Dear John,

Your definition of the action "reject" is incorrect:

In the case of ident the definition of "reject" is NOT to send an
ICMP port unreachable but instead an IP packet with the original
target's IP address and with the RST flag set in its TCP header.
This is because ident is TCP based. Then - by definition - CP FW-1
sends out TCP resets. Not so in the case of UDP traffic. Since UDP is
connectionless, FW-1 sends out ICMP port unreachable messages to the
sender. In the case of any other protocol it behaves as if the action was
"drop" instead of "reject".

Ref: Check Point VPN-1/FireWall-1 Administration Guide page 272

Hans


At 23:30 29.08.00 -0700, John Hovell wrote:

>Ilya --
>
>Ilya Akinfiev wrote:
>
> > I believe this could be accomplished by Reject'ing the 'ident' service from
> > certain destinations, rather than Drop'ping it...
>
>Well, there is a subtle difference here... A "reject" is by definition an ICMP
>port_unreachable message... more like a "UDP virtual session reset" if you want
>to think of it that way.  I was more hoping to find a tcp reset (as it is part
>of 1 tcp conversation and is logged as such)... also if the other auth/ident
>server has a firewall itself it may not be accepting ICMP.
>
>Also, sending only to hosts that have an established tcp session would be really
>cool :-).
>
>Thanks,
>John
>
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of John
> > Hovell
> > Sent: Tuesday, August 29, 2000 10:31 PM
> > To: [EMAIL PROTECTED]
> > Subject: [FW1] Ident/auth reset (RST) for Checkpoint?
> >
> > Hello all --
> >
> > I was browsing the web on mail archives and such; and came across
> > this... Does anyone know how this works... how to implement this?
> >
> > At 07:29 5/08/98 -0700, blast wrote:
> > >On Wed, 5 Aug 1998, Udo Willke wrote:
> > >it would be very nice to have a feature by which
> > >you could send back a RST when denying a packet.   This of course would be a
> > >keyword specified in coordination with some deny rule.  If you really want
> > >to get tricky, you can allow me to specify which idents I want to RST close
> > >based on some previous Layer4 session that invoked the ident. :-)
> > >This way, the issue of latency caused by a hanging IDENT request would be
> > >RST'ed closed as if the ident service was not available and the host's kernel
> > >just sent you back the RST. (Checkpoint's Firewall-1 allows you to specify
> > >a RST when denying certain packets by use of a keyword)  Again, very useful
> > >when a protocol is hanging and you just want to RST the darn thing away.
> >
> > I don't know exactly what this guy is talking about... Anyone have any
> > idea exactly how to go about this (if possible)?  I am running
> > Checkpoint 4.1 SP2.
> >
> > Thanks!
> >
> > Cheers,
> > - John
> >
> > ================================================================================
> >      To unsubscribe from this mailing list, please see the instructions at
> >                http://www.checkpoint.com/services/mailing.html
> > ================================================================================
>
>
>



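To make the per-protocol behaviour Hans describes concrete, here is a small Python model of a "reject" rule. This is example code written for this archive page, not Check Point's code: for TCP it answers with a RST carrying the original target's address as source, for UDP it answers with an ICMP destination unreachable / port unreachable (type 3, code 3) that quotes the offending IP header and the first eight bytes of the datagram, and for every other protocol it answers nothing, i.e. it degrades to "drop". The sample packets, the RFC 5737 documentation addresses, the IPv4-without-options layout and the RST sequence-number rules (taken from RFC 793, not from the thread) are all assumptions of the example.

```python
"""Model of a firewall "reject" action as described in the thread (added example,
not Check Point code):
  TCP   -> TCP RST sent back to the sender with the original target's address
  UDP   -> ICMP Destination Unreachable, code 3 (port unreachable)
  other -> nothing, i.e. "reject" degrades to "drop"
Assumptions: IPv4 only, no IP options, constructed RFC 5737 sample addresses."""
import ipaddress
import struct

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
TH_FIN, TH_SYN, TH_RST, TH_ACK = 0x01, 0x02, 0x04, 0x10
ICMP_UNREACH, ICMP_UNREACH_PORT = 3, 3


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src: str, dst: str, proto: int, length: int) -> bytes:
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!BBH", 0, proto, length))


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def tcp_segment(src, dst, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 0, 0, 0)
    csum = inet_checksum(pseudo_header(src, dst, IPPROTO_TCP, 20 + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def udp_datagram(src, dst, sport, dport, payload=b"") -> bytes:
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = inet_checksum(pseudo_header(src, dst, IPPROTO_UDP, 8 + len(payload)) + hdr + payload) or 0xFFFF
    return hdr[:6] + struct.pack("!H", csum) + payload


def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "ihl": ihl, "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)), "l4": pkt[ihl:total_len]}


def reject_response(pkt: bytes):
    """Return the packet a 'reject' rule answers PKT with, or None for a silent drop."""
    ip = parse_ipv4(pkt)
    l4 = ip["l4"]
    if ip["proto"] == IPPROTO_TCP:
        sport, dport, seq, ack, offs, flags = struct.unpack("!HHIIBB", l4[:14])
        if flags & TH_RST:
            return None                      # RFC 793: a RST is never answered with a RST
        seglen = len(l4) - (offs >> 4) * 4 + bool(flags & TH_SYN) + bool(flags & TH_FIN)
        if flags & TH_ACK:                   # RST takes the peer's ACK number as its SEQ
            rst = tcp_segment(ip["dst"], ip["src"], dport, sport, ack, 0, TH_RST)
        else:                                # no ACK (e.g. a bare SYN): SEQ=0, ACK=SEQ+SEG.LEN
            rst = tcp_segment(ip["dst"], ip["src"], dport, sport, 0,
                              (seq + seglen) & 0xFFFFFFFF, TH_RST | TH_ACK)
        return ipv4_header(ip["dst"], ip["src"], IPPROTO_TCP, len(rst)) + rst
    if ip["proto"] == IPPROTO_UDP:
        # ICMP unreachable quotes the offending IP header plus the first 8 bytes of the datagram
        icmp = struct.pack("!BBHI", ICMP_UNREACH, ICMP_UNREACH_PORT, 0, 0) + pkt[: ip["ihl"] + 8]
        icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
        return ipv4_header(ip["dst"], ip["src"], IPPROTO_ICMP, len(icmp)) + icmp
    return None                              # anything else: behaves exactly like "drop"


def describe(resp) -> str:
    """Human-readable summary of what the sender would receive."""
    if resp is None:
        return "drop"
    ip = parse_ipv4(resp)
    if ip["proto"] == IPPROTO_TCP:
        sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", ip["l4"][:14])
        return "tcp-rst%s %s:%d->%s:%d seq=%d ack=%d" % (
            "+ack" if flags & TH_ACK else "", ip["src"], sport, ip["dst"], dport, seq, ack)
    if ip["proto"] == IPPROTO_ICMP:
        return "icmp type=%d code=%d %s->%s" % (ip["l4"][0], ip["l4"][1], ip["src"], ip["dst"])
    return "proto %d" % ip["proto"]


# Constructed sample traffic: an ident (TCP/113) SYN, a UDP probe, and a GRE packet.
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
IDENT_SYN = ipv4_header(CLIENT, SERVER, IPPROTO_TCP, 20) + tcp_segment(
    CLIENT, SERVER, 40000, 113, 1000, 0, TH_SYN)
UDP_PROBE = ipv4_header(CLIENT, SERVER, IPPROTO_UDP, 12) + udp_datagram(
    CLIENT, SERVER, 5000, 5060, b"ping")
GRE_PKT = ipv4_header(CLIENT, SERVER, 47, 4) + b"\x00\x00\x08\x00"

if __name__ == "__main__":
    for name, pkt in (("ident SYN", IDENT_SYN), ("UDP probe", UDP_PROBE), ("GRE", GRE_PKT)):
        print("%-10s reject -> %s" % (name, describe(reject_response(pkt))))
```

Running it shows the three outcomes side by side: the ident SYN is answered with a RST+ACK that appears to come from 198.51.100.5:113, which makes the requesting mail or IRC server give up immediately instead of waiting for its ident timeout; the UDP probe gets an ICMP port unreachable; the GRE packet gets nothing. The RST also sidesteps John's concern about a remote firewall that does not accept ICMP, since it is part of the TCP conversation itself.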