The following is a list
of verifications performed by the FireWall-1 firewall module for a
rule with the services column set to "Any", such as in the following
sample rule:
SOURCE: Any (or specific network object)
DESTINATION: Any (or specific network object)
VPN (IF VIA): Any Traffic
SERVICE: Any
ACTION: accept
TRACK: Log
------------------------------------------------------------
1) TCP State Verification
Firewall-1 performs the following TCP state verification checks:
a) Make sure first packet is a SYN - This check can be overridden by
un-checking the "Drop out of state TCP packets" check box in the
Stateful Inspection page of the Global Properties. However,
disabling this enforcement can have bad consequences. When the
rule has the source set to "Any" and the destination set to "Any",
this will generally work, but in this case make sure no network
address translation is involved.
b) TCP handshake verification - If installing a new High
Availability configuration (or CPLS) - these checks are irrelevant.
Otherwise, note that the Firewall-1 firewall module rejects any
server-to-client ACK packet which is a direct response to a previous
SYN. This should not affect connectivity. However, to be on the safe
side, this verification can be overridden by setting the kernel
global parameter fw_allow_out_of_state_syn_resp from 0 to 1.
c) SYN-ACK on closing connection - The Firewall-1 firewall module
drops (and logs) a SYN-ACK packet that arrives after a
client-to-server RST. While this scenario is generally not expected,
it can happen when the server is a Linux 2.4.18 machine (as a result
of a bug in Linux TCP stacks). The bug is not in any way related to
the platform of the Firewall-1 firewall module. This check cannot be
overridden, and it does not affect connectivity, but drop logs are
generated.
------------------------------------------------------------
2) TCP Flags Sanity
The Firewall-1 firewall module verifies that TCP flags are compliant
with the RFC. In general, this means that each packet (except for
SYN and RST) must have the ACK flag set, and that a SYN packet is
not accompanied by illegal flags (such as RST and
FIN). This check cannot be overridden. There is one exception, where
the Firewall-1 firewall module allows SYN-RST packets, but this is
reserved for certain non-RFC compliant IBM printers.
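The following is an added example, not Check Point code, that models the checks in items 1 and 2 as a small Python connection table: a new connection must open with a plain SYN unless the out-of-state enforcement is switched off, and every packet must pass the flag sanity test before it is matched. The connection key, the verdict strings and the option names drop_out_of_state and allow_syn_rst are assumptions made here for illustration; the traffic in demo() is constructed.

```python
"""Added example (not Check Point code): model of the TCP state and flag
checks in items 1 and 2. Keys, verdicts and option names are assumptions."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# TCP flag bits as laid out in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def flags_sane(flags: int, allow_syn_rst: bool = False) -> Tuple[bool, str]:
    """Item 2: every packet other than a SYN or an RST must carry ACK, and a
    SYN must not be combined with FIN or RST. SYN-RST is tolerated only when
    allow_syn_rst models the non-RFC printer exception."""
    if flags & SYN:
        if flags & FIN:
            return False, "SYN with FIN"
        if flags & RST and not allow_syn_rst:
            return False, "SYN with RST"
        return True, "ok"
    if flags & RST:
        return True, "ok"              # a bare RST needs no ACK
    if not flags & ACK:
        return False, "missing ACK"
    return True, "ok"


@dataclass
class TcpStateTable:
    """Item 1a: the first packet of a connection must be a plain SYN unless
    drop_out_of_state is cleared (the "Drop out of state TCP packets" box)."""
    drop_out_of_state: bool = True
    allow_syn_rst: bool = False
    connections: Set[tuple] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    @staticmethod
    def _key(p: TcpPacket) -> tuple:
        # Direction-independent key so server-to-client packets match.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def inspect(self, p: TcpPacket) -> str:
        ok, why = flags_sane(p.flags, self.allow_syn_rst)
        if not ok:
            self.log.append(f"drop {p.src}:{p.sport}->{p.dst}:{p.dport}: {why}")
            return "drop"
        key = self._key(p)
        if key in self.connections:
            if p.flags & RST:
                # Item 1c: after a client RST the connection is gone, so a late
                # SYN-ACK from the server falls into the out-of-state branch.
                self.connections.discard(key)
            return "accept"
        if p.flags & SYN and not p.flags & ACK:
            self.connections.add(key)       # a new connection opens with a SYN
            return "accept"
        if self.drop_out_of_state:
            self.log.append(f"drop {p.src}:{p.sport}->{p.dst}:{p.dport}: out of state")
            return "drop"
        self.connections.add(key)           # enforcement disabled: adopt it
        return "accept"


def demo() -> List[str]:
    """Constructed exchange: a handshake, then a client RST followed by a late
    SYN-ACK from the server (item 1c), which is dropped and logged."""
    t = TcpStateTable()

    def c2s(f: int) -> TcpPacket:
        return TcpPacket("10.0.0.5", 40000, "192.0.2.10", 80, f)

    def s2c(f: int) -> TcpPacket:
        return TcpPacket("192.0.2.10", 80, "10.0.0.5", 40000, f)

    return [t.inspect(p) for p in (c2s(SYN), s2c(SYN | ACK), c2s(ACK),
                                   c2s(RST), s2c(SYN | ACK))]
```

The last verdict in demo() is the drop from item 1c: the client's RST removed the connection, so the server's SYN-ACK has nothing to match and is out of state. Clearing drop_out_of_state turns such drops into accepts, which is exactly why the text warns about disabling the check.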
------------------------------------------------------------
3) Fragments Reassembly
The Firewall-1 firewall module reassembles all IP fragments of a
certain packet before processing it. Once a fragment is encountered,
there is a certain timeout in which additional fragments are allowed
for the same packet. Once the timeout is exceeded and one or more
fragments of a certain packet are missing, the fragments being held
are dropped. This check cannot be overridden.
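Below is an added example, not Check Point code, of the reassembly behaviour item 3 describes: fragments of a datagram are held, and a datagram whose remaining fragments have not arrived when the timeout passes is discarded together with the fragments already held. The 30-second window, the key layout, byte offsets (rather than the 8-byte units of the wire format) and the sample fragments are assumptions made here for illustration.

```python
"""Added example (not Check Point code) of fragment reassembly with a
per-datagram timeout as in item 3. Timeout, key layout and samples are
constructed for illustration."""
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str, int, int]      # (src, dst, protocol, IP identification)


class FragmentReassembler:
    def __init__(self, timeout: float = 30.0):
        self.timeout = timeout
        # key -> (time of first fragment, {byte offset: payload}, total length or None)
        self.pending: Dict[Key, Tuple[float, Dict[int, bytes], Optional[int]]] = {}
        self.dropped: List[Key] = []    # datagrams discarded on timeout

    def expire(self, now: float) -> None:
        """Drop every datagram whose fragments did not all arrive in time."""
        for key, (first_seen, _, _) in list(self.pending.items()):
            if now - first_seen > self.timeout:
                del self.pending[key]
                self.dropped.append(key)

    def add(self, key: Key, offset: int, more_fragments: bool,
            payload: bytes, now: float) -> Optional[bytes]:
        """Store one fragment (offset in bytes) and return the reassembled
        datagram once every byte from 0 to the end is present."""
        self.expire(now)
        first_seen, parts, total = self.pending.get(key, (now, {}, None))
        parts[offset] = payload
        if not more_fragments:
            total = offset + len(payload)     # the last fragment fixes the size
        self.pending[key] = (first_seen, parts, total)
        if total is None:
            return None                       # last fragment not seen yet
        data = bytearray()
        for off in sorted(parts):
            if off > len(data):
                return None                   # a hole remains, keep waiting
            data += parts[off][len(data) - off:]    # skip any overlap
        if len(data) < total:
            return None
        del self.pending[key]
        return bytes(data[:total])
```

Feeding the reassembler out-of-order fragments shows the hole detection, and feeding a later packet after the window has elapsed shows the held fragments being discarded and recorded in dropped, which is the drop the text says cannot be overridden.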
------------------------------------------------------------
4) TCP/UDP Port 0
Packets with either destination or source port 0 are dropped. There
are some applications that use this port, but this problem is rarely
encountered. This check can be overridden by setting the kernel
global parameters fw_allow_udp_port0 and fw_allow_tcp_port0 from 0
to 1, but this is not recommended unless an actual problem is
encountered.
------------------------------------------------------------
5) Stateful ICMP
The Firewall-1 firewall module makes sure that each ICMP reply
matches a previous request, and that each ICMP error matches an
existing connection. Out of state ICMP packets are dropped and
logged. With FireWall-1 NG FP3 HF2 there is no way to override this
check. This may affect the ICMP connection if there is some kind of
asymmetric routing (i.e. load sharing) happening in the setup.
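The following is an added example, not Check Point code, modelling item 5 in Python: an ICMP reply is accepted only when a matching request was seen earlier, and an ICMP error only when the connection quoted in its payload is known. The key layout, verdict strings, the note_connection() helper and the sample traffic are assumptions made here for illustration.

```python
"""Added example (not Check Point code) of stateful ICMP matching as in
item 5. Keys, verdicts and the sample traffic are constructed."""
from typing import Optional, Set, Tuple

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
# Each reply type is matched to the request type that produces it.
REPLY_OF = {ECHO_REPLY: ECHO_REQUEST}

Conn = Tuple[int, str, int, str, int]     # (proto, src, sport, dst, dport)


class IcmpState:
    def __init__(self) -> None:
        self.requests: Set[tuple] = set()      # (src, dst, type, id, seq)
        self.connections: Set[Conn] = set()    # connections accepted elsewhere

    def note_connection(self, proto: int, src: str, sport: int,
                        dst: str, dport: int) -> None:
        """Constructed helper: register a connection another rule accepted."""
        self.connections.add((proto, src, sport, dst, dport))

    def inspect(self, src: str, dst: str, icmp_type: int, ident: int = 0,
                seq: int = 0, quoted: Optional[Conn] = None) -> str:
        if icmp_type == ECHO_REQUEST:
            self.requests.add((src, dst, ECHO_REQUEST, ident, seq))
            return "accept"
        if icmp_type in REPLY_OF:
            # A reply travels in the reverse direction of its request. With
            # asymmetric routing the request may have passed another member,
            # so this member has no entry and the reply is dropped.
            key = (dst, src, REPLY_OF[icmp_type], ident, seq)
            if key in self.requests:
                self.requests.discard(key)
                return "accept"
            return "drop: reply without request"
        if icmp_type in (DEST_UNREACH, TIME_EXCEEDED):
            # quoted is the (proto, src, sport, dst, dport) of the original
            # datagram carried in the error's payload.
            if quoted is not None and quoted in self.connections:
                return "accept"
            return "drop: error for unknown connection"
        return "drop: unhandled ICMP type"
```

The reply branch is where the load-sharing caveat in the text bites: a member that never saw the request has no entry to match and drops the reply.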
------------------------------------------------------------
6) Server-to-client Old Packets
Once the security policy is reinstalled, all connections are marked
as "old". A server-to-client non-TCP packet that matches an old
connection is dropped. This is true for UDP connections, and also
for ICMP replies/errors. This behavior cannot be overridden.
------------------------------------------------------------
7) ICMP Redirect Packets
ICMP redirect packets are not allowed by default. To enable ICMP
redirects, set Firewall-1 kernel global parameter fw_icmp_redirects
from 0 to 1.
------------------------------------------------------------
8) Source Equals Destination
The Firewall-1 firewall module drops packets that have identical
source and destination IP addresses. This check cannot be
overridden.
------------------------------------------------------------
9) Cluster Member Pings
The Firewall-1 firewall module does not allow pings to a cluster
gateway virtual IP and a real IP of a gateway that is a member of
the cluster gateway simultaneously. Several tools perform such
simultaneous pings. There is a support solution for this matter
(available since HFA 315), which can be enabled by setting the
kernel global parameter fw_allow_simultaneous_ping from 0 to 1.
------------------------------------------------------------
10) Packet Length Sanity
The Firewall-1 firewall module makes sure that each IP packet has a
length of at least 20 bytes for the IP header and a minimal header
size per protocol (20 additional bytes for TCP/UDP, 8 additional
bytes for ICMP). This check cannot be overridden.
------------------------------------------------------------
11) Tear Drop, Ping of Death and Land attack
In general, these attacks have very specific characteristics, and
enforcing them should not cause connectivity problems to "valid"
traffic. These checks cannot be overridden.
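Below is an added example, not Check Point code, that applies the header sanity checks of items 4, 8, 10 and 11 to raw IPv4 packets: the minimum lengths as the text states them (20 bytes of IP header plus 20 for TCP/UDP and 8 for ICMP), TCP/UDP port 0, and identical source and destination addresses, which is the Land pattern. The verdict strings, the allow_port0 option standing in for the port-0 kernel overrides, and the packet-building helpers with their sample packets are assumptions made here for illustration.

```python
"""Added example (not Check Point code) of the header sanity checks in
items 4, 8, 10 and 11 over raw IPv4 packets. Builders and samples are
constructed for illustration."""
import socket
import struct

ICMP, TCP, UDP = 1, 6, 17
NAME = {ICMP: "ICMP", TCP: "TCP", UDP: "UDP"}
# Minimum bytes that must follow the IP header, as the text states them.
MIN_L4 = {TCP: 20, UDP: 20, ICMP: 8}


def check_packet(raw: bytes, allow_port0: bool = False) -> str:
    """Return "accept" or a "drop: <reason>" verdict for one raw IPv4 packet.
    allow_port0 stands in for the port-0 kernel overrides the text mentions."""
    if len(raw) < 20:
        return "drop: IP header shorter than 20 bytes"
    ihl = (raw[0] & 0x0F) * 4                  # header length in bytes
    if ihl < 20 or len(raw) < ihl:
        return "drop: bad IP header length"
    proto = raw[9]
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    if src == dst:
        return "drop: source equals destination"      # items 8 and 11 (Land)
    need = MIN_L4.get(proto)
    if need is not None and len(raw) - ihl < need:
        return f"drop: {NAME[proto]} header shorter than {need} bytes"
    if proto in (TCP, UDP) and not allow_port0:
        sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
        if sport == 0 or dport == 0:
            return "drop: port 0"                      # item 4
    return "accept"


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed test helper: minimal IPv4 header (checksum left zero)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         0, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def tcp_header(sport: int, dport: int, flags: int = 0x02) -> bytes:
    """Constructed test helper: 20-byte TCP header with the given ports."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
```

Because the source-equals-destination test runs before the length tests, a Land-style packet is reported as such even when its transport header is complete; a truncated header is reported by protocol name with the threshold the text gives.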
------------------------------------------------------------
12) FTP
The Firewall-1 firewall module makes sure that an FTP port command
contains the IP of the command's sender. It also makes sure that
each FTP command terminates with a newline (this verification may
cause problems for old implementations that send keep-alive
packets). To disable these checks the "Match for 'Any'" check box
can be unchecked in the "Advanced" configuration of the FTP service.
This solution does not apply when there is network address
translation involved, however.
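The following is an added example, not Check Point code, of the two FTP control-channel checks in item 12 written as a small Python inspector: a PORT command must carry the sender's own IP address, and every command must be newline-terminated, so a trailing fragment without a newline (the keep-alive case the text mentions) is reported as dropped. The sender address, the sample lines and the verdict strings are constructed here for illustration.

```python
"""Added example (not Check Point code) of the FTP PORT and newline checks
in item 12. Sample lines and the sender address are constructed."""
import re
from typing import List

# PORT h1,h2,h3,h4,p1,p2 as defined by the FTP protocol (RFC 959).
PORT_RE = re.compile(
    rb"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$",
    re.IGNORECASE)


def check_ftp_command(sender_ip: str, line: bytes) -> str:
    """Return a verdict for one client-to-server control line."""
    if not line.endswith(b"\n"):
        return "drop: command not newline-terminated"
    cmd = line.rstrip(b"\r\n")
    if cmd[:4].upper() != b"PORT":
        return "accept"                        # other commands pass unchanged
    m = PORT_RE.match(cmd)
    if not m:
        return "drop: malformed PORT"
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return "drop: malformed PORT"
    ip = f"{h1}.{h2}.{h3}.{h4}"
    if ip != sender_ip:
        # The data connection would go to a third party, not the sender.
        return f"drop: PORT address {ip} differs from sender {sender_ip}"
    return f"accept: data connection to {ip}:{p1 * 256 + p2}"


def inspect_control_stream(sender_ip: str, data: bytes) -> List[str]:
    """Split a control-channel buffer into lines and check each one; a
    trailing fragment with no newline is reported as dropped."""
    return [check_ftp_command(sender_ip, line)
            for line in data.splitlines(keepends=True)]
```

Running inspect_control_stream() over a buffer whose last command lacks its newline reproduces the keep-alive failure the text describes: every complete line is judged on its own, and the unterminated tail is dropped.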
------------------------------------------------------------
13) Anti-Spoofing
Once the topology of the firewall module is defined and
anti-spoofing enabled, the Firewall-1 firewall module starts to
perform anti-spoofing checks. To disable anti-spoofing checks, set
the Firewall-1 kernel global parameter fw_antispoofing_enabled from
1 to 0. Even when the topology is not defined yet, the Firewall-1
firewall module performs local interface anti-spoofing checks. This
means the Firewall-1 firewall module verifies that no packet on the
inbound chain has a source IP that matches one of the gateway's IP
addresses. This can be overridden by setting the kernel global
parameter fw_local_interface_anti_spoofing from 1 to 0. Local
interface anti-spoofing is somewhat problematic on both Windows and
Linux, so if the FireWall-1 firewall module is installed on one of
these platforms and drops are to be avoided, disabling this check
can be considered. There is also the loopback interface
anti-spoofing, which cannot be overridden, but this should not cause
problems.
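Below is an added example, not Check Point code, that models the three anti-spoofing layers of item 13 in Python: a loopback source is always dropped, a source equal to one of the gateway's own addresses is dropped on the inbound chain (the local interface check), and once a topology is defined a packet must arrive on the interface that leads to its source network, with the external interface accepting any source not claimed by an internal one. Interface names, addresses, the topology layout and the option names antispoofing_enabled and local_interface_check (standing in for the two kernel parameters the text names) are assumptions made here for illustration.

```python
"""Added example (not Check Point code) of the anti-spoofing checks in
item 13. Interfaces, addresses and option names are constructed."""
import ipaddress
from typing import Dict, List, Optional


class AntiSpoofing:
    def __init__(self, gateway_ips: List[str],
                 topology: Optional[Dict[str, Optional[List[str]]]] = None,
                 antispoofing_enabled: bool = True,
                 local_interface_check: bool = True):
        self.gateway_ips = {ipaddress.ip_address(ip) for ip in gateway_ips}
        # interface -> networks behind it; None marks the external interface,
        # which accepts any source not claimed by another interface.
        self.topology = {name: None if nets is None
                         else [ipaddress.ip_network(n) for n in nets]
                         for name, nets in (topology or {}).items()}
        self.antispoofing_enabled = antispoofing_enabled     # fw_antispoofing_enabled
        self.local_interface_check = local_interface_check   # fw_local_interface_anti_spoofing

    def _belongs(self, ifname: str, src: ipaddress.IPv4Address) -> bool:
        nets = self.topology[ifname]
        if nets is None:
            internal = [n for other, ns in self.topology.items()
                        if other != ifname and ns for n in ns]
            return not any(src in n for n in internal)
        return any(src in n for n in nets)

    def inbound(self, ifname: str, src_ip: str) -> str:
        """Verdict for a packet on the inbound chain of interface ifname."""
        src = ipaddress.ip_address(src_ip)
        if src.is_loopback:
            return "drop: loopback source"             # cannot be overridden
        if self.local_interface_check and src in self.gateway_ips:
            return "drop: source is a gateway address"  # local interface check
        if self.antispoofing_enabled and ifname in self.topology:
            if not self._belongs(ifname, src):
                return "drop: spoofed source"          # topology check
        return "accept"
```

With no topology given, only the loopback and local-interface checks run, which matches the text's description of a gateway whose topology is not yet defined; clearing local_interface_check removes the gateway-address drop the text says is problematic on Windows and Linux, while the loopback drop stays.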