Re: [FW1] unknown established tcp packets...
Carl,

I have set my TCP session timeout to 900 s in order to reduce the chances of a DoS attack. We have users who connect to a system protected by the firewall either via Internet or private leased lines (terrestrial or VSAT). What I can tell is that the firewall became more sensitive to those connections where there is a high degree of packet loss. So you might experience this problem, too. I have to admit that I am pretty bothered by the number of dropped packets because of this.

Cristian

"Carl E. Mankinen" wrote:
>
> If you follow Ilya's link to security portal, you will see a thread that
> pretty much exactly describes what I am seeing. I suspect this is a problem
> in SP2. (or perhaps some default is a bit too sensitive)
>
> My TCP session timeout is quite high in my opinion, and I suspect that the
> firewall is much more sensitive to delays in TCP sessions now. Seems like
> enough people are seeing the same symptoms as I am.
>
> I don't think it's part of any kind of scan because I have IDS running and
> it's pretty obvious when people are even using an nmap stealth scan. It
> looks more like parts of valid conversations based on the src/dest and
> services.
>
> I am about to heat up an Internet connection via this firewall for a Fortune
> 500 company and there will be something around 600 users actually using this
> firewall. I *really* don't want to start seeing sessions getting dropped all
> over the place.
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]On Behalf Of
> Craig Skelton
> Sent: Saturday, September 30, 2000 9:53 PM
> To: Carl E. Mankinen; Cristian Nicolae
> Cc: [email protected]
> Subject: RE: [FW1] unknown established tcp packets...
>
> Send us a sample.. probably a scan of sorts. Maybe some os fingerprinting.
> High numbers over long periods would definitely concern me. Valid source
> address? NT firewall?
>
> > -----Original Message-----
> > From: [email protected]
> > [mailto:[email protected]]On Behalf Of Carl
> > E. Mankinen
> > Sent: Saturday, September 30, 2000 2:19 PM
> > To: Cristian Nicolae
> > Cc: [email protected]
> > Subject: RE: [FW1] unknown established tcp packets...
> >
> > Yeah, I know that these are because there is no state table entry for the
> > TCP session, and I know how to make these dropped packet messages go into
> > the bit bucket, but that was not really what I was asking....
> >
> > I was more interested if having a high number of these is normal or a
> > symptom of a problem.
> >
> > -----Original Message-----
> > From: root [mailto:root]On Behalf Of Cristian Nicolae
> > Sent: Saturday, September 30, 2000 5:22 PM
> > To: Carl E. Mankinen
> > Cc: [email protected]
> > Subject: Re: [FW1] unknown established tcp packets...
> >
> > Carl,
> > Have a look at
> > http://www.phoneboy.com/fw1/faq/0408.html on this problem
> > Cristian
> >
> > "Carl E. Mankinen" wrote:
> > >
> > > I have been noticing since I upgraded to 4.1 SP2 that my logs are getting
> > > a lot more of these rule 0 drops than I had ever seen before.
> > > From what I understand, this happens because the firewall is receiving a
> > > TCP packet with the established bit set and it has no session information
> > > in its state tables to verify that this is a valid conversation.
> > >
> > > Is this something that just happens a lot with TCP conversations and
> > > nothing to be concerned about, or is this a symptom of some problem which
> > > I should pay closer attention to? The packets which are causing the rule 0
> > > drop are invariably arriving at the outside interface.
> > >
> > > I know I can prevent this from being logged, but I would rather make sure
> > > that I am not covering up a problem before I do this. My interfaces on all
> > > my routers look really clean, and the setting on the firewall properties
> > > for TCP session timeouts is set for 30 minutes.
> > >
> > > Could this be a problem with my fw dropping its state table entries?
> > >
> > > ================================================================================
> > > To unsubscribe from this mailing list, please see the instructions at
> > > http://www.checkpoint.com/services/mailing.html
> > > ================================================================================
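Added example, not part of the thread and not FireWall-1's own code: a simplified Python model of a connection table with an idle timeout, showing how a segment from a session that both endpoints still consider live is dropped as an unknown established packet once its entry has aged out. The class, addresses and timings are constructed for illustration; 900 s and 1800 s are the two timeouts mentioned in the thread.

```python
# Simplified model of a stateful filter's TCP connection table (added example;
# not Check Point's implementation). Times are seconds on a constructed clock.

class StateTable:
    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.entries = {}          # canonical endpoint pair -> time last seen

    @staticmethod
    def _key(src, sport, dst, dport):
        # Both directions of a connection map to the same entry.
        return tuple(sorted([(src, sport), (dst, dport)]))

    def handle(self, now, src, sport, dst, dport, flags):
        """Return 'accept' or a drop reason for one TCP segment."""
        key = self._key(src, sport, dst, dport)
        last_seen = self.entries.get(key)
        if last_seen is not None and now - last_seen > self.idle_timeout:
            del self.entries[key]  # entry aged out while the session was idle
            last_seen = None
        if last_seen is None:
            if flags == {"SYN"}:   # only a bare SYN may create state
                self.entries[key] = now
                return "accept"
            return "drop: unknown established TCP packet"
        self.entries[key] = now    # any matching segment refreshes the timer
        return "accept"


def replay(idle_timeout, idle_gap):
    """Open a session, stay silent for idle_gap seconds, then send data."""
    fw = StateTable(idle_timeout)
    client, server = ("192.0.2.10", 40000), ("198.51.100.5", 23)
    return [
        fw.handle(0, *client, *server, {"SYN"}),
        fw.handle(1, *server, *client, {"SYN", "ACK"}),
        fw.handle(2, *client, *server, {"ACK"}),
        # The outside host answers after a long silence; the segment carries
        # ACK, so without a table entry it cannot be matched to a session.
        fw.handle(2 + idle_gap, *server, *client, {"ACK", "PSH"}),
    ]


if __name__ == "__main__":
    for timeout in (900, 1800):    # the two timeouts mentioned in the thread
        print(timeout, replay(timeout, idle_gap=1200)[-1])
```
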