Yesterday I saw a strange problem – connections from outside to Exchange in a LAN timed out, while in Tracker all connections to port 25 were in green. The strange thing was that through client-to-site VPN and from inside the LAN everything worked perfectly well. So I wasn’t 100% sure it wasn’t the firewall causing this. The next best way to check it would be to telnet from inside the NGX (R65 in this case) to port 25 on Exchange by its LAN IP … only that Checkpoint doesn’t include a telnet client in their Splat. If I had enough time I’d compile a telnet client statically on some Linux box with the same kernel/libraries and then copy it to the NGX for testing, but to do it ASAP I hacked together a small AWK script that emulates telnet (just enough for a test); the scripts are below.
BTW this script made it 100% clear there was some problem with Exchange, over which I had no control – from the firewall its port 25 answered very erratically – once OK, 10 times connection refused. So after a double check the client found that from LAN and VPN it also wasn’t as stable as he first thought.
General telnet client script:
[Expert@cp]# awk -v ip=192.168.0.1 -v port=25 -f telnet.awk
Where:
ip - IP to connect to
port - port to connect to
#!/usr/bin/awk -f
# This is a simple telnet emulation script, the purpose of which
# is to try to connect to a given IP on a given port using TCP
# and print to the terminal the first line received from the server
# if the session is established. It has no functionality but to
# establish a TCP connection and print out received text from the
# server; after that it just exits. It was created to debug
# connectivity issues on a Checkpoint NGX firewall that has no
# built-in telnet client.
# Client
BEGIN {
    # gawk special file name: /inet/tcp/<local port, 0 = any>/<remote host>/<remote port>
    service = "/inet/tcp/0/" ip "/" port
    # Read the first line the server sends (for port 25, the SMTP banner)
    service |& getline
    print $0
    close(service)
}
Next is the same script with an add-on for port 80 – to get some response from a web server:
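#!/usr/bin/awk -f
BEGIN {
    Portandip = "/inet/tcp/0/" ip "/" port
    # HTTP/1.1 needs a Host header and CRLF line endings; "Connection: close"
    # makes the server hang up after the reply, so the read loop below ends
    printf "GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n", ip |& Portandip
    # Print everything the server sends back
    while ((Portandip |& getline) > 0)
        print $0
    close(Portandip)
}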
PS Thanks to Aibulat (see comments) for the info; it turns out there is a telnet client available on the Splat CD-ROM. It is just not installed by default when installing Splat.
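The post found port 25 answering erratically (once OK, ten times refused), which a single probe can easily miss. The gawk script below is an added example, not the author's code: it repeats the same /inet/tcp probe and tallies the outcomes. The tries variable, the one-second pause and the file name probe.awk are assumptions of this example.

```awk
#!/usr/bin/awk -f
# Added example (not the author's script): repeat the TCP probe and tally results.
# Usage: awk -v ip=192.168.0.1 -v port=25 -v tries=10 -f probe.awk
# "tries", the 1-second pause and the name probe.awk are assumptions of this example.
BEGIN {
    if (ip == "" || port == "") {
        print "usage: awk -v ip=ADDR -v port=N [-v tries=N] -f probe.awk" > "/dev/stderr"
        exit 2
    }
    if (tries == "") tries = 10
    service = "/inet/tcp/0/" ip "/" port
    for (i = 1; i <= tries; i++) {
        # getline returns 1 when a line was read, 0 on EOF, -1 if the connect failed
        rc = (service |& getline line)
        if (rc > 0) {
            ok++
            sub(/\r$/, "", line)
            # An SMTP server greets with a 3-digit reply code; 220 means "service ready"
            if (port == 25 && line !~ /^220[ -]/) odd++
            printf "%2d: connected, first line: %s\n", i, line
        } else if (rc == 0) {
            empty++
            printf "%2d: connected, closed without data\n", i
        } else {
            failed++
            printf "%2d: connect failed (%s)\n", i, ERRNO
        }
        # Close so the next iteration opens a fresh TCP connection
        close(service)
        if (i < tries) system("sleep 1")
    }
    printf "%d tries: %d answered, %d closed silently, %d failed\n", tries, ok + 0, empty + 0, failed + 0
    if (port == 25) printf "non-220 SMTP greetings: %d\n", odd + 0
    # Non-zero exit status if any attempt did not get an answer
    exit (failed + empty > 0)
}
```

If the server accepts the connection but never sends a line, getline blocks, so this probe suits services that speak first, such as SMTP on port 25.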
Thanks this is very helpful.
Great site….hope you have more updates.
T.S
Comment by Tom S. — December 1, 2008 @ 3:15 am
There is telnet client in cd
#expert
#mount /mnt/cdrom
#cd /mnt/cdrom/SecurePlatform/RPMS
#rpm -i telnet-0.17*
Comment by Aibulat — February 10, 2009 @ 9:28 am
Thanks for the info, indeed there is a telnet client/server that doesn’t get installed by default.
Comment by yurisk — February 10, 2009 @ 7:17 pm
Nice Blog,
saw Checkpoint has what they call “Add-On Utils”
but only for Kernel 2.4
has Telnet, Minicom and vixie-cron
release notes : http://downloads.checkpoint.com/dc/download.htm?ID=3168
-Somynona
Comment by Somynona — July 18, 2009 @ 6:29 pm
Thanks
Probably R55 didn’t have telnet at all so this add-on. NGX has telnet/telnetd on Splat disk already available.
Comment by yurisk — July 18, 2009 @ 6:53 pm