Firewall Wizards mailing list archives
RE: Checkpoint rule 0 "unknown est. tcp connection" drop s
From: <black () galaxy silvren com>
Date: Wed, 8 Aug 2001 10:14:31 -0400 (EDT)
There is no Linux is our organization (unfortunately). The only platforms are Novell servers, and Microsoft for servers and workstations. As far as Microsoft goes, there's a little of everything: 95, NT 4 workstation and server, 2000 professional, server, advanced server. Every type of server and workstation is represented in the drops. It doesn't appear to be coming from any one flavor of OS. I'll be opening a case with Checkpoint soon. Did you disable syn rulebase matching as well? On Wed, 8 Aug 2001, Karl Vogel wrote:
Hi, I have the same problem here, loads of rule 0 "reason: unknown established TCP packet" drops. We're running Checkpoint 4.1 on NT. Those log entries seem to be generated more for Linux based machines, so maybe there is some incompatibility with the Linux TCP stack and the stateful inspection of Checkpoint?! What platform(s) are your protected servers running on?! Linux, Unix, Windows?! (I mean your DMZ servers, or internal clients that make connections through the firewall). -----Original Message----- From: black () galaxy silvren com [mailto:black () galaxy silvren com] Sent: Tuesday, August 07, 2001 16:43 To: firewall-wizards () nfr com Subject: [fw-wiz] Checkpoint rule 0 "unknown est. tcp connection" drops Preamble: I checked phoneboy's site and also checkpoint, the only solution was to simply disable the syn rulebase matching, which I eventually did and it did in fact take care of the problem. However, I think that the syn rulebase matching in general is seriously broken. Here are the details: In Checkpoint 4.1 they implement the syn rulebase match -- basically meaning that the firewall will only pass TCP traffic after it's seen a full syn->ack handshake. Right after I installed my firewall, I started seeing tons of rule 0 drops in the logs, with the given info being "reason: unknown established TCP packet" I thought "okay, this is normal, after a few minutes these messages should go away as these old connections time out and new ones are established through the firewall." The problem should basically take care of itself. Well, it didn't. I let it go for a full day and had just as many rule 0 drops when I first put the firewall in as I did 24 hours later. I know that Checkpoint has a TCP session timeout which will remove a connection from the state table if it's idle for longer than the timeout. I set the timeout to 3600s. Users were complaining that interactive telnet sessions were dropping. I also saw SMTP traffic being dropped because Checkpoint thought it was an "unknown established." Since when does an SMTP connection go idle for an hour? Obviously, something is not behaving as it should (interactive telnets and SMTP should not be getting dropped due to timeouts). Does anybody else use the syn rulebase matching, or do you have it disabled? Did you encounter this problem? The only solution I found was to turn syn rulebase matching off entirely. Checkpoint 4.1/SP4 running on the Nokia IP650 platform. Any information would be most beneficial. _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- RE: Checkpoint rule 0 "unknown est. tcp connection" drop s Karl Vogel (Aug 08)
- RE: Checkpoint rule 0 "unknown est. tcp connection" drop s black (Aug 08)