Re: CheckPoint FW1 BUG

[ipfreely () NEWHACKCITY NET (NHC Research)]

While doing some testing on Firewall-1 4.0 NT SP4 a few months ago, we
came across a similar situation. We felt it was not worthy of an advisory
because it is effectively a misconfiguration issue, although it is the
default configuration upon initial install.

Scenario:
One firewall machine, 2 NICs (one for untrusted net, one for trusted net).

Configuration:
NT 4.0 SP6a
Firewall-1 NT 4.0 SP4

Steps 2 Repro:
1. Install FW-1, define one subnet for each physical NIC.
2. From either network, send a SYN packet to the IP of the firewall, port
1032. ('telnet firewallip 1032', or 'nmap -sS -p 1032 firewallip')

Result:
        One of the running instances of the fw.exe service goes to 100%.

Why is this not a bug?
        Because the first thing the "wizard" does for you is to block all
traffic directly to the firewall, this should not be an issue for most
people. This is a really good thing, because FW-1 listens on an obscene
number of ports in a default installation.

If anyone can retest against FW-1 4.1 SP1, I'd be interested to see if
this minor problem still exists. Does anyone have an official contact for
Checkpoint to report security related issues?