CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
How can I disable everything in the rulebase properties in FireWall-1 4.1?

Despite the fact that Check Point has made the defaults more sensible in 4.1, it is a good idea to disable those properties which you do not need. Let us look at each property that can be disabled.

Accept FireWall-1 Control Connections: This means allow various FireWall-1 Modules to communicate via FireWall-1 communication ports. Prior to 4.1, it allowed any host to access FireWall-1 on TCP ports 256, 257, and 258. In 4.1, it only allows these connections from the appropriate hosts as defined in $FWDIR/conf/masters and $FWDIR/conf/gui-clients as appropriate. This also allows your firewall to be accessible on TCP port 256 and/or TCP port 264 from anywhere. If you wish to uncheck this property, you will need the following rules (as appropriate for your situation):

| Source | Destination | Service | Action | Install-On | Comment |
|---|---|---|---|---|---|
| all-cp-modules | all-cp-modules | FW1, FW1_log | Accept | all-firewalls | Permits FireWall-1 traffic between all management and firewall modules (should be installed eitherbound). |
| gui-clients | management-console | FW1_Mgmt | Accept | gateways | Permits those with GUI access to access the management console to modify the security policy. |
| Any | management-console | FW1 | Accept | gateways | Necessary when setting up a VPN or allowing SecuRemote 4.0 clients to fetch their encryption domain. |
| Any | management-console | FW1_topo | Accept | gateways | Necessary when SecureClient 4.1 and later clients wish to fetch their encryption domain from a FireWall-1 4.1 management console. |
| Any | firewall-modules | FW1_rdp | Accept | gateways | While RDP may be a pre-defined service (it's called RDP), you will need to create a new definition for it as a service of type Other if you disable FireWall-1 control connections. This is necessary to permit FWZ encryption to work. |

For the fields in this new service, input the following:

- Match: udp, dport=259
- Prologue: accept_fw1_rdp;

Accept UDP Replies: Check Point puts a "virtual state" on top of UDP to permit UDP connections through the firewall. By disabling this property, you are effectively disabling the "virtual state." In this case, you will need to create the necessary UDP services that permit the "reply" packets in.

Accept Outgoing Packets: This property refers to packets leaving the gateway, whether they originate from the firewall or they are routed by the firewall. This property is required when "Apply Gateway Rules to Interface Direction" is "Inbound"; otherwise packets will never leave the gateway. This property can be disabled by setting "Apply Gateway Rules to Interface Direction" to Eitherbound (Outbound is not recommended).

Enable Decryption on Accept: This will cause FireWall-1 to decrypt packets that it receives encrypted even if there is no explicit rule listing encryption. Note that there still must be a valid rule in the rulebase if the packet is to be accepted through the rulebase. This can be disabled with no ill effect.

Accept RIP: If you are running RIP on your firewall and you require the ability to communicate with other routers via RIP, this property must be checked. Most people who run dynamic routing protocols run OSPF, so this property can generally be safely disabled. If you do need to run RIP but do not wish to use this property, the following rules must be in your rulebase:

| Source | Destination | Service | Action | Install-On | Comment |
|---|---|---|---|---|---|
| firewall-modules | rip-routers, rip-broadcast | rip, rip-response | Accept | all-firewalls | Permits RIP traffic between all firewall modules, routers, and appropriate broadcast addresses (should be installed eitherbound). |
| rip-routers | firewall-modules, rip-broadcast | rip, rip-response | Accept | gateways | Permits RIP traffic from all routers to broadcasts and firewalls. |

Accept Domain Name Queries (UDP): This permits all UDP port 53 traffic from anywhere to anywhere. This is actually a very dangerous setting and should be disabled, since non-DNS traffic (such as BackOrifice) could easily use UDP port 53. Instead, rules of the following form should be added:

| Source | Destination | Service | Action | Install-On | Comment |
|---|---|---|---|---|---|
| dns-clients | dns-servers | domain-udp | Accept | gateways | Permits DNS traffic between the appropriate clients and servers. |

Accept Domain Name Downloads (TCP): This is only necessary if your primary and secondary DNS servers are separated by your firewalls. Again, a dangerous default that should be disabled. In this case, you will add a rule like the following to permit traffic:

| Source | Destination | Service | Action | Install-On | Comment |
|---|---|---|---|---|---|
| dns-clients | dns-servers | domain-tcp | Accept | gateways | Permits DNS traffic between the appropriate clients and servers. |

Accept ICMP: You can generally disable this property, though you will need to leave it enabled to take advantage of Check Point's Stateful Inspection for ICMP in 4.0. See "How to allow only outbound ping and traceroute requests?" for more details.

-- PhoneBoy - 14 Jan 2004

FAQ Class: SmartClientsFAQs; Version: 4.1
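The point of the FAQ above is that every implied rule you uncheck must be replaced by explicit, narrowly scoped rules, and that an "Any to Any" accept for a service such as domain-udp is exactly what you are trying to get rid of. The following added example (my own code, not Check Point's and not part of the post) encodes the FAQ's replacement rules as data and runs a first-match evaluator over them so you can check, before installing a policy, that the control-connection and DNS rules accept the hosts they should and nothing else. The network objects and addresses are constructed for the example; the port numbers for FW1, FW1_log, FW1_Mgmt and FW1_topo are assumed from the classic FireWall-1 assignments (the FAQ itself only lists 256, 257, 258, 264 and udp/259), and the implicit drop at the end of the rulebase is modelled as FireWall-1 applies it.

```python
"""Toy first-match rulebase evaluator for the explicit rules that replace
FireWall-1 4.1 implied rules (added example, not Check Point code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service definitions. Ports for FW1 (256), FW1_log (257), FW1_Mgmt (258) and
# FW1_topo (264) are assumed from the classic FireWall-1 assignments; FW1_rdp
# is the udp/259 "Other" service the FAQ tells you to define by hand.
SERVICES = {
    "FW1": ("tcp", 256),
    "FW1_log": ("tcp", 257),
    "FW1_Mgmt": ("tcp", 258),
    "FW1_topo": ("tcp", 264),
    "FW1_rdp": ("udp", 259),
    "domain-udp": ("udp", 53),
    "domain-tcp": ("tcp", 53),
}

# Constructed sample network objects (private and documentation ranges only).
GROUPS = {
    "management-console": ["10.0.0.10/32"],
    "firewall-modules": ["10.0.0.1/32", "10.0.1.1/32"],
    "gui-clients": ["10.0.5.0/24"],
    "dns-clients": ["10.0.0.0/16"],
    "dns-servers": ["192.0.2.53/32"],
}
GROUPS["all-cp-modules"] = GROUPS["management-console"] + GROUPS["firewall-modules"]


@dataclass(frozen=True)
class Rule:
    src: str          # network object name, or "Any"
    dst: str
    services: tuple   # service names from SERVICES
    action: str       # "Accept" or "Drop"
    comment: str = ""


def in_group(name, ip):
    """True if ip belongs to the named object; "Any" matches everything."""
    if name == "Any":
        return True
    return any(ip_address(ip) in ip_network(net) for net in GROUPS[name])


def evaluate(rules, src, dst, proto, dport):
    """First matching rule wins; no match means the implicit drop."""
    for index, rule in enumerate(rules):
        if not (in_group(rule.src, src) and in_group(rule.dst, dst)):
            continue
        if any(SERVICES[s] == (proto, dport) for s in rule.services):
            return rule.action, index
    return "Drop", None


def find_open_rules(rules, dangerous=("domain-udp", "domain-tcp")):
    """Indices of Any->Any accepts for services the FAQ says must be scoped."""
    return [i for i, r in enumerate(rules)
            if r.src == "Any" and r.dst == "Any" and r.action == "Accept"
            and any(s in dangerous for s in r.services)]


# The FAQ's replacement rules, in the order they would appear in the rulebase.
RULEBASE = [
    Rule("all-cp-modules", "all-cp-modules", ("FW1", "FW1_log"), "Accept", "inter-module"),
    Rule("gui-clients", "management-console", ("FW1_Mgmt",), "Accept", "GUI access"),
    Rule("Any", "management-console", ("FW1",), "Accept", "SecuRemote 4.0 topology"),
    Rule("Any", "management-console", ("FW1_topo",), "Accept", "SecureClient 4.1 topology"),
    Rule("Any", "firewall-modules", ("FW1_rdp",), "Accept", "FWZ"),
    Rule("dns-clients", "dns-servers", ("domain-udp",), "Accept", "DNS queries"),
    Rule("dns-clients", "dns-servers", ("domain-tcp",), "Accept", "DNS zone transfer"),
]


def checks(rules=RULEBASE):
    """Verdicts a reviewer wants to see after unchecking the implied rules."""
    return {
        "gui_to_mgmt": evaluate(rules, "10.0.5.7", "10.0.0.10", "tcp", 258)[0],
        "stranger_to_mgmt": evaluate(rules, "203.0.113.9", "10.0.0.10", "tcp", 258)[0],
        "stranger_topo": evaluate(rules, "203.0.113.9", "10.0.0.10", "tcp", 264)[0],
        "client_dns": evaluate(rules, "10.0.3.4", "192.0.2.53", "udp", 53)[0],
        "stranger_dns": evaluate(rules, "203.0.113.9", "192.0.2.53", "udp", 53)[0],
        "open_rules": find_open_rules(rules),
    }


if __name__ == "__main__":
    for name, verdict in checks().items():
        print(f"{name}: {verdict}")
```

Note that "stranger_topo" is accepted: the FAQ's FW1_topo rule is deliberately Any-sourced so that SecureClient users can fetch their topology, so the evaluator reports exactly what the rulebase grants rather than what you might wish it granted. Feeding a rulebase that still contains an Any-to-Any domain-udp accept into `find_open_rules` flags it, which is the explicit-rule equivalent of leaving "Accept Domain Name Queries (UDP)" checked.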