Firewall-1

Re: [FW-1] R: [FW-1] Inverted Connections

Subject: Re: [FW-1] R: [FW-1] Inverted Connections
From: Charalambos Klitiropoulos <klitiro AT GMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 27 Jul 2005 00:53:51 +0300
Disabling stateful inspection will convert an (expensive) stateful firewall 
into a plain packet filtering firewall. Could there be a case of 
asynchronous routing (where incoming packets take a different route than 
outgoing)? Maybe a high availability configuration with non-working 
synchronization? Please note that I have seen drops like that in the past 
(confirmed without asynchronous routing), but every case was in a large 
installation and the percentage of dropped connections was far too low to be 
a real problem for the users.

On 7/26/05, Lorenzo <satana AT libero DOT it> wrote:
> 
> Yes. It's seen as out of state... Obviously if I disable the check on
> stateful TCP packets the connection works...
> 
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On behalf of
> Charalambos Klitiropoulos
> Sent: Monday, 25 July 2005 21:31
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] Inverted Connections
> 
> Hello,
> 
> is there any information in the information column? There can be cases
> where FW-1 will drop a connection because of an invalid TCP packet or
> because of a SmartDefense setting. Even if that connection was originated
> by HOST1, but SERVER1 sent a packet that FW-1 does not consider to be
> correct, the drop log entry will show that source was SERVER1 and
> destination was HOST1. But in every such case you should see some comment
> in the information column that explains why FW-1 dropped that packet.
> 
> On 7/25/05, Lorenzo <satana AT libero DOT it> wrote:
> >
> > Hi guys
> > Has anybody had the same problem?
> > Basically, I'm expecting a connection from HOST1 to SERVER1 on TCP
> > port, let's say, 6000. This happens, but sometimes I see on the
> > tracker that there are some connections from SERVER1 to HOST1, with a
> > "random" destination port and 6000 as source port.
> >
> > I'm wondering if this could be a CheckPoint problem....
> >
> > Thanx in advance
> >
> > Lorenzo
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages, send an email to
> > LISTSERV AT amadeus.us.checkpoint DOT com
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list, please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your subscription options,
> > email fw-1-owner AT ts.checkpoint DOT com
> > =================================================
> >
> 

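The pattern discussed in this thread (drops logged as SERVER1:6000 to HOST1 on a "random" port) can be triaged by matching each drop against accepted connections in the opposite direction. The following is an added example, not part of the original messages; the CSV column layout, the sample rows and the function names are assumptions and do not reproduce FW-1's native log format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in a hypothetical CSV export layout, in chronological order.
SAMPLE_LOG = """\
time,action,src,sport,dst,dport,info
10:00:01,accept,HOST1,40001,SERVER1,6000,
10:00:05,accept,HOST1,40002,SERVER1,6000,
11:05:09,drop,SERVER1,6000,HOST1,40001,out of state
11:06:00,drop,SERVER1,6000,HOST1,45555,out of state
11:07:00,drop,HOST9,51000,SERVER1,23,
"""

def classify_drops(log_text, service_ports=frozenset({6000})):
    """Sort drop entries by how they relate to connections this gateway accepted."""
    accepted = set()            # (src, sport, dst, dport) of accepted connections
    result = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        flow = (row["src"], int(row["sport"]), row["dst"], int(row["dport"]))
        if row["action"] == "accept":
            accepted.add(flow)
        elif row["action"] == "drop":
            reverse = (flow[2], flow[3], flow[0], flow[1])
            if reverse in accepted:
                # Server reply to a connection this gateway accepted earlier:
                # the state entry was gone when the packet arrived.
                result["reply_of_accepted"].append(row)
            elif flow[1] in service_ports:
                # Looks like a server reply, but no matching accept in this log.
                # Consistent with the forward path crossing another gateway or
                # cluster member, or with the accept falling outside the log window.
                result["reply_unmatched"].append(row)
            else:
                result["other"].append(row)
    return result, accepted

def affected_ratio(log_text):
    """Fraction of accepted connections that later had a reply packet dropped."""
    result, accepted = classify_drops(log_text)
    hit = {(r["dst"], int(r["dport"]), r["src"], int(r["sport"]))
           for r in result["reply_of_accepted"]}
    return len(hit) / len(accepted) if accepted else 0.0

if __name__ == "__main__":
    groups, _ = classify_drops(SAMPLE_LOG)
    for name, rows in groups.items():
        print(name, [(r["time"], r["info"]) for r in rows])
    print("affected ratio:", affected_ratio(SAMPLE_LOG))
```
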