RE: [FW1] FTP rejects
Allen,
The following FAQ gives two potential solutions:
> >It seems that allowing a TCP high-port service could cause a problem
> >when using FTP. The current setup of FireWall-1 is not
> >to accept the high-port connections if the user selects a port which
> >could be defined as a service.
> >
> >Except for 1024, the disallowed ports are all TCP services. Opening
> >these ports to FTP data connections will expose them to
> >any connection arriving from the FTP server's IP address, which could
> >definitely be risky.
> >For example, evil JAVA applets can take advantage of this situation,
> >causing the FTP client to send a PORT command with
> >ports like TELNET, X, REXEC, etc. This will lead the FireWall to open
> >this port, which could be followed by hacking a
> >certain server on the machine.
> >
> >A definition called NOTSERVER_TCP_PORT, located in the lib/base.def file,
> >checks that only ports that match it are allowed to
> >become FTP data ports later.
> >The full definition is as follows (located in the first part of the
> >file):
> >
> >#define NOTSERVER_TCP_PORT(p) ( p not in tcp_services and p > 1024 )
> >
> >It means that FireWall-1 considers all ports below 1025, plus all
> >TCP services defined through the GUI, as ports that
> >should be avoided. Although you can modify the NOTSERVER_TCP_PORT
> >definition, you should definitely be aware of its
> >consequences.
> >
> >Another thing you can do is to delete the services listed below from the
> >FireWall-1 definitions (unless, of course, you use them):
> >
> > 1024  unknown
> > 1235  vosaic-ctlr
> > 1352  lotus
> > 1503  NetMeeting
> > 1521  sqlnet1
> > 1720  iphone
> > 2000  OpenWindows
> > 2626  AP-Defender

Ben Goward
Corporate Projects (WestNet)
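The PORT-command check the quoted FAQ describes, worked through as an added Python example; this is not Check Point's code and is not part of the original message. The service table is a constructed stand-in for the FireWall-1 tcp_services definitions: it holds the FAQ's example low ports (telnet, rexec, X) and the high-port services the FAQ lists for deletion. Function names and the sample PORT lines are mine; the data-port arithmetic follows RFC 959 (port = p1*256 + p2).

```python
"""FireWall-1-style validation of FTP PORT commands (illustrative, not Check Point code).

Mirrors the NOTSERVER_TCP_PORT check quoted in the FAQ:
    #define NOTSERVER_TCP_PORT(p) ( p not in tcp_services and p > 1024 )
and the two workarounds it offers: relax the macro, or delete unused service
definitions so fewer client-chosen high ports collide with them.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed stand-in for the FireWall-1 TCP service table (assumption, not a
# real export). Low ports are the FAQ's TELNET/REXEC/X examples; the high ports
# are the services the FAQ says commonly collide with FTP data ports.
DEFAULT_TCP_SERVICES: Dict[int, str] = {
    23: "telnet", 512: "rexec", 6000: "X11",
    1024: "unknown", 1235: "vosaic-ctlr", 1352: "lotus", 1503: "NetMeeting",
    1521: "sqlnet1", 1720: "iphone", 2000: "OpenWindows", 2626: "AP-Defender",
}

# RFC 959: PORT h1,h2,h3,h4,p1,p2 (each a decimal byte)
_PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$", re.I
)


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Parse a client PORT line into (ip, port); None if malformed."""
    m = _PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):       # "999" matches \d{1,3} but is not a byte
        return None
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def notserver_tcp_port(port: int, tcp_services: Dict[int, str]) -> bool:
    """Python rendering of the NOTSERVER_TCP_PORT(p) macro."""
    return port not in tcp_services and port > 1024


def decide_ftp_data(line: str, tcp_services: Dict[int, str] = DEFAULT_TCP_SERVICES) -> Tuple[str, str]:
    """Return ("accept" | "reject", reason) for a PORT command seen by the firewall.

    A rejected PORT is what the original poster observes as an "FTP reject" on
    the back (server -> client) data connection.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return "reject", "malformed PORT command"
    ip, port = parsed
    if port <= 1024:
        # Covers the applet scenario: PORT pointing at telnet, rexec, etc.
        return "reject", f"port {port} is not a high port"
    if port in tcp_services:
        return "reject", f"port {port} is defined as TCP service '{tcp_services[port]}'"
    return "accept", f"data connection to {ip}:{port} allowed"


def without_services(tcp_services: Dict[int, str], *ports: int) -> Dict[int, str]:
    """Second FAQ workaround: drop service definitions you do not use."""
    return {p: n for p, n in tcp_services.items() if p not in ports}


def rejected_in_range(tcp_services: Dict[int, str], lo: int = 1025, hi: int = 5000) -> list:
    """Ports in a client's ephemeral range that the macro would refuse as data ports."""
    return sorted(p for p in range(lo, hi + 1) if not notserver_tcp_port(p, tcp_services))


if __name__ == "__main__":
    # Constructed sample PORT lines: telnet (applet attack), sqlnet1 collision,
    # the special case 1024, and an ordinary high port.
    for cmd in ("PORT 10,0,0,5,0,23", "PORT 10,0,0,5,5,241",
                "PORT 10,0,0,5,4,0", "PORT 10,0,0,5,4,1"):
        print(cmd, "->", decide_ftp_data(cmd))
    trimmed = without_services(DEFAULT_TCP_SERVICES, 1521)
    print("after deleting sqlnet1:", decide_ftp_data("PORT 10,0,0,5,5,241", trimmed))
    print("colliding ephemeral ports 1025-3000:", rejected_in_range(DEFAULT_TCP_SERVICES, 1025, 3000))
```

The two `decide_ftp_data` calls for port 1521 show the trade-off the FAQ warns about: deleting the sqlnet1 service makes the client's PORT succeed, but it also means a PORT naming 1521 will be honoured for any server, so only remove definitions for services you really do not run behind the firewall.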
>
>
>-----Original Message-----
>From: Miller Allen [SMTP:mall@loc.gov]
>Sent: Wednesday, 8 September, 1999 15:10
>To: fw-1-mailinglist@lists.us.checkpoint.com
>Subject: [FW1] FTP rejects
>
>
>What is the standard fix or workaround to prevent FTP rejects
>on the back connections when the high-order TCP port chosen
>conflicts with a pre-defined FireWall-1 service?
>
>Is the "fix" just to remove the pre-defined FireWall-1 service?
>
>
>__________________________________________________________________________
>Miller S. Allen, Computer Specialist
>Library of Congress, 101 Independence Ave, SE, Washington DC 20540-9112
>Phone: 202-707-5462   Pager: 202-901-0526   Fax: 202-707-9067
>Email: MALL@LOC.GOV
>
>================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
>================================================================================