Firewall Wizards mailing list archives
Re: checkpoint authentication on external interface
From: Francois Yang <francois.y () gmail com>
Date: Tue, 25 Aug 2009 16:37:06 -0500
It is accepting the packets. I can get to the page from the outside world. I don't see any logs for bad attempts. I can sit here all day and put in bad passwords.

Frank

On Tue, Aug 25, 2009 at 6:28 AM, Jacson Querubin <spacial () gmail com> wrote:
> Frank,
>
> The Checkpoint FW1 Gateways don't accept to apply the rule base from external interface. You can always do a fw monitor to see if it is dropping or accepting the packets.
>
> cheers
> Jacson
>
> On Mon, Aug 24, 2009 at 13:21, Francois Yang <francois.y () gmail com> wrote:
>> I have looked at the implied rules and I do have an explicit rule to deny all and I don't see anything that would allow this connection. I even created a rule to block this and put it at the top and still don't see any changes.
>>
>> To answer the other emails, Yes, I'm sure I could put an ACL in the front router to block access, but I was hoping to find a better solution.
>>
>> Frank
>>
>>> Hi Frank,
>>>
>>> Even if the daemon is listening on the port, you still have to go through the rulebase to be able to connect. You should verify if the ports are allowed either in implied or explicit rules. (try to enable the logs on the implied rules for a short time to get some logs about the auth).
>>>
>>> I recommend to use explicit rules and allow only from explicit sources.
>>>
>>> I agree it's better if the daemon accepts connections only on internal IPs, but for this you have to ask checkpoint how to do.
>>>
>>>> thanks
>>>> Frank
>
> --
> If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
> — White House Cybersecurity Advisor, Richard Clarke

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- checkpoint authentication on external interface Francois Yang (Aug 20)
- Message not available
- Re: checkpoint authentication on external interface ml10110 (Aug 23)
- Message not available
- Re: checkpoint authentication on external interface pkc_mls (Aug 24)
- Re: checkpoint authentication on external interface Francois Yang (Aug 24)
- Re: checkpoint authentication on external interface Jacson Querubin (Aug 25)
- Re: checkpoint authentication on external interface Francois Yang (Aug 26)
- Re: checkpoint authentication on external interface Francois Yang (Aug 24)