
AW: [FW1] reason: tried to open tcp service port



Whenever an FTP connection tries to open a port that the firewall knows as a
service, the connection is blocked with exactly the message you have in your
logs.
 
Check Point says there are several things you can do (and it works, since I
had the same problems):
 
1. Delete the FireWall-1 service(s) that are causing the problem. This is the
   easiest solution, but is not always feasible.
   (Below you can find the list of pre-defined high-port TCP services.)

2. Delete the FireWall-1 service(s) that are causing the problem, and recreate
   them as a service type of 'Other'. That way FireWall-1 will not see them as
   known TCP services. Please see this link for information on how to do this:
   How to manually define a TCP port range

3. Perform a base.def modification to keep FireWall-1 from comparing against
   these known services. Always back up any file before modifying it, and make
   sure you use a UNIX-based editor such as vi to edit this file. NT editors
   place carriage return / line feeds at the end of the text. If you are using
   the base.def on an NT machine, use edit.com from the command prompt rather
   than Notepad or Wordpad.

   Make this modification on the Management server to your $FWDIR/lib/base.def,
   then stop/start the FireWall, and re-install the rulebase.
 
   <base.def> original:
   // ports which are dangerous to connect to
   define NOTSERVER_TCP_PORT(p) {
       (not
           (
               ( p in tcp_services, set sr10 RCODE_TCP_SERV, set sr11 0,
                 set sr12 p, set sr1 0, log bad_conn)
               or
               ( p < 1024, set sr10 RCODE_SMALL_PORT, set sr11 0, set sr12 p,
                 set sr1 0, log bad_conn)
           )
       )
   };

   is changed to:
   // ports which are dangerous to connect to
   define NOTSERVER_TCP_PORT(p) {
       (not
           ( p < 1024, set sr10 RCODE_SMALL_PORT, set sr11 0, set sr12 p,
             set sr1 0, log bad_conn)
       )
   };

   You need to re-install the policy for the changes to take effect.

   List of pre-defined high-port TCP services:
 
   1235 vosaic-ctrl
   1352 lotus 
   1494 Winframe
   1503 T.120 (NetMeeting)
   1521 sqlnet
   1525-1526 sqlnet2
   1570-1571 Orbix
   1720 H323 (iphone)
   1723 pptp
   1755 NetShow
   2000 OpenWindows 
   2049 nfsd-tcp
   2299 PCtelecommute
   2626 AP-Defender, AT-Defender
   2649,2651 IIOP
   2998 RealSecure
   5190 AOL
   5510 SecurID-prop
   5631 PCanywhere
   6000-6063 X11
   6499 IS411
   6660-6670 IRC
   7000 IRC2
   7070 RealAudio
   12468-12469 WebTheater
   16384 ConnectedOnline
   18181-18184 CVP, UFP, SAM, LEA
   18187 ELA
 
 
Timo
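To make the behaviour concrete, here is an added example (my own code, not Check Point's and not part of Timo's or Brian's posts) that models the NOTSERVER_TCP_PORT check applied to an FTP PORT command: it parses the data port the client asks for, compares it against the pre-defined high-port service list from the post above and against the p < 1024 test, and returns the reject reason, with a flag to switch between the original macro and the modified one that drops the service comparison. The log wording for the small-port case, the helper names and the sample PORT commands are assumptions; only the "tried to open tcp service port, port:lotus" text is taken from the log line in the thread.

```python
"""Model of FireWall-1's NOTSERVER_TCP_PORT check on FTP PORT commands.

Added example, not Check Point code. The service table is the pre-defined
high-port list from the post; function names, the small-port log wording and
the ephemeral-port range used below are assumptions.
"""
from typing import Dict, List, Optional

# Pre-defined high-port TCP services (port -> name), from the list in the post.
TCP_SERVICES: Dict[int, str] = {}


def _add(name: str, *ports: int) -> None:
    for p in ports:
        TCP_SERVICES[p] = name


_add("vosaic-ctrl", 1235)
_add("lotus", 1352)
_add("Winframe", 1494)
_add("T.120", 1503)
_add("sqlnet", 1521)
_add("sqlnet2", 1525, 1526)
_add("Orbix", 1570, 1571)
_add("H323", 1720)
_add("pptp", 1723)
_add("NetShow", 1755)
_add("OpenWindows", 2000)
_add("nfsd-tcp", 2049)
_add("PCtelecommute", 2299)
_add("AP-Defender/AT-Defender", 2626)
_add("IIOP", 2649, 2651)
_add("RealSecure", 2998)
_add("AOL", 5190)
_add("SecurID-prop", 5510)
_add("PCanywhere", 5631)
_add("X11", *range(6000, 6064))
_add("IS411", 6499)
_add("IRC", *range(6660, 6671))
_add("IRC2", 7000)
_add("RealAudio", 7070)
_add("WebTheater", 12468, 12469)
_add("CVP/UFP/SAM/LEA", *range(18181, 18185))
_add("ELA", 18187)


def parse_port_command(line: str) -> int:
    """Return the data port requested by an FTP 'PORT h1,h2,h3,h4,p1,p2' line."""
    verb, _, args = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    fields = [int(x) for x in args.split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError("malformed PORT argument")
    return fields[4] * 256 + fields[5]


def notserver_tcp_port(port: int, compare_services: bool = True) -> Optional[str]:
    """Mirror of the base.def macro: None if the port may be opened, else the
    reject reason.  compare_services=True is the original macro (service table
    plus p < 1024); False is the modified macro that keeps only p < 1024."""
    if compare_services and port in TCP_SERVICES:
        # Reason text as seen in the FW-1 log in the thread.
        return f"tried to open tcp service port, port:{TCP_SERVICES[port]}"
    if port < 1024:
        # Wording for RCODE_SMALL_PORT is assumed, not taken from a real log.
        return f"tried to open small port, port:{port}"
    return None


def check_port_command(line: str, compare_services: bool = True) -> Optional[str]:
    """Parse a PORT command and run the macro on the requested port."""
    return notserver_tcp_port(parse_port_command(line), compare_services)


def blocked_ports_in_range(lo: int, hi: int) -> List[int]:
    """Ports in [lo, hi) that the original macro would reject because they are
    known services; shows why only some FTP sessions fail."""
    return sorted(p for p in range(lo, hi) if p in TCP_SERVICES)


if __name__ == "__main__":
    # Constructed sample: client (10.1.2.3) asks the server to connect back
    # to 5*256+72 = 1352, the port FW-1 knows as 'lotus'.
    print(check_port_command("PORT 10,1,2,3,5,72"))
    print(check_port_command("PORT 10,1,2,3,5,72", compare_services=False))
    # Assumed client ephemeral range 1024-4999: count the colliding ports.
    print(blocked_ports_in_range(1024, 5000))
```

The `blocked_ports_in_range` call is the interesting one for Brian's symptom: with the client picking data ports from an assumed 1024-4999 range, 19 of the 3976 possible ports land on a pre-defined service, which matches "out of multiple FTP sessions, this only happens a few times". Option 3 (the modified macro) makes `compare_services=False` the firewall's behaviour; option 2 shrinks `TCP_SERVICES` instead.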

-----Original Message-----
From: Brian Noecker [mailto:[email protected]]
Sent: Saturday, January 27, 2001 19:34
To: '[email protected]'
Subject: [FW1] reason: tried to open tcp service port

I'm getting some weird FTP issues that maybe someone can help with.  We've
got an application that does an FTP upload to a remote server.  This process
usually works fine with the current FW rules but we've been seeing the
following lately on one application server in the log:
 
Reject    rule 0    ftp (destination port)     1344 (s_port)        Info:
reason: tried to open tcp service port, port:lotus
 
I've seen this with port:lotus, port:vosaic-ctrl and port:nfsd-tcp.
 
I checked the network services; lotus is listed as port 1352.
 
Out of multiple FTP sessions, this only happens a few times, but we have
been able to catch a connection closed when doing a manual FTP, looking
around, and then doing an ls or other random command.
 
Ideas?


Thanks ahead of time.
 
Brian
 
 

-----Original Message-----
From: Michael Liberte [mailto:[email protected]]
Sent: Friday, January 26, 2001 3:06 PM
To: 'Mark Squire'; '[email protected]'
Subject: RE: [FW1] Rainwall


Rainwall, even the latest version, isn't very good at load balancing VPNs.
It does load balancing for SR; however, it can only do load SHARING for
site-to-site VPNs.
It works well on NT and Solaris; Linux support still needs some
improvements.
Rainwall is OPSEC-compliant and it can send logs to an ELA proxy, but it has its
own management tools.
 
Cheers,
Michael.

-----Original Message-----
From: Mark Squire [mailto:[email protected]]
Sent: Friday, January 26, 2001 10:51 PM
To: '[email protected]'
Subject: [FW1] Rainwall



Hi all, 
So now I am curious.  Have any of you set up your firewalls redundantly
using Rainwall?  Did you use VPN and SecuRemote?  If so I would like to ask
you some questions (I sound like a Jenny Jones commercial about security).

1. If you have used this product, what do you think about how well it
handles VPN load balancing?
2. What about load balancing of the rest of the traffic?
3. What platform do you use (i.e. NT, AIX)?
4. How well, and how, does it work with Check Point? Does it work through the
policy editor somehow?

I would be very interested in any experiences any of you can share about
Rainwall. 

C:\Mark 



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================



 
   All contents © 2004 Network Presence, LLC. All rights reserved.