Re: [FW1] Unexplained log entries
jvieira@dmr.com wrote:
>
> This weekend several ISPs started sending ICMP and UDP packets to my firewall
> and the machines on my DMZ. The logs showed that the packets were dropped.
> However, later log entries showed that the firewall itself was replying to ICMP
> and UDP packets to the same IP addresses that earlier were dropped. Now if the
> initial packets were dropped how did the FW know to reply to them? Since I have
> a rule that drops any packets originating from the FW the logs showed them as
> dropped. However, the logs also showed that the packets destined for the FW
> were dropped as well but obviously that wasn't the case otherwise the FW would be
> replying to them.

I've seen and documented this myself. Kinda weird. The firewall would
"claim" that it is dropping traffic from a specific external host and
then the next recorded sessions were a number of internal routers
responding to that system. Obviously the firewall was passing traffic
even though it claimed to be dropping it.

I posted the log to this and a few other lists to no avail. Since then
I've started adding additional filters to my client's border routers.
Seems to have "patched" the problem but I'm unaware of a true fix.

If you hear something, let me know.

Chris
--
**************************************
cbrenton@sover.net
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet