RE: kernel panic [linux 2.2.19-7] on UDP scan CP4.1-SP5

[Yanek Korff <yanek () cigital com>]

> Checkpoint does crash when being portscanned. Well, sort of.
> Quite simply, when a (stateful) firewall, has too many 
> entries in the state table (IE it's full) then the box has problems.
> In the case of checkpoint (or at least, this was the case a 
> few versions ago) it will crash. (And incidentally, if you are 
> synchronising the state table with another firewall for the purposes 
> of failover, thenthey'll both crash).
> IIRC about 25000 connections will do this (less if you are using NAT)
> Checkpoint also holds the 'state entries' for 50 seconds after the
> connection is closed (IE FIN packets are seen), so you have a while to
> reach the magic number.
>
> My experience was with a Nokia IP440/Checkpoint 
> Firewall-4.1SP3, but it sounds as if the same situation may 
> be occuring.

Unfortunately, I don't think this is the case.  If a table were being filled
up, I'd expect the FW to stay up for some period of time before eventually
crashing.  Here are some relevant facts:

1. Linux FW crashes -immediately- before it has the opportunity to log a udp
packet with tcpdump
2. Scans complete successfully against NT 4.0 and Solaris-x86

-Yanek.