COM/DCOM Problems w/ng R55

Status
Not open for further replies.

rmmagow

Technical User
Jan 2, 2002
93
US
Hi All,
I have a Nokia based internal firewall. It is placed between my web and application servers. Recently the device was upgraded to R55. I don't have direct knowledge of the firewall or NG for that matter, a consulting company generally takes care of the machines. Anyway, this particular FW has one rule, any any any accept (loose firewall !!) BUT it is rejecting some tcp-135 traffic from the web server to the app server. I googled and found some information pointing to a a defender piece of code in the firewall that is on regardless of the rules base. There is mention made of selecting some option to turn off this particular check to let the DCOM traffic run. This particular dropping of traffic is I think a protection against "blaster" type attacks.
Has anyone run into this and successfully set the box so the traffic can pass? If so, can you provide sort of a detailed description of where I should be looking on the dashboard for these "tabs" etc.
Any advise is greatly appreciated.
 
"I googled and found some information pointing to a defender piece of code in the firewall"

Could you be talking about "SmartDefense"? This is located on a tab in SmartDashboard.

Security -- Address Translation -- Smart Defense

Without seeing the output from the logging it's difficult to say what the cause of the drop is. The log will tell you that. You could try putting in a specific rule to allow this port between the two networks.

Also, if you only have one rule, permit IP any any, why go to all the trouble of putting a firewall in? I'm sure that a router would be much cheaper if you don't intend to actually implement any security.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
I had the same problem running on SecurePlatform. To solve it I had to do the following:

PROCEDURE:
1) On the SmartCenter Server stop the firewall services by typing at prompt: cpstop
2) Perform a backup of the $FWDIR/lib/dcerpc.def file.
3) Edit the dcerpc.def file.

Original
/*ALLOW_135 is used to open port
*135 for uuids other then
*dcerpc portmapper.
*/
#ifndef ALLOW_135
#define ALLOW_135 0
#endif

Modified
/*ALLOW_135 is used to open port
*135 for uuids other then
*dcerpc portmapper.
*/
#ifndef ALLOW_135
#define ALLOW_135 1
#endif

4) Save changes and close the dcerpc.def file.
5) Start the firewall services by typing at prompt: cpstart
6) Log into SmartDashboard and install the policy

Just be careful when you edit this file. I don't know how it will look on the Nokia, but on SecurePlatform the "0" is tabbed all the way over to the right and you can miss it (like I did; then you can't install the policy). So make sure you tab all the way over to the 0 and change it to 1 in the place where it is; I think it's a table.
 
Is it flagged as Rule 995? Rule 995 was dropping some of our AD replication.

Rule number 995 means that you had a bind/alter-context request with more than one UUID in it.
It isn't allowed by default, as it has been used in some attacks, but there is an inspect flag that allows it (and keeps the security).

In $FWDIR/lib/dcerpc.def there is a flag

#define NO_ENFORCE_CNTX_NUM 0

That should be changed to

#define NO_ENFORCE_CNTX_NUM 1

Akiwondo (MCSE, CCSE)
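Added example for the two dcerpc.def edits described by servebase and Akiwondo above; this is not code from the thread or from Check Point. It scripts the "back up, edit the #define, verify" part of the procedure so the tab-alignment trap servebase mentions cannot bite: the value is rewritten in place, the whitespace between the name and the value is kept, and the file is re-read afterwards to confirm the new value. It assumes a POSIX sh with sed and grep (SecurePlatform or IPSO both have them); the helper names set_define and get_define are chosen here, the file path $FWDIR/lib/dcerpc.def and the cpstop / cpstart / install-policy steps come from the posts and are still done by hand. Note which flag you flip: per the file's own comment, ALLOW_135 opens port 135 for UUIDs other than the DCE-RPC portmapper, whereas NO_ENFORCE_CNTX_NUM only relaxes the multi-UUID bind/alter-context check that shows up as rule 995, so the latter is the narrower change if rule 995 is what your logs show.

```shell
#!/bin/sh
# Added example, not from the thread or from Check Point: flips a numeric
# "#define NAME value" in $FWDIR/lib/dcerpc.def without hand-editing, keeping
# whatever tabs or spaces sit between the name and the value (the trap servebase
# describes). Assumes POSIX sh, sed and grep. set_define/get_define are names
# chosen here; cpstop/cpstart and the SmartDashboard policy install are still
# done by hand, as in the posts above.

# get_define FILE NAME : print the current numeric value of "#define NAME <n>"
get_define() {
    sed -n "s/^#define[[:space:]]\{1,\}$2[[:space:]]\{1,\}\([0-9]\{1,\}\)[[:space:]]*\$/\1/p" "$1"
}

# set_define FILE NAME VALUE : back the file up, rewrite the value, verify it took.
# Returns 0 on success, 1 if the define is missing or the edit did not land.
set_define() {
    file=$1; name=$2; value=$3
    if [ -z "$(get_define "$file" "$name")" ]; then
        echo "set_define: no numeric #define $name in $file" >&2
        return 1
    fi
    # Step 2 of the procedure: keep a dated copy before touching the file.
    cp "$file" "$file.$(date +%Y%m%d%H%M%S).bak" || return 1
    # \1 = "#define NAME" plus the original whitespace, \2 = any trailing whitespace.
    sed "s/^\(#define[[:space:]]\{1,\}$name[[:space:]]\{1,\}\)[0-9]\{1,\}\([[:space:]]*\)\$/\1$value\2/" \
        "$file" > "$file.tmp" || { rm -f "$file.tmp"; return 1; }
    mv "$file.tmp" "$file" || return 1
    # Re-read the file rather than trusting sed's exit status: a "0" tabbed far to
    # the right is exactly the kind of thing an eyeball check misses.
    [ "$(get_define "$file" "$name")" = "$value" ]
}

# Constructed sample of the two defines quoted in the thread, with the value of
# ALLOW_135 tabbed to the right as servebase saw it on SecurePlatform.
demo() {
    dir=$(mktemp -d) || return 1
    printf '#ifndef ALLOW_135\n#define ALLOW_135\t\t\t\t0\n#endif\n#define NO_ENFORCE_CNTX_NUM 0\n' \
        > "$dir/dcerpc.def"
    # Real use, after cpstop on the SmartCenter:
    #   set_define "$FWDIR/lib/dcerpc.def" NO_ENFORCE_CNTX_NUM 1
    set_define "$dir/dcerpc.def" NO_ENFORCE_CNTX_NUM 1 \
        && echo "NO_ENFORCE_CNTX_NUM -> $(get_define "$dir/dcerpc.def" NO_ENFORCE_CNTX_NUM)"
    set_define "$dir/dcerpc.def" ALLOW_135 1 \
        && echo "ALLOW_135 -> $(get_define "$dir/dcerpc.def" ALLOW_135)"
    cat "$dir/dcerpc.def"
}
demo
```

Run it on the SmartCenter after cpstop, then cpstart and install the policy from SmartDashboard as the procedure says; if set_define returns non-zero, the file still has its old value and the dated .bak next to it is untouched. These defines are inspect code, not rules, which is why an any any any accept rule base does not override them.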
 
Hi All,
Thanks for the replies. I ended up doing what servebase mentioned and it is working. The firewall is loose because I am monitoring what is flowing between the web and application servers. This is a brand new CP install.
 