From: Yanek Korff (yanekcigital.com)
Date: Wed Nov 14 2001 - 10:27:48 CST
> Checkpoint does crash when being portscanned. Well, sort of.
> Quite simply, when a (stateful) firewall has too many
> entries in the state table (IE it's full) then the box has problems.
> In the case of checkpoint (or at least, this was the case a
> few versions ago) it will crash. (And incidentally, if you are
> synchronising the state table with another firewall for the purposes
> of failover, then they'll both crash).
> IIRC about 25000 connections will do this (less if you are using NAT)
> Checkpoint also holds the 'state entries' for 50 seconds after the
> connection is closed (IE FIN packets are seen), so you have a while to
> reach the magic number.
> My experience was with a Nokia IP440/Checkpoint
> Firewall-4.1SP3, but it sounds as if the same situation may
> be occurring.
Unfortunately, I don't think this is the case. If a table were being filled
up, I'd expect the FW to stay up for some period of time before eventually
crashing. Here are some relevant facts:
1. Linux FW crashes -immediately- before it has the opportunity to log a UDP
packet with tcpdump
2. Scans complete successfully against NT 4.0 and Solaris-x86
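As an added illustration of the accumulation effect described in the quoted message (this is not code from the thread or from any firewall product): a toy connection table that keeps closed entries for a hold time, driven by a scan that opens and immediately closes one flow per probe. With a 50 s hold, a scan keeps 50 × rate entries resident, so the time to reach a 25000-entry ceiling depends only on probe rate. The capacity, hold time and scan rates are constructed parameters, and the table here refuses new flows when full (fail closed) instead of modelling a crash.

```python
"""Toy model of a stateful firewall's connection table under a port scan.

Added example, not code from the thread or from any firewall product. It
models the behaviour described in the quoted report: a closed connection
stays in the table for a hold time (50 s in the report), so a fast scan
keeps the table growing long after each probe has finished. Capacity,
hold time and scan rates are constructed parameters for illustration.
"""
from collections import deque


class StateTable:
    """Fixed-capacity connection table with a post-close hold timer.

    ``entries`` maps a connection key to its expiry time, or None while the
    connection is open.  When the table is full, new connections are refused
    (fail closed) rather than letting the table grow without bound.
    """

    def __init__(self, capacity, hold_after_close):
        self.capacity = capacity
        self.hold_after_close = hold_after_close
        self.entries = {}
        self.closed = deque()   # (expiry, conn) in close order; expiry is monotonic
        self.rejected = 0

    def expire(self, now):
        """Drop closed entries whose hold timer has elapsed."""
        while self.closed and self.closed[0][0] <= now:
            expiry, conn = self.closed.popleft()
            if self.entries.get(conn) == expiry:   # skip stale records of reopened flows
                del self.entries[conn]

    def open(self, conn, now):
        """Register a new flow; return False (and count it) if the table is full."""
        self.expire(now)
        if conn in self.entries:
            self.entries[conn] = None
            return True
        if len(self.entries) >= self.capacity:
            self.rejected += 1
            return False
        self.entries[conn] = None
        return True

    def close(self, conn, now):
        """FIN seen: keep the entry until now + hold_after_close."""
        if conn in self.entries:
            expiry = now + self.hold_after_close
            self.entries[conn] = expiry
            self.closed.append((expiry, conn))

    def live(self, now):
        """Number of entries currently occupying the table."""
        self.expire(now)
        return len(self.entries)


def simulate_scan(rate_per_sec, duration_sec, capacity=25000, hold=50):
    """Drive a scan through the table: each probe opens and closes one flow.

    Returns (peak_live_entries, rejected_probes, first_second_table_was_full).
    The third value is None if the table never filled.
    """
    table = StateTable(capacity, hold)
    peak, full_at = 0, None
    for t in range(duration_sec):
        for i in range(rate_per_sec):
            conn = (t, i)    # unique probe id standing in for the connection 4-tuple
            if table.open(conn, t):
                table.close(conn, t)
            elif full_at is None:
                full_at = t
        peak = max(peak, table.live(t))
    return peak, table.rejected, full_at


if __name__ == "__main__":
    for rate in (300, 600):
        peak, rejected, full_at = simulate_scan(rate, 60)
        print(f"{rate} probes/s: peak {peak} entries, {rejected} refused, full at {full_at}")
```

The steady-state occupancy is simply rate × hold (Little's law): 300 probes/s settles at 15000 entries and never fills a 25000-entry table, while 600 probes/s crosses the ceiling during the 42nd second and keeps refusing probes until the oldest entries start timing out at t = 50. Shortening the post-close hold or capping the table with an explicit refusal policy, as this model does, is what keeps a scan from turning a resource limit into an outage.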