Re: FW1 and tcp ports 256, 257 and 258
At 10:26 AM 8/9/99 -0400, Vic Metcalfe wrote:
Hi,

I recently installed Checkpoint Firewall-1 on an NT Server, and I found something odd when I was checking it with a series of port scans. Everything turned out as expected except for open tcp ports 256, 257 and 258. What makes this stranger is that these ports were only found open on a bogus address used for NAT from the Internet to a Domino server inside the LAN. There were only three (non-implicit) rules, one for traffic to the Domino server, one for traffic from the Domino server, and one to reject all other packets, to make the port scan go more smoothly.

If this is a FAQ then you have my apologies; please just point me in the right direction.
Sounds like you accepted the Firewall-1 default of "Accept Firewall-1 Control Connections". When you do this, you open up these ports. From www.phoneboy.com:

TCP Port 256 is used for three important things:
- Exchange of CA and DH keys in FWZ and SKIP encryption between two FireWall-1 Management Consoles.
- A SecuRemote Client uses this port to fetch the network topology and encryption key from a FireWall-1 Management Console.
- When installing a policy, the management console uses this port to push the policy to the remote firewall.

TCP Port 257 is used by a remote firewall module to send logs to a management console.

TCP Port 258 is used by the fwpolicy remote GUI.

Some fw-1 admins reject the defaults and add explicit rules for connections to these ports.
-- Joe
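The check Vic ran by hand, as a small audit script: it probes every address the firewall answers for (including NAT addresses, where the original poster found the ports) for TCP 256, 257 and 258 and names the FireWall-1 service behind each open one. This is an added example, not code from the thread or from Check Point; the addresses are constructed TEST-NET values and the port descriptions come from the reply above.

```python
import socket
from typing import Callable, Dict, Iterable

# FireWall-1 control-connection ports and what the reply says each carries.
FW1_CONTROL_PORTS: Dict[int, str] = {
    256: "key exchange / SecuRemote topology download / policy push",
    257: "log forwarding from a firewall module to the management console",
    258: "fwpolicy remote GUI",
}

def tcp_connect_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Full TCP connect; True only if the handshake completes (the port accepts)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit_fw1_control_ports(
    hosts: Iterable[str],
    probe: Callable[[str, int], bool] = tcp_connect_probe,
) -> Dict[str, Dict[int, str]]:
    """For each address, return {port: description} of control ports that accept connections.

    Run this from outside the firewall against every address it answers for,
    NAT addresses included, since the default property opens the ports on all of them.
    The probe is injectable so the logic can be exercised without a network.
    """
    return {
        host: {p: d for p, d in FW1_CONTROL_PORTS.items() if probe(host, p)}
        for host in hosts
    }

def format_findings(findings: Dict[str, Dict[int, str]]) -> str:
    """Human-readable summary; an address with no open control ports is reported as clean."""
    lines = []
    for host, ports in findings.items():
        if not ports:
            lines.append(f"{host}: no FW-1 control ports reachable")
            continue
        for port, desc in sorted(ports.items()):
            lines.append(f"{host}: tcp/{port} open ({desc}); restrict to the management console")
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed example addresses (RFC 5737 TEST-NET); replace with your firewall's
    # external interface address and every NAT address it holds.
    targets = ["192.0.2.1", "192.0.2.10"]
    print(format_findings(audit_fw1_control_ports(targets)))
```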