Ilya --

Ilya Akinfiev wrote:

> I believe this could be accomplished by Reject'ing the 'ident' service from
> certain destinations, rather than Drop'ping it...

Well, there is a subtle difference here... A "reject" is by definition an ICMP
port_unreachable message... more like a "UDP virtual session reset" if you want
to think of it that way.  I was more hoping to find a tcp reset (as it is part
of 1 tcp conversation and is logged as such)... also if the other auth/ident
server has a firewall itself it may not be accepting ICMP.

Also, sending only to hosts that have an established tcp session would be really
cool :-).

Thanks,
John

>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of John Hovell
> Sent: Tuesday, August 29, 2000 10:31 PM
> To: [EMAIL PROTECTED]
> Subject: [FW1] Ident/auth reset (RST) for Checkpoint?
>
> Hello all --
>
> I was browsing the web on mail archives and such; and came across
> this... Does anyone know how this works... how to implement this?
>
> At 07:29 5/08/98 -0700, blast wrote:
> >On Wed, 5 Aug 1998, Udo Willke wrote:
> >it would be very nice to have a feature by which
> >you could send back a RST when denying a packet.   This of course would be a
> >keyword specified in coordination with some deny rule.  If you really want
> >to get tricky, you can allow me to specify which idents I want to RST close
> >based on some previous Layer4 session that invoked the ident. :-)
> >This way, the issue of latency caused by a hanging IDENT request would be
> >RST'ed closed as if the ident service was not available and the host's kernel
> >just sent you back the RST. (Checkpoint's Firewall-1 allows you to specify
> >a RST when denying certain packets by use of a keyword)  Again, very useful
> >when a protocol is hanging and you just want to RST the darn thing away.
>
> I don't know exactly what this guy is talking about... Anyone have any
> idea exactly how to go about this (if possible)?  I am running
> Checkpoint 4.1 SP2.
>
> Thanks!
>
> Cheers,
> - John
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
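
What the reset discussed in this thread looks like on the wire, as an added example that is not part of the original messages or of FireWall-1: it builds the RST|ACK segment that a host with no ident listener returns for a SYN to port 113, following the RFC 793 reset rules. The addresses, ports and sequence number are constructed sample values, and the helper names are hypothetical.

```python
import socket
import struct

TCP_HDR = "!HHIIBBHHH"  # sport, dport, seq, ack, data offset, flags, window, checksum, urgent
SYN, RST, ACK = 0x02, 0x04, 0x10

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))

def tcp_header(src_ip, dst_ip, sport, dport, seq, ack, flags) -> bytes:
    """Build a 20-byte TCP header (no options, no payload) with a valid checksum."""
    fields = [sport, dport, seq, ack, 5 << 4, flags, 0, 0, 0]
    fields[7] = checksum(pseudo_header(src_ip, dst_ip, 20) + struct.pack(TCP_HDR, *fields))
    return struct.pack(TCP_HDR, *fields)

def rst_for_syn(syn: bytes, syn_src_ip: str, syn_dst_ip: str) -> bytes:
    """Reset for a SYN to a closed port, per RFC 793: SEQ=0, ACK=SYN.seq+1, RST|ACK."""
    sport, dport, seq, _ack, _off, flags, *_ = struct.unpack(TCP_HDR, syn[:20])
    if flags & (SYN | ACK | RST) != SYN:
        raise ValueError("not an initial SYN")
    # The reply travels the other way, so addresses and ports are swapped.
    return tcp_header(syn_dst_ip, syn_src_ip, dport, sport,
                      0, (seq + 1) & 0xFFFFFFFF, RST | ACK)

# Constructed sample: a server at 192.0.2.25 opens an ident lookup to 198.51.100.7:113.
SAMPLE_SYN = tcp_header("192.0.2.25", "198.51.100.7", 40113, 113, 0x1000, 0, SYN)
SAMPLE_RST = rst_for_syn(SAMPLE_SYN, "192.0.2.25", "198.51.100.7")

if __name__ == "__main__":
    print(SAMPLE_RST.hex())
```

Because the reset is an ordinary TCP segment on the same four-tuple as the SYN, the ident client sees an immediate "connection refused" instead of waiting for a timeout.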


