Re: FW1 and tcp ports 256, 257 and 258
At 10:26 AM 8/9/99 -0400, Vic Metcalfe wrote:

Hi,

I recently installed Checkpoint Firewall-1 on an NT Server, and I found something odd when I was checking it with a series of port scans. Everything turned out as expected except for open tcp ports 256, 257 and 258. What makes this stranger is that these ports were only found open on a bogus address used for NAT from the Internet to a Domino server inside the LAN. There were only three (non-implicit) rules, one for traffic to the Domino server, one for traffic from the Domino server, and one to reject all other packets, to make the port scan go more smoothly.

If this is a FAQ then you have my apologies; please just point me in the right direction.
Sounds like you accepted the Firewall-1 default of "Accept Firewall-1 Control Connections". When you do this, you open up these ports. From www.phoneboy.com:

TCP Port 256 is used for three important things:
  - Exchange of CA and DH keys in FWZ and SKIP encryption between two FireWall-1 Management Consoles.
  - A SecuRemote Client uses this port to fetch the network topology and encryption key from a FireWall-1 Management Console.
  - When installing a policy, the management console uses this port to push the policy to the remote firewall.

TCP Port 257 is used by a remote firewall module to send logs to a management console.

TCP Port 258 is used by the fwpolicy remote GUI.

Some fw-1 admins reject the defaults and add explicit rules for connections to these ports.
-- Joe
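An added illustration of the point in this thread, not code from the original posters or from Check Point: a small model of how the implied "Accept FireWall-1 Control Connections" rule is evaluated ahead of the explicit rulebase, so a trailing reject-all rule never blocks TCP 256-258, and how an explicit rule restricted to the management console closes them. All addresses are constructed placeholder labels; treating the NAT address as one the firewall answers for is an assumption that matches what the poster observed.

```python
from dataclasses import dataclass

# TCP ports opened by the "Accept FireWall-1 Control Connections" implied rule,
# with the uses the phoneboy.com excerpt lists for each.
FW1_CONTROL_PORTS = {256: "key exchange / topology fetch / policy push",
                     257: "log forwarding to the management console",
                     258: "fwpolicy remote GUI"}

@dataclass(frozen=True)
class Rule:
    src: str              # "any" or a single address label
    dst: str
    ports: frozenset      # empty frozenset means any port
    action: str           # "accept" or "reject"

def _hit(field, wanted):
    return wanted == "any" or wanted == field

def evaluate(rules, accept_control_conns, fw_addrs, src, dst, port):
    """Action for one TCP packet. The implied control-connection rule is
    checked before the explicit rulebase, so a trailing reject-all rule
    never sees these packets."""
    if accept_control_conns and dst in fw_addrs and port in FW1_CONTROL_PORTS:
        return "accept:implied"
    for r in rules:
        if _hit(src, r.src) and _hit(dst, r.dst) and (not r.ports or port in r.ports):
            return r.action
    return "drop:implicit"

# Constructed scenario with placeholder labels, not real addresses. The NAT
# address is listed among those the firewall answers for, as the poster observed.
FW_ADDRS = {"fw-external", "domino-nat"}
MGMT = "mgmt-console"
DEFAULT_RULES = [Rule("any", "domino-nat", frozenset({80, 1352}), "accept"),
                 Rule("domino-nat", "any", frozenset(), "accept"),
                 Rule("any", "any", frozenset(), "reject")]
# Hardened variant: implied rule switched off, explicit rule limited to the console.
HARDENED_RULES = [Rule(MGMT, "fw-external", frozenset(FW1_CONTROL_PORTS), "accept")] + DEFAULT_RULES

def scan(rules, implied, src, dst):
    """Control ports a host at `src` would find accepted on `dst`."""
    return sorted(p for p in FW1_CONTROL_PORTS
                  if evaluate(rules, implied, FW_ADDRS, src, dst, p).startswith("accept"))

if __name__ == "__main__":
    print("default rulebase, Internet -> NAT address:", scan(DEFAULT_RULES, True, "internet-host", "domino-nat"))
    print("hardened, Internet -> NAT address:", scan(HARDENED_RULES, False, "internet-host", "domino-nat"))
    print("hardened, console -> firewall:", scan(HARDENED_RULES, False, MGMT, "fw-external"))
```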