Allowing specific TCP services to be established in the connections table without enforcing the 'Out of State' mechanism


In FireWall-1 NG FP2 it is possible to write a special INSPECT function that enables specific types of TCP connections (Services) to be established in the connections table without enforcing the 'Out of State' check. Disabling this mechanism for a specific Service means that non-SYN packets that do not belong to an established connection in the FireWall's connections table are not dropped, but are instead matched against the Rule Base.

The example below (for connection establishment only!) uses the Telnet service.

--------------------------------------------------------------------
PROCEDURE:
1) On the Management Server stop the VPN-1/FireWall-1 services by typing at prompt: cpstop
2) Backup the $FWDIR/lib/user.def file
3) Edit the user.def file as follows (port 23 is an example; substitute your specific port):


#ifndef __user_def__
#define __user_def__

//
// User defined INSPECT code
//

/* INSPECT modification - sk11088 */
deffunc user_accept_non_syn() { dport = 23 };
/* End of INSPECT modification */


#endif /* __user_def__ */

4) Save changes and close the user.def file.
5) Start the VPN-1/FireWall-1 services by typing at prompt: cpstart
6) Log into Policy Editor and install the policy.
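As an added example that is not part of the original article, the following POSIX shell function carries out steps 2 and 3 of the procedure on a user.def file: it validates the port, refuses to add a second user_accept_non_syn() definition rather than appending blindly, backs the file up, and inserts the sk11088 block inside the existing include guard. The function name, the file path argument and the .bak suffix are assumptions; cpstop and cpstart are still run separately by the operator.

```shell
#!/bin/sh
# Added example (not from the original article): insert the sk11088
# user_accept_non_syn() definition into a user.def file.
# Assumption: the file ends with the "#endif /* __user_def__ */" guard
# shown in the article. cpstop/cpstart are left to the operator.

add_non_syn_exception() {
    file="$1"
    port="$2"

    # Accept only a plain TCP port number in the valid range.
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "port out of range" >&2; return 1; }

    # Do not add a second definition of the same deffunc; stop and let
    # the operator inspect the file instead.
    if grep -qF 'deffunc user_accept_non_syn' "$file"; then
        echo "user_accept_non_syn already defined in $file" >&2
        return 1
    fi

    # Step 2 of the procedure: keep a backup before editing.
    cp "$file" "$file.bak" || return 1

    # Step 3: insert the block just before the closing include guard so
    # it stays inside #ifndef __user_def__ ... #endif.
    awk -v port="$port" '
        /^#endif/ && !done {
            print "/* INSPECT modification - sk11088 */"
            print "deffunc user_accept_non_syn() { dport = " port " };"
            print "/* End of INSPECT modification */"
            print ""
            done = 1
        }
        { print }
    ' "$file.bak" > "$file"
}
```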

NOTE:
Changes to .def files are relevant for a specific version/release and not supported with other releases unless specifically noted. All changes to .def files will be overwritten when upgrading to a new feature pack, service pack, or new version.

Alternatively, it may be helpful to have the firewall send a RESET to the client that sent the out-of-state packet, so that the client tears down the connection and re-establishes a new one. To do this, add :fw_reject_non_syn (1) below :fw_allow_out_of_state_tcp (0) in the objects_5_0.C file.

Example:

:fw_allow_out_of_state_tcp (0)
:fw_reject_non_syn (1)


11TH JAN 2005 JIM PARKER