Disabling Checkpoint stateful inspection

Anyone know off hand if it's possible to disable Checkpoint stateful inspection for particular requests only? I'm running into an issue where NFS packets are getting dropped because Checkpoint's state table already has an established connection and the NFS protocol is sending a SYN to create a new connection.

From RFC 1813 (NFSv3): The typical NFS version 3 protocol failure recovery model uses client time-out and retry to handle server crashes, network partitions, and lost server replies. A retried request is called a duplicate of the original.

Reply to
rodrick.brown
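The drop described in the question comes from the firewall's connection table, not from NFS itself. The following is an added example, not code from the thread or from Checkpoint: a toy stateful inspector whose table still holds the old 5-tuple as ESTABLISHED, so the client's retry SYN on that same tuple is out of state and dropped, while an idle timeout lets the entry age out. The addresses, the port reuse by the client and the timeout values are constructed assumptions.

```python
from dataclasses import dataclass

ESTABLISHED = "ESTABLISHED"


@dataclass(frozen=True)
class Flow:
    """One TCP 5-tuple (protocol fixed to TCP in this model)."""
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    def __init__(self, idle_timeout: float):
        self.idle_timeout = idle_timeout
        # flow -> (state, last_seen); a deliberately simplified state machine
        self.table: dict[Flow, tuple[str, float]] = {}

    def _expire(self, now: float) -> None:
        stale = [f for f, (_, seen) in self.table.items() if now - seen > self.idle_timeout]
        for f in stale:
            del self.table[f]

    def packet(self, flow: Flow, flags: str, now: float) -> str:
        """Return 'ACCEPT' or 'DROP' for one TCP segment on the given flow."""
        self._expire(now)
        entry = self.table.get(flow)
        if "S" in flags and "A" not in flags:  # bare SYN: new connection attempt
            if entry is not None:
                # Table still records this tuple as open: a strict inspector
                # treats the SYN as out of state and drops it (the NFS symptom).
                return "DROP"
            self.table[flow] = (ESTABLISHED, now)  # simplified: SYN -> established
            return "ACCEPT"
        if entry is None:
            return "DROP"  # non-SYN segment with no matching state
        if "R" in flags:
            del self.table[flow]  # an RST seen by the firewall tears the entry down
            return "ACCEPT"
        self.table[flow] = (ESTABLISHED, now)
        return "ACCEPT"


def nfs_retry_scenario(idle_timeout: float) -> list[str]:
    """Client talks to the server, the server dies silently, the client retries."""
    fw = StatefulFirewall(idle_timeout)
    nfs = Flow("10.0.1.20", 1023, "10.0.2.5", 2049)  # constructed client/server pair
    verdicts = [fw.packet(nfs, "S", 0.0), fw.packet(nfs, "A", 1.0)]
    # Server crashes without sending RST; client times out (RFC 1813 retry) and
    # opens a fresh connection from the same privileged source port at t=5.
    verdicts.append(fw.packet(nfs, "S", 5.0))
    return verdicts
```

With a long idle timeout the retry SYN is dropped; with a timeout shorter than the client's retry interval the stale entry has aged out and the retry passes.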

Why do you want to use a firewall, if you let NFS through?

Yours, VB.

Reply to
Volker Birk

That's maybe not the answer to the question. I also run a Checkpoint cluster. This controls traffic to/from the internet, but also traffic on another interface to our subsidiaries, which are reachable through a VPN managed by an ISP.

So, why not allow NFS through a FW in a private WAN?

Best regards, Hans

Reply to
hans m42

Because NFS is an invitation to everybody who wants to compromise your policies. If you let something inherently insecure like NFS through your filtering system, you can drop filtering, too, and you'll have just the same effect.

Yours, VB.

Reply to
Volker Birk

On Thu, 03 Nov 2005 05:36:10 +0100, Volker Birk wrote:

Come on, Volker, there are setups in which this is required.

What about different internal subnets with the NFS server located in one *internal* subnet and the clients in another with the checkpoint box between them?

Wolfgang

Reply to
Wolfgang Kueter

I cannot see that, really.

If you mean "security zone" by "subnet", then the security concept is b0rken. NFS is so insecure that it may not be allowed between zones.

Wolfgang, do you remember that NFS is without any cryptography, and how authorization is done with NFS?

Yours, VB.

Reply to
Volker Birk

No, not everybody. This can be one point of view.

We filter between our subsidiaries. And we do this not because we think we must protect our users from themselves. We filter those ports which are critical for virus and malware attacks. Let's say, we allow some uncritical ports and drop all others.

So we hope a virus cannot propagate all over the corporate network immediately. Didn't see any Microsoft virus based on NFS. Did you?

Best regards, Hans

Reply to
hans m42

Oh yes, of course. NFS is for sharing files, and file infecting viruses are very common in the Windows world.

Yours, VB.

Reply to
Volker Birk

While I agree that such a concept might be called broken, such setups simply do exist in real life.

I agree, but there are locations where circumstances exist that require such setups. The world is far from being ideal.

I'm well aware of the risks of NFS.

Of course it is better to redesign a network, but there are cases where a redesign is hardly possible.

Wolfgang

Reply to
Wolfgang Kueter

Wolfgang Kueter wrote: [NFS through zones]

Yes. "Two things are infinite." And with the universe, he was unsure.

I disagree.

Yes.

Yours, VB.

Reply to
Volker Birk

On Fri, 04 Nov 2005 12:16:55 +0100, Volker Birk wrote:

^^^

You need only 5 lines to contradict yourself, respect.

;-)

Wolfgang

Reply to
Wolfgang Kueter
