On 5/16/06, sanjay naik <sanjaynaik@xxxxxxxxxxx> wrote:
When a scan is initiated from the Inside interface of Checkpoint firewall, the firewall responds with bogus information intermittently. I would like to submit the following bug for Checkpoint:
I do not see this problem with NGX R60 on Nokia IPSO 4.0 running a default configuration of VPN-1. Here is how a scan of an Internet host looks from a box behind the firewall. Port 21 is closed and port 80 is open on the Internet host.

  # nmap -sT -P0 -v -p 21,80 192.36.x.x
  ...
  Interesting ports on public.host.net (192.36.x.x):
  PORT   STATE  SERVICE
  21/tcp closed ftp
  80/tcp open   http

tcpdump says everything is sane.

ftp attempt:

  21:04:08.390785 IP proxy1.58058 > public.ftp: S 515488128:515488128(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 761562441 0,sackOK,eol>
  21:04:08.394963 IP public.ftp > proxy1.58058: R 0:0(0) ack 515488129 win 0

http attempt:

  21:04:08.390810 IP proxy1.58059 > public.http: S 2222076892:2222076892(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 761562441 0,sackOK,eol>
  21:04:08.394968 IP public.http > proxy1.58059: S 1188563319:1188563319(0) ack 2222076893 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 885493884 761562441>
  21:04:08.394993 IP proxy1.58059 > public.http: . ack 1 win 33304 <nop,nop,timestamp 761562445 885493884>
  21:04:08.395036 IP proxy1.58059 > public.http: R 1:1(0) ack 1 win 33304

What CheckPoint products are enabled on the firewall? What are the SmartDefense settings for "TCP/SYN Attack Configuration"?

If "SYN Attack protection" is enabled the firewall does what it's told to do. After x packets/timeout it will switch to SYN relay mode and will do the three-way handshake on behalf of the destination host. This feature is normally only enabled on the external interface.

"It's not a bug, it's a feature"

--
Pawel Worach
Security Specialist, SDO Networks NP/IBM Sweden
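The SYN relay behaviour described in the reply is what turns a connect scan into noise: once the firewall answers every SYN with its own SYN/ACK, nmap -sT sees the handshake complete and reports the port open whether or not anything listens behind the firewall. The script below is an added example, not code posted in this thread or shipped by Check Point or nmap. It replays tcpdump lines of the kind Pawel pasted, classifies each probed port the way nmap -sT would (SYN/ACK from the server side is open, RST is closed, silence is filtered), and then applies the practical check: probe a few canary ports known to be closed on the real host, and if they all come back open, assume a SYN proxy is answering for the target and distrust the scan. The SERVICES map, the function names and the second trace (which simulates the relay) are assumptions constructed for the example; the first trace is the one from the reply.

```python
import re
from collections import OrderedDict

# Assumption: tcpdump printed symbolic service names, so map the ones we expect
# back to port numbers.  Lines with an unknown name are skipped by the parser.
SERVICES = {"ftp": 21, "http": 80}

# One tcpdump TCP line (old-style output, as in the thread):
#   <ts> IP <src>.<sport> > <dst>.<dport>: <flags> <seq>(<len>) [ack N] win ...
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\S+)\.(?P<sport>\S+) > (?P<dst>\S+)\.(?P<dport>\S+): "
    r"(?P<flags>\S+)(?P<rest>.*)$"
)


def _port(token):
    """Turn '58058' or 'ftp' into an integer port, or None if it is unknown."""
    return int(token) if token.isdigit() else SERVICES.get(token)


def classify_trace(lines):
    """Replay a capture and decide, per (server, port), what nmap -sT would print.

    A bare SYN from the client opens a flow in state 'filtered' (no answer yet).
    A SYN/ACK coming back moves it to 'open'; a RST coming back moves it to
    'closed'.  The client's own ACK and RST teardown are ignored, since they
    say nothing about the server.
    """
    flows = OrderedDict()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sport, dport = _port(m.group("sport")), _port(m.group("dport"))
        if sport is None or dport is None:
            continue
        src, dst, flags = m.group("src"), m.group("dst"), m.group("flags")
        has_ack = " ack " in m.group("rest")
        if flags == "S" and not has_ack:            # the client's probe
            flows.setdefault((src, sport, dst, dport), "filtered")
            continue
        key = (dst, dport, src, sport)              # a reply: swap the ends
        if key not in flows:
            continue
        if flags == "S" and has_ack:                # SYN/ACK: handshake completes
            flows[key] = "open"
        elif flags.startswith("R") and flows[key] == "filtered":
            flows[key] = "closed"
    return {(server, port): state
            for (_, _, server, port), state in flows.items()}


def syn_relay_suspected(results, server, canary_ports):
    """A SYN relay completes the handshake for every port, so ports that are
    known to be closed on the real host come back 'open'.  If all canaries
    look open, the firewall, not the target, is answering the scan."""
    states = [results.get((server, p)) for p in canary_ports]
    return bool(states) and all(s == "open" for s in states)


# Trace from the thread: port 21 really closed, port 80 really open.
TRACE_SANE = [
    "21:04:08.390785 IP proxy1.58058 > public.ftp: S 515488128:515488128(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 761562441 0,sackOK,eol>",
    "21:04:08.394963 IP public.ftp > proxy1.58058: R 0:0(0) ack 515488129 win 0",
    "21:04:08.390810 IP proxy1.58059 > public.http: S 2222076892:2222076892(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 761562441 0,sackOK,eol>",
    "21:04:08.394968 IP public.http > proxy1.58059: S 1188563319:1188563319(0) ack 2222076893 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 885493884 761562441>",
    "21:04:08.394993 IP proxy1.58059 > public.http: . ack 1 win 33304 <nop,nop,timestamp 761562445 885493884>",
    "21:04:08.395036 IP proxy1.58059 > public.http: R 1:1(0) ack 1 win 33304",
]

# Constructed trace simulating SYN relay mode: the SYN to the closed port 21 is
# answered with a SYN/ACK anyway, because the firewall finishes the handshake
# on behalf of the destination host.
TRACE_RELAY = [
    "21:10:00.000100 IP proxy1.58060 > public.ftp: S 100:100(0) win 65535 <mss 1460,sackOK,eol>",
    "21:10:00.000300 IP public.ftp > proxy1.58060: S 900:900(0) ack 101 win 65535 <mss 1460>",
    "21:10:00.000320 IP proxy1.58060 > public.ftp: . ack 1 win 33304",
    "21:10:00.000340 IP proxy1.58060 > public.ftp: R 1:1(0) ack 1 win 33304",
    "21:10:00.000500 IP proxy1.58061 > public.http: S 200:200(0) win 65535 <mss 1460,sackOK,eol>",
    "21:10:00.000700 IP public.http > proxy1.58061: S 950:950(0) ack 201 win 65535 <mss 1460>",
]


if __name__ == "__main__":
    for name, trace in (("sane", TRACE_SANE), ("relay", TRACE_RELAY)):
        res = classify_trace(trace)
        for (srv, port), st in sorted(res.items()):
            print(f"{name}: {srv}:{port} {st}")
        print(f"{name}: SYN relay suspected:",
              syn_relay_suspected(res, "public", canary_ports=[21]))
```

On a real engagement the canary would be a port you have verified closed from outside the firewall (or a handful of random high ports), and the same check is worth running against the SmartDefense threshold: scan slowly enough to stay under it and the relay never kicks in, which is itself a way to confirm the reply's diagnosis.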