Title: RE: Re[2]: [FW1] unkown established TCP packet

Quite a little rant there..

It seems that you are in a unique situation there. I would have a much easier job if I could just let the firewall drop packets and not worry about if they were actually something we wanted back in...

We had this exact issue after moving to SP2. Packets that were needed to keep processes alive were getting dropped, so we had clients who felt their production applications were broken.

It turned out that uncommenting the line resolved this issue for us. I agree that it is a security issue, but since we didn't have that protection before, it was a no-brainer.

If the dropped packets are not causing your customers noticeable problems, keep the protection. Every decision you make about your security is this way. Thanks for your input!

        Joe




Title: Re[2]: [FW1] unkown established TCP packet

Hello Ilya,

IA> 1 On the Management Module, open the file $FWDIR/lib/fwui_head.def
IA> 2 Uncomment the line:
IA> /*#define ALLOW_NON_SYN_RULEBASE_MATCH */

I would not recommend doing that, because (tell me if I'm wrong) apart
from the state table entry that gets added, it looks like putting all
protocols in "fast mode".
Also, all services behind the firewall become vulnerable
to ACK floods (stream.c, ...).

Well, to put it short: suicide. (So was fastmode anyway.)

I was shocked to read how crappy the stateful inspection in 4.0 was,
and I do think the way 4.1 SP2 works is finally the way it should.
Except for UDP, which still needs some SERIOUS rethinking; hell, their
entire security model on UDP relies on the fact that "your hosts should
never send a packet spontaneously to a bad guy"! How lousy.

Anyway. Responses coming after the timeframe (3600 sec by default)
should be dropped, non-SYN packets as well. I don't care about the
shitload of lines that get dropped. It is unwanted traffic for me.

OTOH, I would uncomment the line about ICMP violation, as with the default
config the firewall doesn't even add a single log line if you're under
a massive "pingflood" (smurf) attack or stuff like that.
(smurf: echo replies you never asked for, that is.)

Smurf will come back in the air for another couple of months
since netscan updated their DB.



FW1 needs some serious tweaking before going live in any serious
environment. It's powerful but still comes with a questionable default
config.




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
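To make the trade-off in the two messages concrete, here is a toy stateful-inspection model written for this page. It is an added example, not Check Point code, and it only reproduces the behaviour the thread describes: an accepted SYN creates a state-table entry, later packets of that connection match the table rather than the rulebase, entries expire after an idle timeout (3600 s by default, as stated above), a non-SYN TCP packet with no entry is dropped unless the ALLOW_NON_SYN_RULEBASE_MATCH behaviour is enabled (in which case it falls through to the rulebase), and an ICMP echo reply with no outstanding echo request is dropped and logged. The Packet and Rule shapes, the addresses and the packet sequence are all constructed for the example; what the real FW-1 define does beyond what the posters describe is not modelled.

```python
"""Toy stateful-inspection model of the ALLOW_NON_SYN_RULEBASE_MATCH trade-off.

Added example, not Check Point code. All addresses and packets are constructed.
"""
from dataclasses import dataclass

DEFAULT_TIMEOUT = 3600  # idle timeout in seconds, as quoted in the thread


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp" or "icmp"
    flags: str = ""     # TCP flags, e.g. "S", "SA", "A", "PA"
    icmp_type: int = -1 # 8 = echo request, 0 = echo reply
    ts: float = 0.0     # arrival time in seconds


@dataclass(frozen=True)
class Rule:
    src: str            # "*" = any
    dst: str            # "*" = any
    dport: int          # 0 = any
    action: str         # "accept" or "drop"


class Firewall:
    def __init__(self, rules, allow_non_syn_rulebase_match=False, timeout=DEFAULT_TIMEOUT):
        self.rules = rules
        self.allow_non_syn = allow_non_syn_rulebase_match  # the uncommented define
        self.timeout = timeout
        self.table = {}   # 5-tuple -> last time seen
        self.log = []

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rkey(p):
        # same connection seen from the other direction
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _rulebase(self, p):
        for r in self.rules:
            if r.src in ("*", p.src) and r.dst in ("*", p.dst) and r.dport in (0, p.dport):
                return r.action
        return "drop"  # implicit cleanup rule

    def _expire(self, now):
        self.table = {k: t for k, t in self.table.items() if now - t <= self.timeout}

    def _new_via_rulebase(self, p):
        verdict = self._rulebase(p)
        if verdict == "accept":
            self.table[self._key(p)] = p.ts
        return verdict

    def handle(self, p):
        self._expire(p.ts)
        k, rk = self._key(p), self._rkey(p)
        if k in self.table or rk in self.table:          # known connection: refresh, accept
            self.table[k if k in self.table else rk] = p.ts
            return "accept"
        if p.proto == "tcp":
            if "S" in p.flags and "A" not in p.flags:    # pure SYN opens a connection
                return self._new_via_rulebase(p)
            if self.allow_non_syn:
                # The dangerous path: a stray ACK (flood, or a late reply after the idle
                # timeout) is matched against the rulebase and may be accepted.
                return self._new_via_rulebase(p)
            self.log.append(f"drop non-SYN TCP without state {p.src}:{p.sport}->{p.dst}:{p.dport}")
            return "drop"
        if p.proto == "icmp":
            if p.icmp_type == 8:                          # echo request opens an entry
                return self._new_via_rulebase(p)
            if p.icmp_type == 0:                          # reply nobody asked for (smurf)
                self.log.append(f"ICMP violation: unsolicited echo reply from {p.src}")
                return "drop"
        return "drop"


def scenario(allow_non_syn):
    """Run one constructed packet sequence; return (verdicts, log)."""
    rules = [Rule("10.0.0.5", "*", 0, "accept"),     # inside host may go anywhere
             Rule("*", "10.0.0.5", 80, "accept")]    # anyone may reach the inside web server
    fw = Firewall(rules, allow_non_syn_rulebase_match=allow_non_syn)
    pkts = [
        Packet("198.51.100.7", 51000, "10.0.0.5", 80, "tcp", "S", ts=0),     # handshake
        Packet("10.0.0.5", 80, "198.51.100.7", 51000, "tcp", "SA", ts=1),
        Packet("198.51.100.7", 51000, "10.0.0.5", 80, "tcp", "A", ts=2),
        Packet("198.51.100.7", 51000, "10.0.0.5", 80, "tcp", "PA", ts=4000), # data after idle timeout
        Packet("203.0.113.9", 1234, "10.0.0.5", 80, "tcp", "A", ts=4001),    # stray ACK (flood)
        Packet("10.0.0.5", 0, "198.51.100.7", 0, "icmp", icmp_type=8, ts=4002),  # our ping
        Packet("198.51.100.7", 0, "10.0.0.5", 0, "icmp", icmp_type=0, ts=4003),  # its reply
        Packet("203.0.113.9", 0, "10.0.0.5", 0, "icmp", icmp_type=0, ts=4004),   # unsolicited reply
    ]
    return [fw.handle(p) for p in pkts], fw.log


if __name__ == "__main__":
    for mode in (False, True):
        verdicts, log = scenario(mode)
        print("ALLOW_NON_SYN_RULEBASE_MATCH =", mode, verdicts, log)
```

With the define left commented out, the packet that arrives after the idle timeout is dropped (Joe's "broken application" symptom) and so is the attacker's stray ACK; with it uncommented both are accepted because the rulebase allows anything to port 80, which is the ACK-flood exposure the second message warns about. The unsolicited echo reply is dropped either way, and the model logs it, which is the logging the poster wants enabled.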


