Re: kernel panic [linux 2.2.19-7] on UDP scan CP4.1-SP5

[Blue Boar <BlueBoar () thievco com>]

> Would not the OS itself crash without the FW kernel module loaded whena UDP
> scan was initiated?  When the machine is running without the FW active, it
> stays up fine. 

Sounds like you answered your own question. :)  All the evidence suggests
that the fault is in the firewall code.  If a KLM dies, it's perfectly
capable of taking the kernel with it.  At least when I've done it on
Solaris.. I assume Linux is the same.

> I've tried the -T Paranoid switch; the system crashes with the VERY FIRST
> UDP packet, regardless of which port it's sent to.  I subsequently
> re-enabled icmp, as a "before last" implied rule... And I see this:
> Initiating UDP Scan against  (64.80.176.11)
> 12:43:34.168842 nmap_source.58153 > fw_under_test.973:  udp 0
> 12:43:34.274503 fw_under_test > nmap_source: icmp: 64.80.176.11 udp port 973
> unreachable
>
> And that's the last packet I get from the machine.

Meaning it crashes?  Seems strange, you'd think Checkpoint would have
tried a UDP packet before they shipped...

Can anyone else confirm the results?

> If I run nslookup on nmap_source, set my server to fw_under_test, and
> attempt to resolve something (even though fw_under_test is not running a
> nameserver), the fw_under_test does not crash.  It merely replies with udp
> port unreachable and stays up.

Must be something in particular with the conetns of the packet NMAP sends.

                                                BB