Re: [fw-wiz] checkpoint authentication on external interface



It is accepting the packets.
I can get to the page from the outside world.
I don't see any logs for bad attempts.
I can sit here all day and put in bad passwords.

Frank


On Tue, Aug 25, 2009 at 6:28 AM, Jacson Querubin <spacial@xxxxxxxxx> wrote:
Frank,

The Checkpoint FW1 Gateways don't accept applying the rule base from the
external interface.

You can always do an fw monitor to see if it is dropping or accepting the packets.

cheers

Jacson

On Mon, Aug 24, 2009 at 13:21, Francois Yang <francois.y@xxxxxxxxx> wrote:
I have looked at the implied rules and I do have an explicit rule to
deny all and I don't see anything that would allow this connection.
I even created a rule to block this and put it at the top and still
don't see any changes.

To answer the other emails, Yes, I'm sure I could put an ACL in the
front router to block access, but I was hoping to find a better
solution.

Frank




Hi Frank,
Even if the daemon is listening on the port, you still have to go through
the rulebase to be able to connect.
You should verify if the ports are allowed either in implied or explicit
rules. (try to enable the logs on the implied rules
for a short time to get some logs about the auth).

I recommend using explicit rules and allowing only explicit sources.

I agree it's better if the daemon accepts connections only on internal IPs,
but for this you have to ask Checkpoint how to do it.

thanks

Frank
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards








--
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked. — White House Cybersecurity
Advisor, Richard Clarke
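Jacson's suggestion to run fw monitor is the quickest way to settle whether the auth traffic is being dropped or accepted by the rulebase. What follows is an added example, not code from anyone in the thread or from Check Point: a small Python script that reads saved fw monitor output and reports, per flow, which inspection points each packet was seen at. fw monitor tags every captured packet with one of four points: i (pre-inbound, before the inbound rulebase), I (post-inbound, after it), o (pre-outbound) and O (post-outbound). A packet seen at i but never at I was dropped by the inbound policy; one seen at i and I but at neither outbound point was accepted and terminated on the gateway itself, which is what Frank is seeing when the auth page answers from the outside. The sample capture text, interface names, addresses and ports (TCP 900 stands in for the auth page) are constructed assumptions, written in the two-line-per-packet layout fw monitor prints (a header line, then a TCP line with the ports).

```python
"""Classify flows in saved fw monitor output by the inspection points they passed.

Inspection points printed by fw monitor:
  i = pre-inbound   (before the inbound rulebase)
  I = post-inbound  (after the inbound rulebase)
  o = pre-outbound  (before the outbound rulebase)
  O = post-outbound (after the outbound rulebase)
"""
import re
from collections import defaultdict

# Header line, e.g. "eth0:i[60]: 203.0.113.10 -> 198.51.100.1 (TCP) len=60 id=1001"
HEADER_RE = re.compile(
    r"^(?P<ifc>\S+?):(?P<point>[iIoO])\[\d+\]:\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+\((?P<proto>\w+)\)"
)
# Port line that follows the header, e.g. "TCP: 40001 -> 900 .S.... seq=... ack=..."
PORTS_RE = re.compile(r"^(?:TCP|UDP):\s+(?P<sport>\d+)\s+->\s+(?P<dport>\d+)")

# Constructed sample capture (assumption: addresses, interfaces and ports are made up).
# Flow 1: external host reaches the auth page on the gateway itself (TCP 900 assumed).
# Flow 2: external host tries SSH to the gateway and is dropped by the inbound rulebase.
# Flow 3: a connection forwarded through the gateway, seen at all four points.
SAMPLE = """\
eth0:i[60]: 203.0.113.10 -> 198.51.100.1 (TCP) len=60 id=1001
TCP: 40001 -> 900 .S.... seq=1a2b3c4d ack=00000000
eth0:I[60]: 203.0.113.10 -> 198.51.100.1 (TCP) len=60 id=1001
TCP: 40001 -> 900 .S.... seq=1a2b3c4d ack=00000000
eth0:i[60]: 203.0.113.20 -> 198.51.100.1 (TCP) len=60 id=1002
TCP: 40002 -> 22 .S.... seq=2b3c4d5e ack=00000000
eth0:i[60]: 203.0.113.30 -> 192.0.2.7 (TCP) len=60 id=1003
TCP: 40003 -> 443 .S.... seq=3c4d5e6f ack=00000000
eth0:I[60]: 203.0.113.30 -> 192.0.2.7 (TCP) len=60 id=1003
TCP: 40003 -> 443 .S.... seq=3c4d5e6f ack=00000000
eth1:o[60]: 203.0.113.30 -> 192.0.2.7 (TCP) len=60 id=1003
TCP: 40003 -> 443 .S.... seq=3c4d5e6f ack=00000000
eth1:O[60]: 203.0.113.30 -> 192.0.2.7 (TCP) len=60 id=1003
TCP: 40003 -> 443 .S.... seq=3c4d5e6f ack=00000000
"""


def parse(text):
    """Yield (flow, point) per captured packet; flow = (src, sport, dst, dport, proto)."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m:
            i += 1
            continue
        sport = dport = None
        # The port line, when present, immediately follows the header line.
        if i + 1 < len(lines):
            p = PORTS_RE.match(lines[i + 1])
            if p:
                sport, dport = int(p["sport"]), int(p["dport"])
                i += 1
        yield (m["src"], sport, m["dst"], dport, m["proto"]), m["point"]
        i += 1


def verdict(points):
    """Map the set of inspection points a flow was seen at to what the gateway did."""
    if "i" in points and "I" not in points:
        return "dropped by inbound rulebase"
    if "o" in points and "O" not in points:
        return "dropped by outbound rulebase"
    if "O" in points:
        return "forwarded (passed inbound and outbound)"
    if "I" in points:
        # Passed the inbound rulebase but never reached the outbound side:
        # the packet was delivered to a service on the gateway itself.
        return "accepted inbound, terminated on the gateway"
    return "incomplete capture"


def classify(text):
    """Return {flow: verdict} for every flow found in the fw monitor text."""
    seen = defaultdict(set)
    for flow, point in parse(text):
        seen[flow].add(point)
    return {flow: verdict(pts) for flow, pts in seen.items()}


if __name__ == "__main__":
    for (src, sport, dst, dport, proto), result in classify(SAMPLE).items():
        print(f"{proto} {src}:{sport} -> {dst}:{dport}: {result}")
```

Capture live traffic to a file with fw monitor and an INSPECT filter for the port the auth page listens on (for example fw monitor -e 'accept port(900);' > cap.txt, checking the filter syntax against your version), then call classify() on the file contents. A flow that shows "accepted inbound, terminated on the gateway" from an external source is exactly the condition in the thread: some rule, implied or explicit, is letting that traffic reach the daemon, so the rulebase and implied-rule logging are the place to look next. Verdicts are only as good as the capture: a forwarded packet captured before its o/O lines were written will look like it terminated on the gateway.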