Sounds to me like whatever host you are trying to connect to at
171.10.1.1 wants to initiate traffic. It sees your initial attempt,
accepts that, then, due to the application, initiates a whole new
session. Appears to be similar to a 3rd party site to site VPN I needed
to set up a few years back which also required both an inbound and
outbound rule. I know the traffic is http/https, but I'm guessing you
can get to other http/https sites without a problem. It has to be this
host that is the problem.
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of fico gid
Sent: Sunday, March 04, 2007 8:34 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] why do i need returning rules???
Hi there,
I'm using NGX R61, a single gateway, and this is a new setup.
I have installed the rule as below:
src=10.0.0.1 , dst=171.10.1.1 svc=http/https allow
When I install the rule above, the source can't communicate with the
destination and I see drops stating the packet is dropped because "TCP
packet out of state. First packet isnt SYN tcp_flags:SYN-ACK."
So what I did was, I disabled the "Drop TCP out of packet" option in
Stateful Inspection and installed the rule again.
This time I didn't get the above error; instead the traffic is being
dropped by the cleanup rule:
Next I did a returning rule as below:
src=171.10.1.1 , dst=10.0.0.1 svc=any allow
Now once I installed this, the communication works.
Has anyone experienced this before? I know this sounds silly but it's
happening right now in front of me.. Unless I have missed something.
Please help as I'm running out of time.
regards
Fico.
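The behaviour described in both messages above comes down to how a stateful filter decides whether a packet belongs to an existing connection. The following is an added illustration, not Check Point code and not the poster's actual configuration: a small Python model of a stateful packet filter replaying the poster's rule (10.0.0.1 -> 171.10.1.1, http/https) against a constructed packet trace. The addresses and rules are taken from the thread; the source ports, the application port 8443 and the wording of the log reasons are made up for the demo. It shows that return packets of an accepted connection need no rule (they match the state table), that a SYN-ACK with no prior SYN is an "out of state" drop, and that a new session initiated by the far host hits the cleanup rule until an inbound rule exists, which is the reply's explanation for why the returning rule was needed.

```python
"""Toy stateful packet filter (added example; not Check Point code)."""
from dataclasses import dataclass

FLAG_ORDER = ("SYN", "ACK", "FIN", "RST")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset


@dataclass(frozen=True)
class Rule:
    src: str        # "any" or one address
    dst: str
    dports: tuple   # allowed destination ports; () means any service
    action: str     # "accept" or "drop"


def _match(value, want):
    return want == "any" or value == want


def _flag_str(flags):
    return "-".join(f for f in FLAG_ORDER if f in flags)


class StatefulFilter:
    def __init__(self, rules, drop_out_of_state=True):
        self.rules = list(rules)
        self.drop_out_of_state = drop_out_of_state  # the "drop TCP out of state" option
        self.conns = set()   # (src, sport, dst, dport) of accepted connections
        self.log = []

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        return (p.dst, p.dport, p.src, p.sport)

    def _rulebase(self, p):
        # First matching rule wins; an implicit cleanup rule drops the rest.
        for n, r in enumerate(self.rules, 1):
            if (_match(p.src, r.src) and _match(p.dst, r.dst)
                    and (not r.dports or p.dport in r.dports)):
                return n, r.action
        return len(self.rules) + 1, "drop"

    def process(self, p):
        # 1. Traffic of a known connection, in either direction, is accepted by state,
        #    so the reply packets of an allowed session never need their own rule.
        if self._key(p) in self.conns or self._reverse_key(p) in self.conns:
            return self._verdict(p, "accept", "state table")
        # 2. With no state, only a bare SYN may open a connection; anything else
        #    is "out of state" while that check is enabled.
        if p.flags != frozenset({"SYN"}) and self.drop_out_of_state:
            reason = ("TCP packet out of state: first packet isn't SYN; tcp_flags: "
                      + _flag_str(p.flags))
            return self._verdict(p, "drop", reason)
        # 3. Otherwise consult the rulebase; an accepted SYN creates state.
        n, action = self._rulebase(p)
        if action == "accept" and "SYN" in p.flags:
            self.conns.add(self._key(p))
        return self._verdict(p, action, "rule %d" % n)

    def _verdict(self, p, action, reason):
        self.log.append((p.src, p.dst, p.dport, action, reason))
        return (action, reason)


SYN = frozenset({"SYN"})
SYN_ACK = frozenset({"SYN", "ACK"})
ACK = frozenset({"ACK"})
CLIENT, SERVER = "10.0.0.1", "171.10.1.1"   # addresses from the thread

# Constructed trace: ports 40001/40002/50000/8443 are invented for the demo.
TRACE = [
    Packet(CLIENT, SERVER, 40001, 443, SYN),      # client opens the https session
    Packet(SERVER, CLIENT, 443, 40001, SYN_ACK),  # reply: matched by the state table
    Packet(CLIENT, SERVER, 40001, 443, ACK),
    Packet(SERVER, CLIENT, 443, 40002, SYN_ACK),  # no SYN was ever seen for this flow
    Packet(SERVER, CLIENT, 50000, 8443, SYN),     # far host opens a new session back
]


def run_scenario(drop_out_of_state=True, return_rule=False):
    """Replay TRACE through the poster's rulebase; returns (action, reason) per packet."""
    rules = [Rule(CLIENT, SERVER, (80, 443), "accept")]          # the poster's rule
    if return_rule:
        rules.append(Rule(SERVER, CLIENT, (), "accept"))          # the "returning rule"
    fw = StatefulFilter(rules, drop_out_of_state)
    return [fw.process(p) for p in TRACE]


if __name__ == "__main__":
    for oos, rr in ((True, False), (False, False), (True, True)):
        print(f"drop_out_of_state={oos} return_rule={rr}")
        for p, (action, reason) in zip(TRACE, run_scenario(oos, rr)):
            print(f"  {p.src}->{p.dst}:{p.dport} {_flag_str(p.flags):8} {action:6} ({reason})")
```

Running it reproduces the sequence in the thread: packets 1 to 3 pass (the SYN-ACK by state, not by rule), packet 4 is dropped as out of state, and packet 5 is dropped by the cleanup rule. Disabling the out-of-state check only moves packet 4 from the state-check drop to the cleanup drop, which matches what the poster saw; only a rule accepting traffic from 171.10.1.1 lets the host-initiated session in, so the returning rule is what made it work.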
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options,
email fw-1-owner AT ts.checkpoint DOT com
=================================================