
[FW1] FTP: tried to open TCP service port





I have clients on our internal network who need to FTP files to a server in
the DMZ.  They run in PASV mode.  The data transfers are killed when the
client requests a port that the firewall sees as a TCP service (client
request is passed but server response is dropped).  I do have TCP services
that I have defined but these are not the only ports which are causing
problems.
	According to Phoneboy:

One workaround would be to define the service as type Other with the
following in the Match field: 

tcp, th_dport >= x, th_dport <= y 

where x and y are the endpoints to your port range. 

Another workaround is to disable the check for services by editing
$FWDIR/lib/base.def. In FireWall-1 4.0, you will also need to make this
change in $FWDIR/lib30/base.def. Change the macro definition for
NOTSERVER_TCP_PORT to: 

#define NOTSERVER_TCP_PORT(p) ( p > 1024 ) 

Since this could possibly expose your machines to specific services, this is
not recommended. 

	I have no issue with changing the definition of the services I have
defined.  What is the best way of dealing with the services that are already
defined (i.e. lotus, AT-Defender, openWindows, vosaic-ctrl, SQLnet-1,
realsecure)?
The clients are running WS_FTP and the port range they request is 1024-5000.
	Is this the best way to deal with the FTP service port issue, or is
it actually better to modify base.def?  I would rather deal with this by
modifying the individual services than have the firewall stop protecting
ports it has associated with services.

Any input would be greatly appreciated.

John Scott
john.scott@octanner.com
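As an added illustration (written for this page, not code from the original post, from Phoneboy's FAQ or from Check Point), the following Python models the two mechanisms the post discusses: the check the FTP security server applies to the data port announced in a PASV reply, under the stock macro and under the relaxed `( p > 1024 )` macro, and the type-Other match string `tcp, th_dport >= x, th_dport <= y`. The stock definition of NOTSERVER_TCP_PORT is not shown in the post; the model assumes it refuses data ports at or below 1024 and ports that match a service defined as type TCP. The port numbers for the named predefined services are the usual IANA assignments and are an assumption here, not taken from the post; the PASV reply is constructed.

```python
from __future__ import annotations

import operator
import re

# Constructed table of services defined as type TCP, modelled on the predefined
# ones the post names. Port numbers are the usual IANA assignments (assumption).
TCP_SERVICE_PORTS = {
    "vosaic-ctrl": 1235,
    "lotus": 1352,
    "SQLnet-1": 1521,
    "openWindows": 2000,
    "AT-Defender": 2626,
    "realsecure": 2998,
}

# RFC 959 PASV reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (host, port) announced by a 227 reply; port = p1 * 256 + p2."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"octet out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def notserver_tcp_port(port: int, tcp_service_ports: set[int], relaxed: bool = False) -> bool:
    """Model of NOTSERVER_TCP_PORT(p) applied to the PASV data port.

    Stock behaviour (assumed; the original macro is not shown in the post):
    the port must be above 1024 and must not be a service defined as type TCP.
    relaxed=True models the base.def edit  #define NOTSERVER_TCP_PORT(p) ( p > 1024 )
    """
    if port <= 1024:
        return False
    return relaxed or port not in tcp_service_ports


def data_connection_allowed(reply: str, tcp_service_ports: set[int], relaxed: bool = False) -> bool:
    """Would the client's data connection to the announced port pass the check?"""
    _, port = parse_pasv(reply)
    return notserver_tcp_port(port, tcp_service_ports, relaxed)


def blocked_data_ports(tcp_service_ports: set[int], lo: int = 1024, hi: int = 5000,
                       relaxed: bool = False) -> list[int]:
    """Ports in the client's PASV range (WS_FTP: 1024-5000) the check would refuse."""
    return sorted(p for p in range(lo, hi + 1)
                  if not notserver_tcp_port(p, tcp_service_ports, relaxed))


_TERM_RE = re.compile(r"^th_dport\s*(>=|<=|>|<|==)\s*(\d+)$")
_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
        "<": operator.lt, "==": operator.eq}


def other_service_matches(match: str, proto: str, dport: int) -> bool:
    """Evaluate a type-Other Match field such as 'tcp, th_dport >= 1024, th_dport <= 5000'.

    A small model of the match syntax from the post, not the real INSPECT evaluator.
    """
    proto_wanted, *terms = [part.strip() for part in match.split(",")]
    if proto.lower() != proto_wanted.lower():
        return False
    for term in terms:
        m = _TERM_RE.match(term)
        if not m:
            raise ValueError(f"unsupported match term: {term!r}")
        op, value = m.group(1), int(m.group(2))
        if not _OPS[op](dport, value):
            return False
    return True


if __name__ == "__main__":
    tcp_ports = set(TCP_SERVICE_PORTS.values())
    reply = "227 Entering Passive Mode (192,168,10,5,5,72)"  # constructed; port 1352
    print("announced:", parse_pasv(reply))
    print("stock check allows:", data_connection_allowed(reply, tcp_ports))
    print("relaxed macro allows:", data_connection_allowed(reply, tcp_ports, relaxed=True))
    print("blocked in 1024-5000, stock:", blocked_data_ports(tcp_ports))
    print("blocked in 1024-5000, relaxed:", blocked_data_ports(tcp_ports, relaxed=True))
    rng = "tcp, th_dport >= 1024, th_dport <= 5000"
    print("Other-type range matches 1352:", other_service_matches(rng, "tcp", 1352))
```

Run stand-alone, the stock model refuses port 1024 itself (the macro's `p > 1024` is strict) plus each port in the range that belongs to a TCP-type service, which is the handful of random WS_FTP data ports that fail. Moving a service to type Other removes its port from the TCP set, so the PASV check no longer trips on it while a rule using the Other service can still match that port range; the predefined services stay in the TCP set until they are redefined the same way. The relaxed macro clears every port above 1024 at once, which is exactly the exposure the quoted FAQ text warns about.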



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================