Firewall Wizards mailing list archives
Checkpoint rule 0 "unknown est. tcp connection" drops
From: <black () galaxy silvren com>
Date: Tue, 7 Aug 2001 10:43:22 -0400 (EDT)
Preamble: I checked phoneboy's site and also checkpoint, the only solution was to simply disable the syn rulebase matching, which I eventually did and it did in fact take care of the problem. However, I think that the syn rulebase matching in general is seriously broken.

Here are the details: In Checkpoint 4.1 they implement the syn rulebase match -- basically meaning that the firewall will only pass TCP traffic after it's seen a full syn->ack handshake.

Right after I installed my firewall, I started seeing tons of rule 0 drops in the logs, with the given info being "reason: unknown established TCP packet". I thought, "okay, this is normal, after a few minutes these messages should go away as these old connections time out and new ones are established through the firewall." The problem should basically take care of itself. Well, it didn't. I let it go for a full day and had just as many rule 0 drops when I first put the firewall in as I did 24 hours later.

I know that Checkpoint has a TCP session timeout which will remove a connection from the state table if it's idle for longer than the timeout. I set the timeout to 3600s. Users were complaining that interactive telnet sessions were dropping. I also saw SMTP traffic being dropped because Checkpoint thought it was an "unknown established." Since when does an SMTP connection go idle for an hour? Obviously, something is not behaving as it should (interactive telnets and SMTP should not be getting dropped due to timeouts).

Does anybody else use the syn rulebase matching, or do you have it disabled? Did you encounter this problem? The only solution I found was to turn syn rulebase matching off entirely.

Checkpoint 4.1/SP4 running on the Nokia IP650 platform.

Any information would be most beneficial.
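A toy model of the two failure modes the post describes, added here as an illustration and not part of the original message or of Check Point's code: a state table that only admits non-SYN packets for connections whose SYN it saw, plus an idle timeout that evicts entries. All class and function names are hypothetical and the packet trace is constructed.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 3600  # the TCP session timeout the post sets (seconds)

@dataclass
class Packet:
    t: float      # arrival time in seconds
    src: str      # "ip:port"
    dst: str      # "ip:port"
    flags: str    # TCP flags, e.g. "S", "SA", "A", "PA"

class SynRulebaseTracker:
    """Toy state table (an assumption, not Check Point's engine): with SYN
    rulebase matching on, a non-SYN packet passes only if a SYN opened its
    connection; entries are evicted once idle longer than idle_timeout."""
    def __init__(self, idle_timeout=IDLE_TIMEOUT, syn_match=True):
        self.idle_timeout = idle_timeout
        self.syn_match = syn_match
        self.table = {}   # frozenset({src, dst}) -> time last seen
        self.drops = []   # what the firewall would log as rule 0 drops

    def _expire(self, now):
        self.table = {k: v for k, v in self.table.items() if now - v <= self.idle_timeout}

    def process(self, p):
        self._expire(p.t)
        key = frozenset((p.src, p.dst))            # same key for both directions
        if "S" in p.flags and "A" not in p.flags:  # initial SYN opens state
            self.table[key] = p.t
            return "accept"
        if key in self.table:                      # known connection, refresh idle timer
            self.table[key] = p.t
            return "accept"
        if self.syn_match:                         # no SYN ever seen for this flow
            self.drops.append((p.t, p.src, p.dst, "unknown established TCP packet"))
            return "drop"
        self.table[key] = p.t                      # matching off: mid-stream packets create state
        return "accept"

# Constructed trace: an SMTP flow that predates the firewall install, and a
# telnet session that goes idle for just over an hour before the next keystroke.
TRACE = [
    Packet(0.0, "10.0.0.5:1025", "192.0.2.25:25", "PA"),
    Packet(5.0, "10.0.0.7:1030", "192.0.2.23:23", "S"),
    Packet(5.1, "192.0.2.23:23", "10.0.0.7:1030", "SA"),
    Packet(5.2, "10.0.0.7:1030", "192.0.2.23:23", "A"),
    Packet(60.0, "10.0.0.7:1030", "192.0.2.23:23", "PA"),
    Packet(3661.0, "192.0.2.23:23", "10.0.0.7:1030", "PA"),
]

def simulate(syn_match=True, trace=TRACE):
    fw = SynRulebaseTracker(syn_match=syn_match)
    return [fw.process(p) for p in trace]
```

With matching on, the pre-existing SMTP flow and the post-timeout telnet packet are both dropped as "unknown established"; with it off, the same packets simply recreate state and pass.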