDP 111).
>
>So, the obvious thing to do was check my logs. I showed no such
>packet going out. In fact, I showed nothing going to that
>site at all. I check the previous day just in case. Nothing
>there either. (I turn my logs over every night.)
>
>So I write back that it didn't appear to be coming from me. They
>wrote back to indicate they're still getting it, please stop it.
>I check again, still nothing in the logs. They say they're
>getting hundreds of these per minute. I'm starting to think
>that someone is spoofing their packets, using one of my addresses
>as a source for whatever reason.
>
>So, I figure let's assume my logs are broken somehow, and
>double check. So I run snoop on the external interface. I immediately
>spot the offending packets.. lots of them.
>
>Doh!
>
>So, I give it some thought. I do a fwstop; fwstart. I check the
>logs. One entry for the packets in question.
>
>This confirmed what I was afraid of. If a "connection" is
>established, be it TCP or UDP (for those who don't
>know.. FW-1 imposes the concept of a session on
>UDP traffic internally) that connection creates one
>log entry. It doesn't matter how many packets go
>through, it's still one log entry. It doesn't matter if that
>connection goes on for days... it's still only one log entry..
>as long as it doesn't stop for several minutes.
>
>It makes perfect logical sense... it's just that the
>implications aren't super clear.
>
>So, the moral of the story is that if you have an internal
>machine that goes nuts and sends the same packet
>over and over again, and you're looking for it in your logs..
>You're not looking for hundreds of log entries, you're
>looking for one.. and you don't know how far back you
>need to look.
>
>Just something to file in the back of your head in
>case it bites you someday.
>
> Ryan
>
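The log-versus-wire mismatch Ryan describes, as an added example that is not part of the original thread: a session-oriented log records one entry per connection, so a runaway host shows up as hundreds of packets on the external interface but a single log line. The log and capture formats below are constructed simplifications, not real FW-1 Log Viewer or snoop output, and the flow key and ratio threshold are assumptions.

```python
# Added example: correlate per-session log entries with per-packet wire counts
# so that flows a session log underreports stand out. Formats are constructed.
from collections import Counter

# Constructed FW-1-style log: one line per session, never one per packet.
# Fields: date time src dst proto dport action
FW_LOG = """\
21Apr1999 09:12:01 10.1.1.5 192.0.2.10 udp 111 accept
21Apr1999 09:30:44 10.1.1.7 192.0.2.20 tcp 80 accept
21Apr1999 09:31:02 10.1.1.7 192.0.2.20 tcp 80 accept
"""

# Constructed capture summary from the external interface, one line per packet.
# Fields: src dst proto dport
WIRE = "\n".join(
    ["10.1.1.5 192.0.2.10 udp 111"] * 600  # runaway host: one session logged
    + ["10.1.1.7 192.0.2.20 tcp 80"] * 40  # ordinary traffic: two sessions logged
)

def parse_log(text):
    """Count log entries per flow (src, dst, proto, dport)."""
    counts = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        _date, _time, src, dst, proto, dport, _action = line.split()
        counts[(src, dst, proto, dport)] += 1
    return counts

def parse_wire(text):
    """Count packets per flow from the capture summary."""
    counts = Counter()
    for line in text.splitlines():
        if line.strip():
            counts[tuple(line.split())] += 1
    return counts

def underreported_flows(log_counts, wire_counts, ratio=100):
    """Flows with at least `ratio` packets per log entry, or seen on the wire
    but absent from the log (e.g. the session began before the log was rotated).
    Returns {flow: (packets_on_wire, log_entries)}."""
    findings = {}
    for flow, pkts in wire_counts.items():
        entries = log_counts.get(flow, 0)
        if entries == 0 or pkts / entries >= ratio:
            findings[flow] = (pkts, entries)
    return findings

if __name__ == "__main__":
    for flow, (pkts, entries) in underreported_flows(parse_log(FW_LOG), parse_wire(WIRE)).items():
        print(f"{flow}: {pkts} packets on the wire, {entries} log entries")
```

Run with a real capture summary and a real log export, the same comparison points at the host to look for, which the session log alone cannot, since the number of entries tells you nothing about the number of packets.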