Eugene,
I am not an FW-1 expert, but I think the hosts in the file fw.hosts are counted when
they originate from the internal interface which you set up in your FW-1 config.
So I would advise making some Object of all your internal IP addresses and
making a decent anti-spoof rule so other IP addresses are blocked and not
counted as internal IP addresses.
The IP range 169.254.x.x is an auto-configure IP address range. Computers
sometimes get these IP addresses when they can't get an IP address from
a DHCP server that has to be in your network somewhere (MS uses this).
Blocking this IP range is something I always do because it's not a range
where legitimate traffic can come from, especially when it originates from the
internet (correct me if I am wrong).
There are a lot more ranges where you can ask yourself if this traffic
is legitimate.
I have seen DDoS attacks from IP ranges that can be questioned. Either they
are spoofed IP addresses (nmap can do this for you) or they have hosts that are
owned by the attackers as attack hosts, but they caused a system to crash.
There is also a nice vulnerability to DoS your FW-1 4.1 SP1 (and SP2 too,
as far as I know) if they allow a limited amount of internal hosts. People
can DoS your FW-1 by generating a lot of traffic from (fake) internal IP
addresses (let's say you have a limit of allowed internal hosts). FW-1 keeps
some kind of buffer, and if this is filled up FW-1 can crash. I think SP3
should solve this problem (or at least make it a bit more difficult to get
the DoS working).
After a good audit it may even turn out that you have to purchase a license
that allows more internal hosts. It all depends on your network design.
Hope this helped somewhat...
Regards,
Brenno
> -----Original Message-----
> From: Eugene Borukhovich [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday 22 May 2001 17:43
> To: [EMAIL PROTECTED]
> Subject: licensing issue
>
> I was hoping someone can help me out. I have a Nokia IP330 running
> Checkpoint 4.1 SP1 (licensed for 100 users). Recently we started running
> into an issue of licensing with the following messages in
> /var/log/messages:
>
> May 21 15:37:39 corpfw [LOG_CRIT] kernel: FW-1: too many internal hosts
> (185) detected (followed by a list of IP addresses)
>
> Last week I had to bounce the firewall because no incoming requests were
> allowed in until the fw.hosts file was cleared. The first question I have
> is: Does the firewall stop forwarding incoming packets once the licensing
> is breached and how long does it take for that to start happening?
>
> The second question is this: I have maybe about 90 hosts (including
> servers, switches etc...) so technically I should be OK. But as I realized
> looking at the list of IPs, I am getting a bunch of 169.254.x.x addresses
> and also AOL addresses as well as 10.x.x.x (which we get assigned when we
> VPN into our production network using the Bay Extranet Client). Is there any
> way that we can prevent the firewall from counting those IPs as internal?
>
> Thanks for any help
> --------------------------------------------
> Eugene Borukhovich
> Systems
> V:212-401-3879
> E-Mail:[EMAIL PROTECTED]
> --------------------------------------------
>
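As an added example (not part of either message in this thread, and not Check Point's own tooling), the script below takes the kind of /var/log/messages lines Eugene quotes and sorts the listed addresses into those that fall inside your declared internal network objects (the Object Brenno suggests creating) and those that should never count: link-local 169.254.x.x, VPN-assigned 10.x.x.x, and anything else that shows up on the inside interface. The two internal ranges, the VPN range and the layout of the address list that follows the "too many internal hosts" line are assumptions; the sample log is constructed.

```python
import ipaddress
import re

# Assumed internal address objects: placeholders standing in for the network
# objects the firewall admin defines in the FW-1 config. Real values are site-specific.
INTERNAL_NETS = [
    ipaddress.ip_network("192.168.10.0/24"),
    ipaddress.ip_network("192.168.20.0/24"),
]
# 169.254.0.0/16 is the auto-configure (link-local) range discussed in the thread.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# Assumed: the range the Bay Extranet Client hands out when users VPN in.
VPN_NET = ipaddress.ip_network("10.0.0.0/8")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
COUNT_RE = re.compile(r"too many internal hosts \((\d+)\) detected")

# Constructed sample modelled on the quoted log entry. The layout of the address
# list after the first line is an assumption; 203.0.113.8 stands in for a public host.
SAMPLE_LOG = """\
May 21 15:37:39 corpfw [LOG_CRIT] kernel: FW-1: too many internal hosts (6) detected
May 21 15:37:39 corpfw [LOG_CRIT] kernel: FW-1: 192.168.10.15 192.168.20.7 169.254.3.44
May 21 15:37:39 corpfw [LOG_CRIT] kernel: FW-1: 10.4.2.9 203.0.113.8 192.168.10.16
"""


def parse_host_log(text):
    """Return (declared_count, addresses) from FW-1 'too many internal hosts' lines."""
    declared = None
    addresses = []
    for line in text.splitlines():
        m = COUNT_RE.search(line)
        if m:
            declared = int(m.group(1))
            continue  # the count line carries no host addresses
        for token in IPV4_RE.findall(line):
            try:
                addresses.append(ipaddress.ip_address(token))
            except ValueError:
                pass  # malformed octet (e.g. 999.1.1.1): skip rather than crash
    return declared, addresses


def classify(ip):
    """Bucket an address by whether it should count against the internal-host licence."""
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    if ip in LINK_LOCAL:
        return "link-local"    # host that failed DHCP and self-assigned; not a real LAN node
    if ip in VPN_NET:
        return "vpn-assigned"  # handed out by the VPN client, not part of the LAN objects
    return "external"          # anything else seen on the inside interface is suspect


def audit(text):
    """Summarise which logged hosts legitimately count and which point at spoofing or misconfig."""
    declared, addresses = parse_host_log(text)
    summary = {"internal": 0, "link-local": 0, "vpn-assigned": 0, "external": 0}
    suspect = []
    for ip in addresses:
        bucket = classify(ip)
        summary[bucket] += 1
        if bucket != "internal":
            suspect.append(str(ip))
    return {"declared": declared, "seen": len(addresses),
            "summary": summary, "suspect": suspect}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print(f"firewall reported {report['declared']} hosts, parsed {report['seen']}")
    for bucket, n in report["summary"].items():
        print(f"  {bucket:13s} {n}")
    print("should not count as internal:", ", ".join(report["suspect"]))
```

Anything landing in the "external" bucket arrived on the inside interface with a source address outside your declared objects, which is exactly the traffic the anti-spoof rule Brenno describes is meant to drop; the "link-local" count tells you how many machines are failing DHCP and padding the licence count without being usable hosts.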
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]