CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Kill firewall connections

  1. #1
    Kill firewall connections

    A few days ago, I suddenly needed to delete some ongoing connections from the connections table so traffic could rematch cleanly against some new rules. I didn't want to cause all connections to rematch, so I wrote this brief script to dump the connections table, search for matches based on specified criteria, and offer to delete just those connections.

    I don't know of any issues with it. It is obviously destructive, as the whole purpose is to destroy table entries. I've tried to add some basic confirmation, but it's still your responsibility if you use it. I have only tested it a limited number of times.

    Code:
    #!/usr/bin/env bash
    # Dump the connections table, select the entries matching the given criteria,
    # and (only after confirmation) delete just those entries.
    
    printUsage()
    {
    	echo "Note: this script must be run as root."
    	echo ""
    	echo "Usage:"
    	echo "$0 [-s IP] [-S port] [-d IP] [-D port] [-P protocol]"
    	echo -e "\t-s IP\t\tSearch for the specified source IP address."
    	echo -e "\t-S port\t\tSearch for the specified source port."
    	echo -e "\t-d IP\t\tSearch for the specified destination IP address."
    	echo -e "\t-D port\t\tSearch for the specified destination port."
    	echo -e "\t-P protocol\tSearch for the specified IP protocol."
    	echo -e "\t-h\t\tPrint this usage information."
    	exit 1
    }
    
    if [ $# -eq 0 ]; then
    	printUsage
    fi
    
    if [ "$EUID" -ne 0 ]; then
    	echo "ERROR: This script must be run as root." >&2
    	echo ""
    	printUsage
    fi
    
    # Defaults are regexes that match any value; each option replaces one of them
    # with the exact hex form "fw tab" prints for that field.
    SOURCE_ADDR="[0-9a-f]+"
    SOURCE_PORT="[0-9a-f]+"
    DEST_ADDR="[0-9a-f]+"
    DEST_PORT="[0-9a-f]+"
    PROTOCOL="[0-9a-f]+"
    
    while getopts ":s:S:d:D:P:h" NUKE_OPTION; do
    	case $NUKE_OPTION in
    	s)
    		# dotted quad -> 8 hex digits, e.g. 10.1.2.3 -> 0a010203
    		SOURCE_ADDR=$(printf '%02x' ${OPTARG//./ })
    		;;
    	S)
    		# decimal port -> 8 hex digits, e.g. 80 -> 00000050
    		SOURCE_PORT=$(printf '%08x' "$OPTARG")
    		;;
    	d)
    		DEST_ADDR=$(printf '%02x' ${OPTARG//./ })
    		;;
    	D)
    		DEST_PORT=$(printf '%08x' "$OPTARG")
    		;;
    	P)
    		# decimal IP protocol number -> 8 hex digits, e.g. 6 (TCP) -> 00000006
    		PROTOCOL=$(printf '%08x' "$OPTARG")
    		;;
    	h)
    		printUsage
    		;;
    	\?)
    		echo "ERROR: Invalid option: -$OPTARG" >&2
    		echo ""
    		printUsage
    		;;
    	:)
    		echo "ERROR: Option -$OPTARG requires an argument." >&2
    		echo ""
    		printUsage
    		;;
    	esac
    done
    
    # Keep only the key part of each matching entry (everything before the ';'),
    # with spaces stripped, which is the form "fw tab -x -e" expects.
    CONNECTIONS=$(fw tab -t connections -u | grep -E "<[0-9a-f]+, $SOURCE_ADDR, $SOURCE_PORT, $DEST_ADDR, $DEST_PORT, $PROTOCOL;" | sed -r 's#<([0-9a-f, ]+);.+#\1#' | sed -r 's# ##g')
    
    # Never reach the delete step with an empty list.
    if [ -z "$CONNECTIONS" ]; then
    	echo "No matching connections found."
    	exit 0
    fi
    
    echo "Matches:"
    echo "$CONNECTIONS"
    
    echo ""
    read -p "Clear these connections? (yes/[no]) " YN
    case $YN in
    	[Yy][Ee][Ss])
    		# One fw tab call per entry; -r keeps xargs from running with no argument.
    		echo "$CONNECTIONS" | xargs -r -n 1 fw tab -t connections -x -e
    		exit 0
    		;;
    	*)
    		echo "Not deleting. Please specify \"yes\" if you want to delete the listed connections."
    		exit 2
    		;;
    esac
    Zimmie
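    The script above greps the hex-formatted key fields of `fw tab -t connections -u` output and feeds the stripped keys to `fw tab -x -e`. The snippet below is an added example, not Zimmie's script: it reproduces that matching logic as small functions and runs it as a dry run against a constructed sample table, so the filter can be checked offline before anything touches a live gateway. The sample lines (`SAMPLE_TABLE`), the helper names (`ip_to_hex`, `num_to_hex`, `match_keys`, `plan_deletes`) and the fields after the `;` are all constructed for the example and are not real gateway data.

```bash
#!/usr/bin/env bash
# Added example (not the original poster's script): offline dry run of the
# connection-matching logic against a constructed sample of
# "fw tab -t connections -u" output.

# Dotted-quad IPv4 -> 8 hex digits, the form fw tab prints (10.1.2.3 -> 0a010203).
ip_to_hex() {
	printf '%02x' $(printf '%s' "$1" | tr '.' ' ')
}

# Decimal port or protocol number -> 8 hex digits (80 -> 00000050, 6 -> 00000006).
num_to_hex() {
	printf '%08x' "$1"
}

# Constructed sample in the shape of fw tab output: the key fields sit before
# the ';'; everything after it is placeholder data, not taken from a gateway.
SAMPLE_TABLE='<00000000, 0a010203, 0000c350, c0a80a05, 00000050, 00000006; 00000001, 00000000, 00000000; 3600/3600>
<00000000, 0a010204, 0000c351, c0a80a05, 00000050, 00000006; 00000001, 00000000, 00000000; 3600/3600>
<00000000, 0a010203, 0000c352, c0a80a06, 000001bb, 00000006; 00000001, 00000000, 00000000; 3600/3600>'

# match_keys SRC SPORT DST DPORT PROTO: each argument is either the hex form
# above or the regex "[0-9a-f]+" meaning "any". Prints the space-stripped key of
# every matching entry, one per line, which is what "fw tab -x -e" takes.
match_keys() {
	printf '%s\n' "$SAMPLE_TABLE" \
		| grep -E "<[0-9a-f]+, $1, $2, $3, $4, $5;" \
		| sed -E 's#<([0-9a-f, ]+);.+#\1#' \
		| sed -E 's# ##g'
}

# plan_deletes: same arguments; prints the fw tab command that would be run for
# each match instead of executing it (the review step before a real deletion).
plan_deletes() {
	match_keys "$@" | while IFS= read -r key; do
		[ -n "$key" ] && printf 'fw tab -t connections -x -e %s\n' "$key"
	done
}

# Example: everything from 10.1.2.3 to TCP port 80, any source port, any destination.
ANY='[0-9a-f]+'
plan_deletes "$(ip_to_hex 10.1.2.3)" "$ANY" "$ANY" "$(num_to_hex 80)" "$(num_to_hex 6)"
```

    Swapping `SAMPLE_TABLE` for the live `fw tab -t connections -u` output turns `match_keys` into the real selector; keeping the selection and the deletion in separate functions makes it easy to look at the planned `fw tab -x -e` lines first, and an empty match list simply produces no commands rather than an `fw tab -x` call with no entry.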

  2. #2
    Re: Kill firewall connections

    Alternatively, use a temporary SAM rule to accomplish this!

  3. #3
    Re: Kill firewall connections

    That would ordinarily be an option, but for complicated and dumb reasons, I can't use SAM rules in this environment.
    Zimmie
