I have always looked for good documentation about fw monitor and I have found 2 usable docs. One is the official PDF and one is a post from a Checkpoint Expert (you can find them in my posts somewhere..)
Actually there is no need to look for documentation on Google, as it is already in your SPLAT firewall; you just have to understand how to use it!
There are 3 files that we can use to build our own complex filters for fw monitor. These files are the best reference for fw monitor!
/etc/protocols - the IDs (protocol numbers) for the protocols.
/opt/CPsuite-R75/fw1/lib/fwmonitor.def - header file with the fw monitor filter definitions
/opt/CPsuite-R75/fw1/lib/tcpip.def - TCP/IP protocol field definitions
Example 1.: Monitor only session initialization
Take a look at the end of tcpip.def and you should find a definition for the "first packet" of a session. It is simply called "first":
    // tcp states
    define syn { th_flags & TH_SYN };
    define fin { th_flags & TH_FIN };
    define rst { th_flags & TH_RST };
    define ack { th_flags & TH_ACK };
    define first { (th_flags & (TH_SYN|TH_ACK))=TH_SYN };
    define established { (th_flags & TH_ACK) or ((th_flags & TH_SYN) = 0) };
    define not_first { not ( th_flags & TH_SYN ) };
    define last { th_flags & TH_FIN, th_flags & TH_ACK };
    define tcpdone { fin or rst };
As you see, there are a lot of predefined states for TCP :-) Let's try with fw monitor whether they really work. Just use the word "first" as the filter:
    # fw monitor -e "accept first;"
    monitor: getting filter (from command line)
    monitor: compiling
    monitorfilter: Compiled OK.
    monitor: loading
    monitor: monitoring (control-C to stop)
    eth1:i[48]: 10.1.1.201 -> 192.168.1.100 (TCP) len=48 id=56570
    TCP: 2479 -> 80 .S.... seq=24ffd56a ack=00000000
    eth1:I[48]: 10.1.1.201 -> 192.168.1.100 (TCP) len=48 id=56570
    TCP: 2479 -> 80 .S.... seq=24ffd56a ack=00000000
    eth2:o[48]: 10.1.1.201 -> 192.168.1.100 (TCP) len=48 id=56570
    TCP: 2479 -> 80 .S.... seq=24ffd56a ack=00000000
    eth2:O[48]: 10.1.1.201 -> 192.168.1.100 (TCP) len=48 id=56570
    TCP: 2479 -> 80 .S.... seq=24ffd56a ack=00000000
It is pretty cool, isn’t it?
Example 2.: Monitor only ICMP
    [Expert@mygwy]# fw monitor -e "accept icmp;"
    monitor: getting filter (from command line)
    monitor: compiling
    monitorfilter: Compiled OK.
Okay, but where is "icmp" declared? Let's look at the following 2 files:
    # less /opt/CPsuite-R75/fw1/lib/fwmonitor.def
    ...
    -- Here is icmp defined. ip_p is the IP protocol field and the value is PROTO_icmp.
    #define icmp (ip_p=PROTO_icmp)
    ...
    -- The other variable, PROTO_icmp, is defined in tcpip.def; fwmonitor.def just refers to that file.
    #include "tcpip.def"
    -- So fwmonitor.def has a reference to tcpip.def. Let's check this file:
    # less /opt/CPsuite-R75/fw1/lib/tcpip.def
    ...
    #define PROTO_icmp 1
    ...
    -- Here we have PROTO_icmp declared with the value "1".
As we know, IP protocol number 1 belongs to ICMP. If you don't, just check the list from IANA:
http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml
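To see what the macros from Example 1 and Example 2 actually select, here is an added example (my own code, not from the post and not Check Point's) that re-implements the tcpip.def TCP-state defines and the fwmonitor.def icmp define in Python and runs them over constructed packets written the way fw monitor prints them. It assumes the TCP flag bit values from RFC 793 and that the flag column in fw monitor output is read in the order F S R P A U.

```python
# Added example: the tcpip.def / fwmonitor.def macros as Python predicates.
# Assumptions: RFC 793 flag bits; fw monitor flag column order "FSRPAU".
TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
PROTO_icmp, PROTO_tcp = 1, 6              # values as declared in tcpip.def / IANA

def flags_from_monitor(col):
    """Turn a fw monitor flag column such as '.S..A.' into a th_flags byte."""
    order = "FSRPAU"                      # assumed column order, LSB first
    return sum(1 << i for i, ch in enumerate(col) if ch == order[i])

def syn(f): return bool(f & TH_SYN)       # define syn { th_flags & TH_SYN }
def fin(f): return bool(f & TH_FIN)       # define fin { th_flags & TH_FIN }
def rst(f): return bool(f & TH_RST)       # define rst { th_flags & TH_RST }
def ack(f): return bool(f & TH_ACK)       # define ack { th_flags & TH_ACK }
def first(f):                             # (th_flags & (TH_SYN|TH_ACK)) = TH_SYN
    return (f & (TH_SYN | TH_ACK)) == TH_SYN   # SYN set and ACK clear: the opener only
def established(f):                       # (th_flags & TH_ACK) or ((th_flags & TH_SYN) = 0)
    return ack(f) or not syn(f)
def not_first(f): return not syn(f)       # note: also excludes the server's SYN/ACK
def last(f): return fin(f) and ack(f)     # the comma in INSPECT is a logical AND
def tcpdone(f): return fin(f) or rst(f)   # define tcpdone { fin or rst }
def icmp(ip_p): return ip_p == PROTO_icmp # #define icmp (ip_p=PROTO_icmp)

TCP_FILTERS = {"syn": syn, "fin": fin, "rst": rst, "ack": ack, "first": first,
               "established": established, "not_first": not_first,
               "last": last, "tcpdone": tcpdone}

def matching_filters(ip_p, flag_col=None):
    """Names of the predefined filters whose 'accept <name>;' would show this packet."""
    names = ["icmp"] if icmp(ip_p) else []
    if ip_p == PROTO_tcp and flag_col is not None:
        f = flags_from_monitor(flag_col)
        names += [n for n, pred in TCP_FILTERS.items() if pred(f)]
    return names

# Constructed sample packets, in the shape fw monitor prints them.
SAMPLE = [(PROTO_tcp, ".S...."),    # client SYN, as in Example 1's output
          (PROTO_tcp, ".S..A."),    # server SYN/ACK
          (PROTO_tcp, "....A."),    # mid-session ACK
          (PROTO_tcp, "F...A."),    # FIN/ACK teardown
          (PROTO_icmp, None)]       # ICMP, no TCP flags at all

if __name__ == "__main__":
    for ip_p, col in SAMPLE:
        print(ip_p, col, matching_filters(ip_p, col))
```

Only the client's SYN satisfies "first", while the SYN/ACK already counts as "established", which is why Example 1 shows one packet per inspection point (i, I, o, O) and nothing from the server side.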
Would you like to play with fw monitor and check more of the predefined filters? If I may suggest some music for that, just follow the link.
Pearl Jam – La Plata Argentina 2011
Petslack
June 17, 2013
Love the trick and love the music dude!!!