Firewall-1

Re: [FW-1] drops on rule 995 for port 135?

Subject: Re: [FW-1] drops on rule 995 for port 135?
From: Martin Benuska <martin.benuska AT GMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Thu, 21 Apr 2005 09:43:58 +0200

Hello,

Rule number 995 means that you had a bind/alter-context request with more
than one UUID in it.
We don't allow it by default as it has been used in some attacks,
but there is an inspect flag that allows it (and keeps the security).

In $FWDIR/lib/dcerpc.def there is a flag

#define NO_ENFORCE_CNTX_NUM 0

That should be changed to

#define NO_ENFORCE_CNTX_NUM 1 

Regards.


On 4/20/05, Covington, Chris <ccovington AT plusone DOT com> wrote:
> 
> Hi all,
> 
> I've been killing myself researching an Active Directory replication
> problem and it turns out that FW-1 is the culprit:
> 
> Number: 7770
> Date: 20Apr2005
> Time: 13:43:18
> Product: VPN-1 & FireWall-1
> Interface: eth1
> Origin: fw1 (x.x.x.x)
> Type: Alert
> Action: Reject
> Protocol: tcp
> Service: 135
> Source: zor (10.20.6.3)
> Destination: saturn.plusone.com (10.0.2.5)
> Rule: 995
> Source Port: 2853
> 
> Does anyone know how to allow this traffic to pass? What is rule 995
> anyway?
> 
> thanks
> ---
> Chris Covington
> IT
> Plus One Health Management
> 75 Maiden Lane Suite 801
> NY, NY 10038
> 646-312-6269
> http://www.plusoneactive.com
> 
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>
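
To make the condition described in the reply concrete (a bind/alter-context request carrying more than one UUID), here is an added Python example, not part of the original thread and not Check Point's INSPECT code, that parses the presentation context list of a connection-oriented DCE/RPC bind PDU and lists the interface UUIDs it offers. The function names, the `OTHER` placeholder UUID and the sample PDUs are constructed for illustration, and treating "more than one context element" as the rule 995 condition is an assumption based only on the wording above.

```python
import struct
import uuid

BIND, ALTER_CONTEXT = 11, 14  # PTYPE values in the connection-oriented DCE/RPC header
NDR = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax
EPM = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")  # endpoint mapper interface
OTHER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed placeholder


def context_uuids(pdu: bytes) -> list:
    """Abstract-syntax (interface) UUIDs offered by a bind/alter-context PDU."""
    if len(pdu) < 28 or pdu[0] != 5:
        raise ValueError("not a connection-oriented DCE/RPC PDU")
    if pdu[2] not in (BIND, ALTER_CONTEXT):
        return []
    little = bool(pdu[4] & 0x10)  # integer byte order from the data representation
    n_ctx, off, found = pdu[24], 28, []  # n_context_elem follows the 8 bytes of bind fields
    for _ in range(n_ctx):
        if off + 24 > len(pdu):
            raise ValueError("truncated presentation context list")
        _ctx_id, n_xfer = struct.unpack_from("<HBx" if little else ">HBx", pdu, off)
        raw = pdu[off + 4:off + 20]
        found.append(uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw))
        off += 24 + 20 * n_xfer  # element header + abstract syntax + transfer syntaxes
    return found


def multi_context(pdu: bytes) -> bool:
    """Assumed approximation of the rule 995 condition: more than one context element."""
    return len(context_uuids(pdu)) > 1


def build_bind(ifaces, ptype=BIND) -> bytes:
    """Constructed little-endian sample PDU offering one context element per interface."""
    body = struct.pack("<HHIBxxx", 4280, 4280, 0, len(ifaces))
    for ctx_id, iface in enumerate(ifaces):
        body += struct.pack("<HBx", ctx_id, 1) + iface.bytes_le + struct.pack("<HH", 1, 0)
        body += NDR.bytes_le + struct.pack("<I", 2)
    header = struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00",
                         16 + len(body), 0, 1)
    return header + body


if __name__ == "__main__":
    for label, pdu in (("single", build_bind([EPM])), ("double", build_bind([EPM, OTHER]))):
        print(label, [str(u) for u in context_uuids(pdu)], "multi:", multi_context(pdu))
```

Running a parser like this over a capture of the rejected connection shows which interfaces the client requested in one bind, which is worth knowing before relaxing `NO_ENFORCE_CNTX_NUM`.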
