FireWall-1 FAQ: How Can I Disable All Implied Rules (Rulebase Properties)?
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
(Note this applies only to FireWall-1 4,1 and earlier–in NG you can see what all the Implied Rules are and create your own manual rules to allow this traffic.)
Despite the fact that Check Point has made the defaults more sensible in 4.1, it is a good idea to disable those properties which you do not need. Let us look at each property that can be disabled:
- Accept FireWall-1 Control Connections
- This means allow various FireWall-1 Modules to communicate via FireWall-1 communication ports. Prior to 4.1, it allowed any host to access FireWall-1 on TCP ports 256, 257, and 258. In 4.1, it only allows these connections from the appropriate hosts as defined in $FWDIR/conf/masters and $FWDIR/conf/gui-clients as appropriate. This also allows your firewall to be accessable on TCP port 256 and/or TCP port 264 from anywhere.
- If you wish to uncheck your property, you will need the following rules (as appropriate for your situation):
- Check Point puts a "virtual state" on top of UDP to permit UDP connections through the firewall. By disabling this property, you are effectively disabling the "virtual state." In this case, you will need to create the necessary UDP services that permit the "reply" packets in.
- This property refers to packets leaving the gateway, whether they originate from the firewall or they are routed by the firewall. This property is required when "Apply Gateway Rules to Interface Direction" is "Inbound" else packets will never leave the gateway. This property can be disabled by setting "Apply Gateway Rules to Interface Direction" to Eitherbound (outbound is not recommended).
- This will cause FireWall-1 to decrypt packets that it receives encrypted even if there is no explicit rule listing encryption. Note that there still must be a valid rule in the rulebase if the packet is to be accepted through the rulebase. This can be disabled with no ill effect.
- If you are running RIP on your firewall and you require the ability to communicate with other routers via RIP, this property must be checked. Most people who run dynamic routing protocols run OSPF, so this property can generally be safely disabled. If you do need to run RIP but do not wish to use this property, the following rules must be in your rulebase:
- This permits all UDP port 53 traffic from anywhere to anywhere. This is actually a very dangerous setting and should be disabled since non-DNS traffic (such as BackOrifice) could easy use UDP pot 53. Instead, rules of the following form should be added:
- This is only necessary if your primary and secondary DNS servers are seperated by your firewalls. Again, a dangerous default that should be disabled. In this case, you will add a rule like the following to permit traffic:
- You can generally disable this property, though you will need to leave it enabled to take advantage of Check Point's Stateful Inspection for ICMP in 4.0.
Source | Destination | Service | Action | Track | Install-On | Comment |
all-cp-modules | all-cp-modules | FW1
FW1_log |
Accept | all-firewalls | Permits FireWall-1 traffic between all management and firewall modules (should be installed eitherbound). | |
gui-clients | management-console | FW1_Mgmt | Accept | gateways | Permits those with GUI access to access the management console to modify the security policy | |
Any | management-console | FW1 | Accept | gateways | Necessary when setting up a VPN or allowing SecuRemote 4.0 Clients to fetch their encryption domain. | |
Any | management-console | FW1_topo | Accept | gateways | Necessary for Secure Client 4.1 and later clients wish to fetch their encryption domain from a FireWall-1 4.1 management console. | |
Any | firewall-modules | FW1_rdp | Accept | gateways | While RDP may be a pre-defined service (it's called RDP), you will
need to create a new definition for it as a service of type other if you
disable FireWall-1 control connections. This is necessary to permit FWZ
encryption to work. For the fields in this new service, input the following:
Match: udp, dport=259 Prologue: accept_fw1_rdp; |
Accept UDP Replies
Accept Outgoing Packets
Enable Decryption on Accept
Accept RIP
Source | Destination | Service | Action | Track | Install-On | Comment |
firewall-modules | rip-routers
rip-broadcast |
rip
rip-response |
Accept | all-firewalls | Permits RIP traffic between all firewall modules, routers, and appropriate broadcast addresses (should be installed eitherbound). | |
rip-routers | firewall-modules
rip-broadcast |
rip
rip-response |
Accept | gateways | Permits RIP traffic from all routers to broadcasts and firewalls. |
Accept Domain Name Queries (UDP)
Source | Destination | Service | Action | Track | Install-On | Comment |
dns-clients | dns-servers | domain-udp | Accept | gateways | Permits DNS traffic between the appropriate clients and servers. |
Accept Domain Name Downloads (TCP)
Source | Destination | Service | Action | Track | Install-On | Comment |
dns-servers | dns-servers | dns | Accept | gateways | Permits DNS traffic between the primary and secondary DNS servers |
Accept ICMP