Hello Ilya,

IA> 1 On the Management Module, open the file $FWDIR/lib/fwui_head.def
IA> 2 Uncomment the line:
IA> /*#define ALLOW_NON_SYN_RULEBASE_MATCH */

I would not recommend doing that, because, tell me if I'm wrong, but
apart from the state table entry that gets added, it looks like
putting all protocols in "fast mode".
Also, all services behind the firewall become vulnerable
to ACK flood (stream.c, ...)

Well, to put it short: suicide. (So was fastmode anyway.)

I was shocked to read how crappy the stateful inspection in 4.0 was,
and I do think the way 4.1 SP2 works is finally the way it should.
Except for UDP, which still needs some SERIOUS rethinking; hell, their
entire security model on UDP relies on the fact that "your hosts should
never send a packet spontaneously to a bad guy"! How lousy.

Anyway. Responses coming after the timeframe (3600sec by default)
should be dropped, non-SYN packets as well. I don't care about the
shitload of lines that get dropped. It is unwanted traffic for me.

OTOH, I would uncomment the line about ICMP violation, as with the default
config the firewall doesn't even add a single log line if you're under
a massive "pingflood" (smurf) attack or stuff like that.
(smurf: echo replies you never asked for, that is.)

Smurf will come back in the air for another couple of months
since netscan updated their DB.
FW1 needs some serious tweaking before going live in any serious
environment. It's powerful but still comes with questionable default
config.
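To make the objection above concrete, here is an added toy model of a TCP state table (example code, not from this thread or from Check Point): a strict inspector that only creates state on a rulebase-matched SYN and expires entries after the 3600 s idle timeout, next to the "non-SYN rulebase match" behaviour, where a bare ACK from anywhere that matches a rule also creates state. The web server address, the rulebase and the packet trace are constructed for the example.

```python
from typing import NamedTuple
TCP_TIMEOUT = 3600  # idle timeout quoted in the thread, in seconds
WEB = "10.0.0.80"   # constructed address of the protected web server
class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool      # True for a connection-opening SYN, False for any other segment
    ts: float      # arrival time in seconds
def rulebase_allows(pkt: Packet) -> bool:
    """Hypothetical rulebase: only inbound HTTP to the web server is permitted."""
    return pkt.dst == WEB and pkt.dport == 80

class Inspector:
    def __init__(self, allow_non_syn_match: bool = False):
        self.allow_non_syn_match = allow_non_syn_match  # the #define under discussion
        self.table = {}              # (src, sport, dst, dport) -> last-seen timestamp
        self.dropped_non_syn = 0     # what a defender would log and alert on

    def handle(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        last = self.table.get(key)
        if last is not None and pkt.ts - last <= TCP_TIMEOUT:
            self.table[key] = pkt.ts     # known connection, still live: refresh and pass
            return "ACCEPT"
        self.table.pop(key, None)        # any entry left here has timed out
        if pkt.syn:                      # new connection: the rulebase decides
            if rulebase_allows(pkt):
                self.table[key] = pkt.ts
                return "ACCEPT"
            return "DROP"
        # Non-SYN segment with no state. Strict mode drops it; with the
        # non-SYN rulebase match enabled, a bare ACK from anywhere creates state.
        if self.allow_non_syn_match and rulebase_allows(pkt):
            self.table[key] = pkt.ts
            return "ACCEPT"
        self.dropped_non_syn += 1
        return "DROP"

def demo(allow_non_syn_match: bool):
    """Run a constructed packet trace; returns (verdicts, dropped count, table size)."""
    insp = Inspector(allow_non_syn_match)
    pkts = [Packet("198.51.100.5", 40000, WEB, 80, True, 0.0),     # SYN opens a session
            Packet("198.51.100.5", 40000, WEB, 80, False, 10.0),   # in-session ACK
            Packet("203.0.113.9", 51111, WEB, 80, False, 20.0),    # bare ACK, no session
            Packet("198.51.100.5", 40000, WEB, 80, False, 5000.0)] # ACK after the 3600 s timeout
    verdicts = [insp.handle(p) for p in pkts]
    return verdicts, insp.dropped_non_syn, len(insp.table)
```

In strict mode the bare ACK and the late ACK are both dropped and counted, which is the log line the post wants; with non-SYN matching enabled both are accepted and each one leaves a state entry behind.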
================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================