Re: [FW1] Unexplained log entries
I believe I have figured out a possible answer.
I removed the 'Accept Domain Name Queries' from rule0 (fw properties). Now the
default is that that option is selected and set to first. This means that any Domain
name queries will be processed before looking at the rule set. Now if you have
address resolution set on the FW log, this means that every time a new machine
tries to access your protected network the FW will try to resolve the ip address
to a Domain name. With the default setup the firewall will succeed and no log
entries will be made of the FW resolving the ip address. However, with my new
setting, the name query done by the firewall will have to pass through the rule
base first. Since there is a specific rule that disallows the FW from sending
out any packets of its own, the name query will be dropped and logged.
At least this is what I think is happening. If I'm right then there is no point
in having the log viewer try to resolve ip# to name.
Joe
Chris Brenton <cbrenton@sover.net> on 04/26/99 12:39:09 PM
Please respond to cbrenton@sover.net
To: Joseph Vieira/DMR/CA@DMR-CANADA
cc: fw-1-mailinglist@softwhisper.us.checkpoint.com
Subject: Re: [FW1] Unexplained log entries
jvieira@dmr.com wrote:
>
> This weekend several ISPs started sending icmp and udp packets to my firewall
> and the machines on my DMZ. The logs showed that the packets were dropped.
> However, later log entries showed that the firewall itself was replying to icmp
> and udp packets to the same ip addresses that earlier were dropped. Now if the
> initial packets were dropped how did the FW know to reply to them? Since I have
> a rule that drops any packets originating from the FW the logs showed them as
> dropped. However, the logs also showed that the packets destined for the FW
> were dropped as well but obviously that wasn't the case otherwise the FW would be
> replying to them.
I've seen and documented this myself. Kinda weird. The firewall would
"claim" that it is dropping traffic from a specific external host and
then the next recorded sessions were a number of internal routers
responding to that system. Obviously the firewall was passing traffic
even though it claimed to be dropping it.
I posted the log to this and a few other lists to no avail. Since then
I've started adding additional filters to my client's border routers.
Seems to have "patched" the problem but I'm unaware of a true fix.
If you hear something, let me know.
Chris
--
**************************************
cbrenton@sover.net
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
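Joe's explanation at the top of this message, turned into a log check (added example, not code from the thread or from Check Point): it separates drops of the firewall's own UDP/53 queries that closely follow the first sighting of a new external host, which is the log-viewer reverse lookup Joe describes, from other drops. The log format, the firewall and resolver addresses and the sample lines are all constructed for this example.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "t action src dst proto dport")
FW_IP = "192.0.2.1"       # assumed external address of the firewall
RESOLVER = "192.0.2.53"   # assumed upstream DNS server the firewall queries
WINDOW = 5                # seconds between first sighting of a host and its reverse lookup

def parse(line):
    # constructed format: "<epoch> <action> <src> <dst> <proto> <dport>"
    t, action, src, dst, proto, dport = line.split()
    return Entry(int(t), action, src, dst, proto, int(dport))

def classify(lines):
    """Return (noise, real): drops that look like the firewall resolving a newly
    seen external host, paired with those hosts, and every other dropped entry."""
    entries = sorted((parse(l) for l in lines), key=lambda e: e.t)
    first_seen = {}          # external source -> time it first showed up in a drop
    noise, real = [], []
    for e in entries:
        if e.action != "drop":
            continue
        if e.src == FW_IP and e.proto == "udp" and e.dport == 53 and e.dst == RESOLVER:
            # The rule that blocks firewall-originated packets has dropped a DNS
            # query; if a new external host appeared just before, that query is
            # the log viewer's reverse lookup rather than an attack indicator.
            recent = [s for s, t0 in first_seen.items() if 0 <= e.t - t0 <= WINDOW]
            if recent:
                noise.append((e, recent))
                continue
        if e.src != FW_IP:
            first_seen.setdefault(e.src, e.t)
        real.append(e)
    return noise, real

SAMPLE = [  # constructed log lines
    "1000 drop 203.0.113.7 192.0.2.1 icmp 0",      # new external host probes the FW
    "1001 accept 198.51.100.20 192.0.2.10 tcp 80",  # accepted traffic is ignored
    "1002 drop 192.0.2.1 192.0.2.53 udp 53",        # FW's own lookup, dropped by rule
    "1050 drop 203.0.113.7 192.0.2.10 udp 161",     # same host again, already resolved
    "1051 drop 192.0.2.1 192.0.2.53 udp 53",        # FW query with no new host: keep
    "1300 drop 192.0.2.1 198.51.100.9 udp 53",      # not to our resolver: keep
]

if __name__ == "__main__":
    noise, real = classify(SAMPLE)
    for e, hosts in noise:
        print(f"t={e.t}: firewall DNS query dropped, likely resolving {hosts}")
    print(f"{len(real)} other drops remain for review")
```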