The PhoneBoy Blog

Simplifying Telecom, Mobile Phones, Gadgets, Health, and More!

FireWall-1 FAQ: How Can I Disable All Implied Rules (Rulebase Properties)?

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.

I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.

If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)

(Note this applies only to FireWall-1 4,1 and earlier–in NG you can see what all the Implied Rules are and create your own manual rules to allow this traffic.)

Despite the fact that Check Point has made the defaults more sensible in 4.1, it is a good idea to disable those properties which you do not need.  Let us look at each property that can be disabled:

Accept FireWall-1 Control Connections
This means allow various FireWall-1 Modules to communicate via FireWall-1 communication ports. Prior to 4.1, it allowed any host to access FireWall-1 on TCP ports 256, 257, and 258. In 4.1, it only allows these connections from the appropriate hosts as defined in $FWDIR/conf/masters and $FWDIR/conf/gui-clients as appropriate. This also allows your firewall to be accessable on TCP port 256 and/or TCP port 264 from anywhere.
If you wish to uncheck your property, you will need the following rules (as appropriate for your situation):
Source Destination Service Action Track Install-On Comment
all-cp-modules all-cp-modules FW1
Accept all-firewalls Permits FireWall-1 traffic between all management and firewall modules (should be installed eitherbound).
gui-clients management-console FW1_Mgmt Accept gateways Permits those with GUI access to access the management console to modify the security policy
Any management-console FW1 Accept gateways Necessary when setting up a VPN or allowing SecuRemote 4.0 Clients to fetch their encryption domain. 
Any management-console FW1_topo Accept gateways Necessary for Secure Client 4.1 and later clients wish to fetch their encryption domain from a FireWall-1 4.1 management console.
Any firewall-modules FW1_rdp Accept gateways While RDP may be a pre-defined service (it's called RDP), you will need to create a new definition for it as a service of type other if you disable FireWall-1 control connections. This is necessary to permit FWZ encryption to work. For the fields in this new service, input the following:
Match: udp, dport=259
Prologue: accept_fw1_rdp;

Accept UDP Replies

Check Point puts a "virtual state" on top of UDP to permit UDP connections through the firewall. By disabling this property, you are effectively disabling the "virtual state." In this case, you will need to create the necessary UDP services that permit the "reply" packets in.

Accept Outgoing Packets
This property refers to packets leaving the gateway, whether they originate from the firewall or they are routed by the firewall. This property is required when "Apply Gateway Rules to Interface Direction" is "Inbound" else packets will never leave the gateway. This property can be disabled by setting "Apply Gateway Rules to Interface Direction" to Eitherbound (outbound is not recommended).

Enable Decryption on Accept
This will cause FireWall-1 to decrypt packets that it receives encrypted even if there is no explicit rule listing encryption. Note that there still must be a valid rule in the rulebase if the packet is to be accepted through the rulebase. This can be disabled with no ill effect.

Accept RIP
If you are running RIP on your firewall and you require the ability to communicate with other routers via RIP, this property must be checked. Most people who run dynamic routing protocols run OSPF, so this property can generally be safely disabled. If you do need to run RIP but do not wish to use this property, the following rules must be in your rulebase:
Source Destination Service Action Track Install-On Comment
firewall-modules rip-routers
Accept all-firewalls Permits RIP traffic between all firewall modules, routers, and appropriate broadcast addresses (should be installed eitherbound).
rip-routers firewall-modules
Accept gateways Permits RIP traffic from all routers to broadcasts and firewalls.

Accept Domain Name Queries (UDP)

This permits all UDP port 53 traffic from anywhere to anywhere. This is actually a very dangerous setting and should be disabled since non-DNS traffic (such as BackOrifice) could easy use UDP pot 53. Instead, rules of the following form should be added:
Source Destination Service Action Track Install-On Comment
dns-clients dns-servers domain-udp Accept gateways Permits DNS traffic between the appropriate clients and servers.

Accept Domain Name Downloads (TCP)

This is only necessary if your primary and secondary DNS servers are seperated by your firewalls. Again, a dangerous default that should be disabled. In this case, you will add a rule like the following to permit traffic:
Source Destination Service Action Track Install-On Comment
dns-servers dns-servers dns Accept gateways Permits DNS traffic between the primary and secondary DNS servers

Accept ICMP

You can generally disable this property, though you will need to leave it enabled to take advantage of Check Point's Stateful Inspection for ICMP in 4.0.

#Cybersecurity Evangelist, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.