In message <[EMAIL PROTECTED]>, "Eliyah Lovkoff" writes:
Eliyah,
First I'm going to make an assumption that you're talking about FW-1. And
then I'll also say that I haven't played with that beast for almost 2
years now.
>As long as I understand, reasons for dropping packets on rule 0 are:
>1. Connections established before policy was loaded
>2. Connections established before fw was loaded.
The IP stack running in the OS should take care of connections
established before fw is loaded.
Once fw is loaded, it denies all attempts to initiate any connection
before the policy is loaded. It's been quite some time since I last
played with any firewall that would log connections before it loaded
policy.
>3. Connections which were inactive longer than the timeout specified in policy
> properties.
These are rejected by the last rule -- the implicit deny all.
>I implemented some setup (alerts+rule) that allows me not to log those scanning
>attempts, thus preventing my log from being flooded.
>BUT: some port-scanning attacks are dropped on rule 0 and that I cannot
>explain......
>None of the reasons mentioned above look good enough to explain why those
>attacks are dropped by rule 0. If anyone has some info, please share it.
Sounds like you've set the IP Options Drop Track to log all the inbound
packets with IP options set?
Also, it is worth pointing out that implicit rules in FW-1 are a Bad
Thing for many reasons, one of them being you can't log most of the packets
that hit rule 0 and are accepted.
The other one (the most important one) is that they leave a hole the size of
Texas in your firewall rules.
Cheers,
Saso
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
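An added example, not code from the thread or from Check Point: a small triage script that sorts rule-0 drops into the reasons discussed above (pre-policy traffic, idle-timeout state loss, IP-options logging) and flags whatever is left as unexplained. The key=value log format, the field names, the sample lines and the policy-load timestamp are all constructed for this example; real FW-1 logs look different.

```python
"""Triage of rule-0 drops in firewall logs (constructed format, not real FW-1 output)."""
from collections import Counter

# Constructed sample log lines: semicolon-separated key=value fields.
SAMPLE_LOG = """\
time=1000;action=drop;rule=0;proto=tcp;src=203.0.113.5;dst=192.0.2.10;dport=80;flags=ACK;ipopts=no
time=1001;action=drop;rule=0;proto=tcp;src=203.0.113.6;dst=192.0.2.10;dport=22;flags=SYN;ipopts=yes
time=1002;action=drop;rule=0;proto=tcp;src=203.0.113.7;dst=192.0.2.10;dport=443;flags=SYN;ipopts=no
time=1003;action=drop;rule=12;proto=tcp;src=203.0.113.8;dst=192.0.2.10;dport=23;flags=SYN;ipopts=no
time=1004;action=accept;rule=0;proto=udp;src=192.0.2.10;dst=198.51.100.1;dport=53;flags=-;ipopts=no
time=1005;action=drop;rule=0;proto=tcp;src=203.0.113.9;dst=192.0.2.10;dport=80;flags=ACK;ipopts=no
"""

# Constructed: the time at which the security policy finished loading.
POLICY_LOADED_AT = 1002


def parse_line(line):
    """Turn one key=value;key=value record into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split(";"))


def classify_rule0_drop(rec, policy_loaded_at=POLICY_LOADED_AT):
    """Map a rule-0 drop to one of the explanations raised in the thread."""
    if rec["ipopts"] == "yes":
        return "ip_options"          # logged because IP Options Drop Track is on
    if int(rec["time"]) < policy_loaded_at:
        return "pre_policy"          # attempt made before the policy was loaded
    if rec["proto"] == "tcp" and "SYN" not in rec["flags"].split(","):
        return "stale_connection"    # mid-stream packet with no state: idle timeout
    return "unexplained"             # the case the original poster is asking about


def triage(log_text, policy_loaded_at=POLICY_LOADED_AT):
    """Count rule-0 drops per reason; also count rule-0 accepts, which are
    normally invisible because implicit-rule accepts are not logged."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["rule"] != "0":
            continue
        if rec["action"] == "drop":
            counts[classify_rule0_drop(rec, policy_loaded_at)] += 1
        elif rec["action"] == "accept":
            counts["rule0_accept"] += 1
    return dict(counts)


if __name__ == "__main__":
    for reason, n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{reason:17s} {n}")
```

Anything landing in the "unexplained" bucket is what still needs investigation; the other buckets are the benign explanations from the thread.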