Telnet from inside Checkpoint firewall

Yesterday I saw a strange problem: a connection from outside to an Exchange server in the LAN timed out, while in Tracker all connections to port 25 were shown in green (accepted). Stranger still, through the client-to-site VPN and from inside the LAN everything worked perfectly, so I wasn't 100% sure the firewall wasn't causing it. The next best way to check would be to telnet from inside the NGX (R65 in this case) to port 25 on Exchange by its LAN IP ... only that Check Point doesn't include a telnet client in SPLAT. With enough time I'd have compiled a telnet client statically on some Linux box with the same kernel/libraries and copied it to the NGX for testing, but to do it ASAP I hacked together a small AWK script that emulates telnet (just enough for a test). Both scripts are below.

BTW, this script made it 100% clear there was a problem with Exchange over which I had no control: from the firewall its port 25 answered very erratically, once OK, then ten times connection refused. After a double check the client found that from the LAN and the VPN it also wasn't as stable as he first thought.

General telnet client script. It is run from expert mode like this:

[Expert@cp]# awk -v ip=192.168.0.1 -v port=25 -f telnet.awk

Where:

ip - IP to connect to

port - port to connect to

#!/usr/bin/awk -f
# This is a simple telnet emulation script whose purpose is to try to
# connect to a given IP on a given port using TCP and print to the
# terminal the first line received from the server if the session is
# established. It has no functionality beyond establishing a TCP
# connection and printing the received text from the server; after
# that it just exits. It was created to debug connectivity issues on a
# Checkpoint NGX firewall that has no built-in telnet client.
# It relies on gawk (the awk shipped with SPLAT): the special file
# /inet/tcp/<local-port>/<remote-host>/<remote-port> opens a TCP socket,
# and local port 0 means "any free port". ip and port come from -v.
# Client
BEGIN {
	# open the socket and read one line (the server banner) from it
	("/inet/tcp/0/" ip "/" port) |& getline
	print $0
	close(("/inet/tcp/0/" ip "/" port))
}

Next is the same script with an add-on for port 80, to get some response from a web server:

#!/usr/bin/awk -f
# Same idea for a web server: send a minimal HTTP request once the
# connection is up, then print every line the server returns.
BEGIN {
	Portandip = ("/inet/tcp/0/" ip "/" port)
	# HTTP/1.1 needs a Host header; Connection: close makes the server
	# close the socket after the response so the read loop terminates.
	printf "GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n", ip |& Portandip
	while ((Portandip |& getline) > 0)
		print $0
	close(Portandip)
}
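The erratic behaviour seen above (once OK, then ten times refused) is easier to pin down when the probe is repeated and the outcomes counted. The following gawk script is an added example, not from the original post; it assumes gawk 4.2 or newer (READ_TIMEOUT in PROCINFO, and a failed connect making getline return -1 instead of aborting) and takes ip, port and a hypothetical tries variable via -v.

```awk
#!/usr/bin/awk -f
# Added example, not from the original post: repeat the /inet/tcp probe
# several times and tally the outcomes, so an erratic service shows up
# as numbers instead of repeated manual runs.
# Assumes gawk 4.2 or newer: READ_TIMEOUT in PROCINFO bounds the wait
# for a banner, and a refused connect makes getline return -1 rather
# than exiting with a fatal error (older gawk, e.g. on R65, aborts).
# ip, port and tries are set with -v on the command line, e.g.:
#   awk -v ip=192.168.0.1 -v port=25 -v tries=10 -f tcpprobe.awk
BEGIN {
	if (ip == "" || port == "") {
		print "usage: awk -v ip=<addr> -v port=<port> [-v tries=N] -f tcpprobe.awk" > "/dev/stderr"
		exit 2
	}
	if (tries == "")
		tries = 10
	sock = "/inet/tcp/0/" ip "/" port
	PROCINFO[sock, "READ_TIMEOUT"] = 5000   # ms to wait for the banner line
	ok = nobanner = failed = 0
	for (i = 1; i <= tries; i++) {
		rc = (sock |& getline line)
		if (rc > 0) {
			# connected and the server sent its banner / first line
			ok++
			printf "try %2d: ok        %s\n", i, line
		} else if (rc == 0) {
			# connected, but the peer closed before sending anything
			nobanner++
			printf "try %2d: no banner\n", i
		} else {
			# connect failed (refused, unreachable) or the read timed
			# out; ERRNO carries the reason
			failed++
			printf "try %2d: failed    %s\n", i, ERRNO
		}
		close(sock)
	}
	printf "summary: %d ok, %d no banner, %d failed out of %d tries\n",
	       ok, nobanner, failed, tries
	exit (ok == tries ? 0 : 1)
}
```

Setting GAWK_SOCK_RETRIES=1 in the environment before running it stops gawk from silently retrying a refused connect, so each failed try is reported without delay.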
