CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
**Change Packets Blocked by SAM from Reject to Drop**

Connections or packets dropped with 'fw sam' or 'block intruder' appear to reject the packets instead of drop. This can be viewed as a bad thing, as it gives information, specifically "yes, I am a firewall and I am now blocking you." If you get right down to it, it should "vanish" the packets. Vanish makes sure the TCP renegotiation mechanism never occurs.

The code responsible for this is in $FWDIR/lib/code.def on the management station (at least in 4.1). You'll see the following in the code:

followed by a bunch of #define and define statements. Then you will see:

reject ( ... );

The [...] will contain a bunch of references to SAM functions. Simply change the "reject" to "drop" or "vanish" and reload your policy.

-- PhoneBoy - 11 Jan 2004

FAQs.Class: MiscellaneousFAQs
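As an added example (not from PhoneBoy's post and not Check Point's own code), a small POSIX shell helper that applies the edit the post describes to code.def: it keeps a backup, rewrites only the `reject ( ... );` call whose body references SAM, and restores the backup unless exactly one such block was found. The sample code.def it builds is constructed for the demo, since the post does not reproduce the real file contents.

```shell
#!/bin/sh
# Constructed stand-in for the SAM section of $FWDIR/lib/code.def (not the real file).
make_sample_codedef() {
  cat > "$1" <<'EOF'
#define SAM_ACTION_REJECT 1
define sam_match { ... };
reject (
    sam_check_src,
    sam_check_dst
);
reject (
    unrelated_rule
);
EOF
}

# change_sam_action FILE ACTION: back FILE up to FILE.bak, then turn the one
# reject(...) block that mentions SAM into ACTION(...). ACTION is drop or vanish.
# Refuses (and restores the backup) if zero or several SAM blocks are found.
change_sam_action() {
  file=$1; action=$2
  case $action in drop|vanish) ;; *) echo "action must be drop or vanish" >&2; return 1 ;; esac
  cp "$file" "$file.bak" || return 1
  # awk writes the rewritten file and prints how many blocks it changed
  n=$(awk -v act="$action" -v out="$file" '
    /^reject *\(/ { inblk = 1; buf = "" }
    inblk {
      buf = buf $0 "\n"
      if ($0 ~ /\) *;/) {                     # closing ");" of the reject call
        inblk = 0
        if (buf ~ /[Ss][Aa][Mm]/) { sub(/^reject/, act, buf); n++ }
        printf "%s", buf > out
      }
      next
    }
    { print > out }
    END { print n + 0 }
  ' "$file.bak")
  if [ "$n" -ne 1 ]; then
    echo "expected exactly one SAM reject block, found $n; restoring backup" >&2
    cp "$file.bak" "$file"
    return 1
  fi
  echo "changed $n SAM block to $action; original saved as $file.bak"
}

# Demo on the constructed sample; on a real management station point it at $FWDIR/lib/code.def
demo=$(mktemp)
make_sample_codedef "$demo"
change_sam_action "$demo" drop && grep -nE '^(drop|reject) \(' "$demo"
rm -f "$demo" "$demo.bak"
```

After the edit you still have to reload the policy, as the post says; the helper only changes the file.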