Checkpoint – Problems with Stateful Inspection of TCP Connections

Problems with Stateful Inspection of TCP Connections :: Chapter 6. Common Issues :: Check Point FireWall

In NG FP3 and above, you can revert to the pre-4.1 SP2 behavior by going to the Global Properties frame, Stateful Inspection tab, and unchecking the “Drop out of state TCP Packets” box. In NG FP2 and earlier, use dbedit as described in FAQ 4.2 and enter the following commands:

dbedit> modify properties firewall_properties fw_allow_out_of_state_tcp 1
dbedit> update properties firewall_properties


Configuring FireWall-1 to Allow Out-of-State Packets for Specific TCP Services

Some application vendors use TCP connections in ways that do not follow the standards documented in RFC 793. Since FireWall-1 attempts to enforce strict adherence to the standards, applications that do not comply will have difficulty communicating through FireWall-1 or any other stateful packet filter. NG FP2 and above provide a facility that allows TCP packets for a specific port number even if they do not conform to Check Point’s idea of state. This allows out-of-state TCP packets for specific services, provided the packets would normally be passed by the rulebase. To do this, edit $FWDIR/lib/user.def on the management station and add the deffunc user_accept_non_syn() line (set in bold in the original) within the following context:

#ifndef __user_def__
#define __user_def__

// User-defined INSPECT code

deffunc user_accept_non_syn() { dport = 22 };

#endif /* __user_def__ */

The INSPECT code between the curly braces defines the service(s) you wish to allow. The preceding example is SSH (TCP port 22). To define multiple services, for example SSH (port 22), HTTPS (port 443), and LDAP (port 389), replace the deffunc line in the preceding example with this one:

deffunc user_accept_non_syn() { dport=22 or dport=443 or dport=389 };

To permit non-SYN packets between hosts a.b.c.d and x.y.z.w in addition to non-SYN packets on port 22, use the following:

deffunc user_accept_non_syn() { (src=x.y.z.w, dst=a.b.c.d) or
                                (src=a.b.c.d, dst=x.y.z.w) or
                                dport=22 };

(See Chapter 14 for more information on INSPECT.) If the rulebase is constructed carefully enough, the firewall should be relatively safe from an ACK-type DoS attack, because all packets allowed by this change must still pass the rulebase.
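To make the interaction between the out-of-state check, the user_accept_non_syn() exception and the rulebase concrete, here is an added Python model of the decision logic described above (example code written for this page, not Check Point's INSPECT engine). The rulebase entries and the a.b.c.d / x.y.z.w addresses are constructed placeholders; the drop_out_of_state flag stands in for the “Drop out of state TCP Packets” box.

```python
# Added example: a minimal model of FireWall-1's "drop out of state TCP
# packets" check and the user_accept_non_syn() exception from user.def.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool  # True for the initial SYN; False for any other segment

# Constructed sample rulebase: (src, dst, dport); "*" matches anything.
# The out-of-state exception never bypasses this table.
RULEBASE = [
    ("*", "10.0.0.5", 22),                  # SSH to a server
    ("192.0.2.10", "198.51.100.20", 5000),  # a.b.c.d <-> x.y.z.w
    ("198.51.100.20", "192.0.2.10", 5000),
]

def rulebase_accepts(p: Pkt) -> bool:
    return any((s == "*" or s == p.src) and (d == "*" or d == p.dst)
               and port == p.dport for s, d, port in RULEBASE)

def user_accept_non_syn(p: Pkt) -> bool:
    """Equivalent of the page's INSPECT predicate:
    (src=x.y.z.w, dst=a.b.c.d) or (src=a.b.c.d, dst=x.y.z.w) or dport=22."""
    A, X = "192.0.2.10", "198.51.100.20"  # assumed values for a.b.c.d, x.y.z.w
    return (p.src == X and p.dst == A) or (p.src == A and p.dst == X) or p.dport == 22

class StatefulFilter:
    def __init__(self, drop_out_of_state: bool = True):
        self.drop_out_of_state = drop_out_of_state  # the Global Properties box
        self.conns: set = set()  # connection table keyed on the 4-tuple

    def inspect(self, p: Pkt) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if key in self.conns or rev in self.conns:
            return "accept (established)"
        # Non-SYN segment with no table entry is out of state unless excused.
        if not p.syn and self.drop_out_of_state and not user_accept_non_syn(p):
            return "drop (out of state)"
        # SYN, or excused non-SYN: the rulebase still has the final say.
        if not rulebase_accepts(p):
            return "drop (rulebase)"
        self.conns.add(key)
        return "accept (new)" if p.syn else "accept (out of state)"
```

Note that a host-pair exception on a port the rulebase does not permit is still dropped, which is the property the text relies on for resistance to ACK floods.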

  • Edit $FWDIR/lib/base.def on the management station. Add the following lines (set in bold in the original) within the context shown:

    deffunc ftp_port_code() {
        ftp_intercept_port(CONN_ONEWAY_EITHER) or (IS_PASV_MSG,reject or 1)
    };

    deffunc ftp_pasv_code() {
        ftp_intercept_pasv(CONN_ONEWAY_EITHER) or (IS_PORT_CMD,reject or 1)
    };

    deffunc ftp_bidir_code() {
    deffunc ftp_code() {
  • Edit $FWDIR/conf/tables.C on the management station as follows (changes are set in bold):

    : (protocols
           :table-type (confobj-dynamic)
           :location (protocols)
           :read_permission (0x00000000)
           :write_permission (0x00040000)
           :queries (
                  :all (*)

    Note that table-type will be changed from confobj-static to confobj-dynamic.

  • Start the FireWall-1 management station with cpstart.

  • Use dbedit to enter the following commands:

    dbedit> create tcp_protocol FTP_BI
    dbedit> update protocols FTP_BI
    dbedit> modify protocols FTP_BI handler ftp_bidir_code
    dbedit> modify protocols FTP_BI match_by_seqack true
    dbedit> modify protocols FTP_BI res_type ftp
    dbedit> update protocols FTP_BI
    dbedit> quit
