Re:

["jsg" <jgerrits () enteract com>]

Joel,

----- Original Message -----
From: Joel Snider <joel_snider () yahoo com>
To: <firewall-wizards () nfr net>
Sent: Friday, December 03, 1999 7:38 AM


> I have been using a Checkpoint Firewall-1 to protect
> my DMZ from the Internet.  Since installation I have
> noticed that my webservers which are on the DMZ behind
> the firewall seem to be connecting to multitudes of
> Internet host unsolicited.

Are you sure that the firewall is connecting to these hosts and not the
hosts connecting through your firewall?  If anything the firewall should be
protecting your DMZ.

> The destination port seems
> to be random, but often increments.  The source port
> from web servers is always 80 or 443.

These ports that you listed are http (80) and https (443).

>  As I have added webservers this condition has gotten unbearable
> because of the massive amount of info in the log
> files.  I do not allow unlimited access from the DMZ
> to the Internet so these packets are getting dropped
> at the firewall. I have checked with the web
> developement team and they say that they are not doing
> anything with the servers that would cause this.  I
> know that I could filter out these events and not log
> them, but I want to understand what is happening first
> and look for other alternatives.  Please let me know
> if you have seen this before.

In regards to packets being dropped from the DMZ to the Firewall I would
recommend to only allow HTTP, and HTTPS out from the DMZ.  Then if nbt is
source of the drops create rule and drop without logging.  NBT is used for
name resolution.

Good Luck,
JSG

> Thanks...
> __________________________________________________
> Do You Yahoo!?
> Thousands of Stores.  Millions of Products.  All in one place.
> Yahoo! Shopping: http://shopping.yahoo.com

__________________________________________
NetZero - Defenders of the Free World
Get your FREE Internet Access and Email at
http://www.netzero.net/download/index.html