I recently received the following additional information regarding reserved
words/characters when using Firewall-1 objects.

======================================================================

A List of Characters and Reserved Words Forbidden to Use in FireWall-1
Object Definitions

You should definitely avoid using the following characters and reserved
words within FireWall-1 object definitions (i.e., Network Objects, Users,
Groups etc.):

Illegal characters:

  String contains ' '  (space)
  String contains '+'
  String contains '*'
  String contains '?'
  String contains '('
  String contains ')'
  String contains '{'
  String contains '}'
  String contains '['
  String contains ']'
  String contains '!'
  String contains '#'
  String contains '<'
  String contains '>'
  String contains '='
  String contains ','  (comma)
  String contains ':'  (colon)
  String contains ';'  (semicolon)
  String contains '''  (quote)
  String contains '`'  (back quote)
  String contains '"'  (double quote)
  String contains '/'  (slash)
  String contains '\'  (back slash)
  String contains '\t' (tab)

INSPECT reserved words:

  "accept"     "expcall"      "hosts"             "modify"     "pass"            "set"
  "and"        "expires"      "if"                "navy blue"  "r_arg"           "skippeer"
  "black"      "firebrick"    "ifaddr"            "netof"      "r_cdir"          "src"
  "blue"       "foreground"   "ifid"              "nets"       "r_cflags"        "static"
  "broadcasts" "forest green" "in"                "nexpires"   "r_ckey"          "sync"
  "call"       "format"       "inbound"           "not"        "r_connarg"       "targets"
  "date"       "from"         "interface"         "or"         "r_ctype"         "to"
  "day"        "fwline"       "interfaces"        "orange"     "r_entry"         "tod"
  "define"     "fwrule"       "ipsecmethods"      "origdport"  "r_proxy_action"  "ufp"
  "delete"     "gateways"     "ipsecdata"         "origdst"    "r_tab_status"    "vanish"
  "direction"  "get"          "kbuf"              "origsport"  "r_xlate"         "wasskipped"
  "do"         "gold"         "keep"              "origsrc"    "record"          "xlatedport"
  "domains"    "gray 101"     "limit"             "other"      "red"             "xlatedst"
  "drop"       "green"        "log"               "outbound"   "refresh"         "xlatesport"
  "dst"        "hold"         "magenta"           "packet"     "reject"          "xlatesrc"
  "dynamic"    "host"         "medium slate blue" "packetid"   "routers"         "xor"

Scoped reserved words:

  "gateways" "host" "netobj" "resourceobj" "routers" "servobj" "servers"
  "tracks" "targets" "ufp"

Colors reserved words:

  "black" "blue" "cyan" "dark green" "dark orchid" "firebrick" "foreground"
  "forest green" "gold" "gray 101" "green" "magenta" "medium slate blue"
  "navy blue" "orange" "red" "sienna" "yellow"

-Paul Watson

+-------------------------+---------------------------------+
| Paul Watson             | Senior Network Security Engineer|
|                         | IRIDIUM LLC                     |
| paul_watsonat_private   | "One World, One Phone!"         |
+-------------------------+---------------------------------+

Aleph One wrote:
>
> This vulnerability in Firewall-1 has been made public by CheckPoint
> but hasn't been well publicized.
>
> Most of this information is taken verbatim from the CheckPoint web page
> on this issue. You can find this page at
> http://www.checkpoint.com/techsupport/config/keywords.html
>
> Summary:
>
> If you use one of several reserved keywords to represent any user-defined
> object in a rule, the default definition of "ANY" will be used instead.
> This behavior may grant (or deny) access to a greater number of addresses
> or services than expected.
>
> Description:
>
> The following keywords should not be used to represent any user-defined
> object in a FireWall-1 installation:
>
> Short, Long, Account, Alert, SnmpTrap, Mail, UserDefined, spoof,
> spoofalert, Auth, AuthAlert, Duplicate basewin, serviceswin,
> netobjwin, viewwin, users, resources, time, true, false, last,
> first, status_alert, fwalert
>
> If any of these keywords are used to represent either a network or a
> service object and are subsequently used in a security policy, FireWall-1
> will interpret the object definition as "undefined". If no other object is
> used either in the source/destination or service field of the rule, then
> the default address definition of "ANY" is used for that particular field.
>
> Note that in practice only objects in the "tracking" menu of type "alert"
> seem to behave this way. Objects such as "Long", of type "log", do not
> show this behavior.
>
> Example:
>
> If you have a rule that allows SMTP access to a machine called "Mail" on
> your DMZ, you are actually giving SMTP access to any machines behind the
> firewall.
>
> Recommendations
>
> If any of these keywords are defined as network objects or service objects
> and used in a rule base, then the object should be renamed and the
> security policy reloaded.
>
> Additional Notes
>
> Mechanisms are being built into future releases of FireWall-1 to prevent
> using these keywords as user-defined objects.
>
> Aleph One / aleph1at_private
> http://underground.org/
> KeyID 1024/948FD6B5
> Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

--
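A small name checker built from the lists in the post above, added here as an example; it is not part of the original message or of FireWall-1. It assumes case-insensitive matching (the post does not say) and models the fallback-to-ANY behaviour the quoted note describes, so an administrator can lint object names before loading a policy:

```python
# Characters the post forbids in object names: space, tab and the listed
# punctuation.
ILLEGAL_CHARS = frozenset(" \t+*?(){}[]!#<>=,:;'`\"/\\")

# Single-word reserved words gathered from the post (INSPECT, scoped, colour
# names and the tracking keywords in the quoted CheckPoint note). Matching
# is case-insensitive here, an assumption made to err on the safe side.
_SINGLE = """
accept expcall hosts modify pass set and expires if r_arg skippeer black
firebrick ifaddr netof r_cdir src blue foreground ifid nets r_cflags static
broadcasts in nexpires r_ckey sync call format inbound not r_connarg targets
date from interface or r_ctype to day fwline interfaces orange r_entry tod
define fwrule ipsecmethods origdport r_proxy_action ufp delete gateways
ipsecdata origdst r_tab_status vanish direction get kbuf origsport r_xlate
wasskipped do gold keep origsrc record xlatedport domains limit other red
xlatedst drop green log outbound refresh xlatesport dst hold magenta packet
reject xlatesrc dynamic host packetid routers xor
netobj resourceobj servobj servers tracks cyan sienna yellow
short long account alert snmptrap mail userdefined spoof spoofalert auth
authalert duplicate basewin serviceswin netobjwin viewwin users resources
time true false last first status_alert fwalert
"""
# Multi-word entries; these fail the space check too, listed for completeness.
_MULTI = ("navy blue", "forest green", "gray 101", "medium slate blue",
          "dark green", "dark orchid")
RESERVED = frozenset(_SINGLE.split()) | frozenset(_MULTI)

def check_object_name(name):
    """Return the problems found with a proposed object name; [] means OK."""
    problems = []
    bad = sorted({c for c in name if c in ILLEGAL_CHARS})
    if bad:
        problems.append("illegal characters: " + " ".join(repr(c) for c in bad))
    if name.lower() in RESERVED:
        problems.append("reserved word")
    return problems

def effective_field(names):
    """Model of the behaviour the post describes: reserved names count as
    undefined, and a field with no defined object left falls back to ANY."""
    defined = {n for n in names if not check_object_name(n)}
    return defined if defined else "ANY"

if __name__ == "__main__":
    # Constructed example: a DMZ host named "Mail" used as a rule destination.
    for n in ("Mail", "dmz-smtp", "navy blue", "web(1)"):
        print(n, "->", check_object_name(n) or "ok")
    print("destination:", effective_field(["Mail"]))  # -> ANY
```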
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:53:22 PDT