Subject: [FW-1] R: [FW-1] R: [FW-1] Inverted Connections
From: Lorenzo <satana AT LIBERO DOT IT>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Thu, 28 Jul 2005 12:29:49 +0200
Yep I know, the actual configuration is really absurd (I mean I'm paying
lotsa money to have kinda kernel 2.2 linux firewall)... This is, as you
guessed, a big installation and, yes, there's an async routing (I mean the
"returning" connections pass thru a different interface). In your opinion,
how can I check if the synchronization is working correctly? (I'm using Nokia
with VRRP and, as far as I know, the nodes switch correctly from one to
another. CP is configured with VRRP and there's a sync net with a
heartbeat interface. The only difference in my config from Nokia's suggested
one is that the two IP appliances are linked via a crossed cable instead of
a switch).

Thanx in advance

Lorenzo

-----Original message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On behalf of
Charalambos Klitiropoulos
Sent: Tuesday, 26 July 2005 23:54
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] R: [FW-1] Inverted Connections

Disabling stateful inspection will convert an (expensive) stateful firewall
into a plain packet filtering firewall. Could there be a case of
asynchronous routing (where incoming packets take a different route than
outgoing)? Maybe a high availability configuration with non-working
synchronization? Please note that I have seen drops like that in the past
(confirmed without asynchronous routing), but every case was in a large
installation and the percentage of dropped connections was far too low to be
a real problem for the users.

On 7/26/05, Lorenzo <satana AT libero DOT it> wrote:
> 
> Yes. It's seen as out of state... Obviously if I disable the check on 
> stateful TCP packets the connection works...
> 
> -----Original message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On behalf of
> Charalambos Klitiropoulos
> Sent: Monday, 25 July 2005 21:31
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] Inverted Connections
> 
> Hello,
> 
> is there any information in the information column? There can be cases
> where FW-1 will drop a connection because of an invalid TCP packet or
> because of a SmartDefense setting. Even if that connection was
> originated by HOST1, but SERVER1 sent a packet that FW-1 does not
> consider to be correct, the drop log entry will show that source was
> SERVER1 and destination was HOST1. But in every such case you should
> see some comment in the information column that explains why FW-1
> dropped that packet.
> 
> On 7/25/05, Lorenzo <satana AT libero DOT it> wrote:
> >
> > Hi guys
> > Has anybody had the same problem?
> > Basically, I'm expecting a connection from HOST1 to SERVER1 on TCP
> > port, let's say, 6000. This happens, but sometimes I see on the
> > tracker that there are some connections from SERVER1 to HOST1, with
> > a "random" destination port and 6000 as source port.
> >
> > I'm wondering if this could be a CheckPoint problem....
> >
> > Thanx in advance
> >
> > Lorenzo
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages, send an email to 
> > LISTSERV AT amadeus.us.checkpoint DOT com
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list, please see the instructions 
> > at http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your subscription 
> > options, email fw-1-owner AT ts.checkpoint DOT com 
> > =================================================
> >
> 

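The symptom in this thread (drop entries that show SERVER1 as source with the service port, HOST1 as destination with an ephemeral port, and a reason text in the information column) can be triaged mechanically before anyone touches the stateful inspection settings. The script below is an added example written for this page, not code from the thread's participants or from Check Point. It assumes the allowed service port is 6000 as in Lorenzo's description, and it reads a constructed, simplified key=value log layout rather than the real SmartView Tracker export format; the sample lines are made up for the example.

```python
"""Triage of firewall drop logs for 'inverted' connections: a SERVER -> HOST
packet whose source port is the allowed service port and whose destination
port is ephemeral, i.e. a reply that the stateful engine no longer matches to
a connection table entry. The log lines below are constructed for this
example in a simplified key=value layout, not the real FW-1 tracker export."""

import re
from collections import Counter

# Ports the rulebase allows HOST -> SERVER (assumption for this example).
SERVICE_PORTS = {6000}
EPHEMERAL_MIN = 1024

# Constructed sample: two allowed HOST -> SERVER connections, two reversed
# drops carrying the engine's reason text, and one unrelated policy drop.
SAMPLE_LOG = """\
action=accept src=10.1.1.10 dst=10.2.2.20 proto=tcp sport=40123 dport=6000 info=
action=drop src=10.2.2.20 dst=10.1.1.10 proto=tcp sport=6000 dport=40123 info=TCP packet out of state
action=drop src=10.2.2.20 dst=10.1.1.10 proto=tcp sport=6000 dport=40124 info=TCP packet out of state
action=drop src=10.3.3.30 dst=10.2.2.20 proto=tcp sport=51000 dport=23 info=
action=accept src=10.1.1.11 dst=10.2.2.20 proto=tcp sport=40200 dport=6000 info=
"""

# key=value pairs; the last value (info) may contain spaces or be empty.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_line(line):
    """Split one key=value log line into a dict (values may be empty)."""
    return dict(FIELD_RE.findall(line))


def classify(entry):
    """Return the reasons this drop looks like a reversed reply, or [] if not."""
    if entry.get("action") != "drop" or entry.get("proto") != "tcp":
        return []
    reasons = []
    sport, dport = int(entry["sport"]), int(entry["dport"])
    # A service port as *source* with an ephemeral *destination* is the
    # reply direction of a connection the engine has lost track of.
    if sport in SERVICE_PORTS and dport >= EPHEMERAL_MIN:
        reasons.append("service-port-as-source")
    # The information column is the engine's own explanation; corroborate it.
    if "out of state" in entry.get("info", "").lower():
        reasons.append("engine-reports-out-of-state")
    return reasons


def analyse(log_text):
    """Collect reversed drops, group them per (server, host) pair and
    compare their count with accepted connections."""
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    inverted = [(e, classify(e)) for e in entries if classify(e)]
    # Group by (server, host) so one broken flow is not mistaken for many.
    by_pair = Counter((e["src"], e["dst"]) for e, _ in inverted)
    accepted = sum(1 for e in entries if e.get("action") == "accept")
    total = len(inverted) + accepted
    ratio = len(inverted) / total if total else 0.0
    return {"inverted": inverted, "by_pair": by_pair,
            "accepted": accepted, "ratio": ratio}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for entry, reasons in result["inverted"]:
        print(f"{entry['src']}:{entry['sport']} -> "
              f"{entry['dst']}:{entry['dport']}  {', '.join(reasons)}")
    print("per (server, host):", dict(result["by_pair"]))
    print(f"reversed drops vs accepted connections: {result['ratio']:.0%}")
```

The ratio is the figure Charalambos's reply turns on: a handful of such drops in a large installation is tolerable noise, whereas a high share, concentrated on one (server, host) pair and always on the interface the return path uses, points at asymmetric routing or a cluster member that never received the connection table entry. Either way the information column, not the reversed source/destination, is what says why the engine dropped the packet.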