 | ||
 connection dropped due stateful inspection | ||
| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
|
| |||||||
 |
| | LinkBack | Thread Tools | Display Modes |
 2008-05-13 | |||
| |||
 connection dropped due stateful inspection Hi all, We have a diskless SPLAT distro with root mounted over NFS. If I activate Stateful inspection via TCP, then the NFS connection is dropped and system hangs because it is 'out of state'. How could I activate stateful inspection with this exception? Is it possible to view states (in netfilter is /proc/net/ip_conntrack? thanx  |
| 2008-05-13 | |||
| |||
| Re: connection dropped due stateful inspection hi mate i am not very clear with ur question though. but as far i could guess is that u want stateful inspection to be enabled but not for NFS service right . since cp is a stateful firewall by default and it will allow packets only on the base of stateful inspection there is no way u can disable stateful inspection for a service. i guess no firewall allows to disable stateful inspection. regards sebastan |
| 2008-05-14 | |||
| |||
| Re: connection dropped due stateful inspection hi, thanks for your post. In Linux you can play with iptables, applying state rules when you want. The problem with my SPLAT is that it is a diskless system booting from PXE and mounting root via NFS, hence first it makes a NFS connection and later it inserts fwmod module, so NFS connection results in an 'out of state'. I have seen that it is possible to include exceptions (but only gateways from a cluster, not a host like the NFS server). Is there another way to bypass the problem? Maybe inserting fwmod at bootstraping process, before mounting root via NFS? Regards |
| 2008-05-16 | |||
| |||
| Re: connection dropped due stateful inspection hi i guess there is no way u have the fwd on bootstrapping process. i guess if u are do it learning purpose then might as well install a hard disk and get the splat working smoothly it will save a lot of time and effort. regards sebastan |
| 2008-05-18 | |||
| |||
| Re: connection dropped due stateful inspection Hi sebastian Thanks a lot for your reply. I have discover that the problem fix using UDP instead of TCP. Using TCP works too, but the boot process seems to hang up at /etc/init.d/cpboot service, applying basic policies. But the system continue boot process after 6 or 7 minutes, maybe because the NFS restore the TCP connection and then it become a 'legal' connection. I will investigate NFS tunning to get down thi time. Thanks. |
|
| Thread Tools | |
| Display Modes | |
| |
Linear Mode
