Firewall Wizards mailing list archives

RE: Checkpoint rule 0 "unknown est. tcp connection" drops


From: <black () galaxy silvren com>
Date: Wed, 8 Aug 2001 10:14:31 -0400 (EDT)

There is no Linux in our organization (unfortunately). The only platforms
are Novell servers, and Microsoft for servers and workstations. As far as
Microsoft goes, there's a little of everything: 95, NT 4 workstation and
server, 2000 professional, server, advanced server.

Every type of server and workstation is represented in the drops. It
doesn't appear to be coming from any one flavor of OS.

I'll be opening a case with Checkpoint soon.

Did you disable syn rulebase matching as well?

On Wed, 8 Aug 2001, Karl Vogel wrote:

Hi,

I have the same problem here, loads of rule 0 "reason: unknown established
TCP packet" drops. We're running Checkpoint 4.1 on NT.

Those log entries seem to be generated more for Linux-based machines, so
maybe there is some incompatibility with the Linux TCP stack and the
stateful inspection of Checkpoint?!

What platform(s) are your protected servers running on?! Linux, Unix,
Windows?! (I mean your DMZ servers, or internal clients that make
connections through the firewall).


-----Original Message-----
From: black () galaxy silvren com [mailto:black () galaxy silvren com]
Sent: Tuesday, August 07, 2001 16:43
To: firewall-wizards () nfr com
Subject: [fw-wiz] Checkpoint rule 0 "unknown est. tcp connection" drops


Preamble:

I checked phoneboy's site and also checkpoint, the only solution was to
simply disable the syn rulebase matching, which I eventually did and it
did in fact take care of the problem. However, I think that the syn
rulebase matching in general is seriously broken.

Here are the details:

In Checkpoint 4.1 they implement the syn rulebase match -- basically
meaning that the firewall will only pass TCP traffic after it's seen a
full syn->ack handshake.

Right after I installed my firewall, I started seeing tons of rule 0 drops
in the logs, with the given info being "reason: unknown established TCP
packet".

I thought "okay, this is normal, after a few minutes these messages should
go away as these old connections time out and new ones are established
through the firewall." The problem should basically take care of itself.

Well, it didn't. I let it go for a full day and had just as many rule 0
drops when I first put the firewall in as I did 24 hours later. I know
that Checkpoint has a TCP session timeout which will remove a connection
from the state table if it's idle for longer than the timeout. I set the
timeout to 3600s.

Users were complaining that interactive telnet sessions were dropping. I
also saw SMTP traffic being dropped because Checkpoint thought it was an
"unknown established." Since when does an SMTP connection go idle for an
hour?

Obviously, something is not behaving as it should (interactive telnets
and SMTP should not be getting dropped due to timeouts). Does anybody else
use the syn rulebase matching, or do you have it disabled? Did you
encounter this problem? The only solution I found was to turn syn rulebase
matching off entirely.

Checkpoint 4.1/SP4 running on the Nokia IP650 platform.

Any information would be most beneficial.




_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
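As an added illustration written for this page, and not Check Point's code or anything posted in the thread: a simplified Python model of the behaviour the original post describes, a stateful filter that admits a TCP packet only when it belongs to a connection whose SYN / SYN-ACK / ACK handshake it has seen, expires idle entries after the configured TCP session timeout, and logs everything else as a rule 0 "unknown established TCP packet" drop. The hosts, ports and timestamps are constructed, and the behaviour with SYN rulebase matching disabled (the unknown packet is evaluated against the rulebase, which here accepts it and creates a state entry) is an assumption about the model, not a statement about FireWall-1 internals. It replays four traces: a connection that predates the firewall, a handshaked connection that idles for 30 minutes, the same connection idling past the 3600 s timeout, and that last trace again with SYN rulebase matching turned off.

```python
from dataclasses import dataclass

# Illustrative model written for this page, not Check Point code.
# Flag letters used in the constructed packet traces below.
SYN, ACK = "S", "A"


@dataclass
class Entry:
    state: str        # "SYN_SENT", "SYN_RECV" or "ESTABLISHED"
    last_seen: float  # time of the last packet that matched this entry


class StatefulFilter:
    def __init__(self, tcp_timeout=3600, syn_rulebase_match=True):
        self.tcp_timeout = tcp_timeout              # idle seconds before an entry is dropped
        self.syn_rulebase_match = syn_rulebase_match
        self.table = {}                             # connection key -> Entry
        self.log = []                               # rule 0 drop log lines

    @staticmethod
    def key(src, sport, dst, dport):
        # Canonical key so both directions of a connection share one entry.
        a, b = (src, sport), (dst, dport)
        return (a, b) if a <= b else (b, a)

    def _expire(self, now):
        stale = [k for k, e in self.table.items() if now - e.last_seen > self.tcp_timeout]
        for k in stale:
            del self.table[k]

    def packet(self, t, src, sport, dst, dport, flags):
        """Return "accept" or "drop" for one packet seen at time t."""
        self._expire(t)
        k = self.key(src, sport, dst, dport)
        e = self.table.get(k)
        if flags == SYN:
            # A bare SYN is what the rulebase matches on; this model's rulebase accepts it.
            self.table[k] = Entry("SYN_SENT", t)
            return "accept"
        if flags == SYN + ACK and e is not None and e.state == "SYN_SENT":
            e.state, e.last_seen = "SYN_RECV", t
            return "accept"
        if flags == ACK and e is not None and e.state in ("SYN_RECV", "ESTABLISHED"):
            e.state, e.last_seen = "ESTABLISHED", t
            return "accept"
        # Non-SYN packet with no matching state entry.
        if not self.syn_rulebase_match:
            # Assumption for this model: with SYN matching off the packet is
            # evaluated against the rulebase like any other, accepted here,
            # and a state entry is created for it.
            self.table[k] = Entry("ESTABLISHED", t)
            return "accept"
        self.log.append(f"t={t} rule 0 drop {src}:{sport}->{dst}:{dport} "
                        f"reason: unknown established TCP packet")
        return "drop"


def run_scenarios():
    """Replay constructed traces and return {scenario: [verdict per packet]}."""
    results = {}

    # 1. Connection that existed before the firewall was inserted: the filter
    #    never saw its SYN, so the first packet it sees is a rule 0 drop.
    fw = StatefulFilter()
    results["pre_existing"] = [fw.packet(0, "10.0.0.5", 1025, "10.0.1.7", 25, ACK)]

    # 2. Full handshake observed, then 30 minutes of silence (below 3600 s).
    trace = [
        (0.0, "10.0.0.5", 1026, "10.0.1.7", 23, SYN),
        (0.1, "10.0.1.7", 23, "10.0.0.5", 1026, SYN + ACK),
        (0.2, "10.0.0.5", 1026, "10.0.1.7", 23, ACK),
        (1800, "10.0.0.5", 1026, "10.0.1.7", 23, ACK),
    ]
    fw = StatefulFilter()
    results["handshake_short_idle"] = [fw.packet(*p) for p in trace]

    # 3. Same handshake, next packet after more than 3600 s of silence:
    #    the entry has been expired, so the packet is "unknown established".
    trace[-1] = (3602, "10.0.0.5", 1026, "10.0.1.7", 23, ACK)
    fw = StatefulFilter()
    results["handshake_long_idle"] = [fw.packet(*p) for p in trace]

    # 4. SYN rulebase matching disabled: the late packet goes to the rulebase instead.
    fw = StatefulFilter(syn_rulebase_match=False)
    results["long_idle_no_syn_match"] = [fw.packet(*p) for p in trace]
    return results


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(f"{name}: {verdicts}")
```

Only the first and third traces drop in this model: a connection whose handshake the filter never saw, and one whose entry aged out of the table. A connection that keeps sending within the timeout is never touched, so the model also shows what the timeout alone can and cannot account for when reading the logs.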


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards


Current thread: