RE: [FW1] ftp on sp6
Well, enough people asked for it I figured I would just go ahead and post it. My problem was that ftping one file worked fine, but if you tried to FTP a lot of files (like updating a web site) it would disconnect after a random number of files were sent. I would see log entries for rule 0 that said something like "reason: tried to open TCP service port, port: sqlnet". By watching a snoop, I would see the source port climb one by one as each file was transmitted. The destination port would always be ftp-data, but the first file would use source port 1024, the second would use 1025, the third 1026, and so on. Well, you can do the math and see that 500 or so files in, it would hit 1521, sqlnet, and this new security "feature" (added in SP6) would drop it. Seems they are watching for FTP to try a source port that is already defined as another server. It is beyond me how this could be used for an exploit. Here is what Checkpoint told me to do and it fixed the problem. Hope this helps.

Jim Edwards

--------------------------------------------

Here is the solution for the error message that is occurring.

FireWall-1 4.0

Fact: INSPECT
Fact: FTP data connection

Symptom: FTP data connections are dropped by the FireWall
Symptom: Error received in the info field of the log viewer
Symptom: Error: 'reason: tried to open TCP service port, port: <service name>'
Symptom: FTP Data connections reject on Rule 0

Cause: This error occurs when an FTP PORT command issued tries to open a TCP port that is listed as a Service inside the Firewall-1 services. It is a security implementation to keep anyone from injecting false PORT commands and opening up any high ports through an FTP session. For example, evil JAVA applets can take advantage of this situation, causing the FTP client to send a PORT command with ports like TELNET, X, REXEC, etc. This will lead the FireWall to open this port, which could be followed by hacking a certain server on the machine.
Fix: There are several things you can do to alleviate this.

1. Delete the FireWall-1 service(s) that are causing the problem. This is the easiest solution, but is not always feasible. (Below you can find the list of pre-defined high-port TCP services.)

2. Delete the FireWall-1 service(s) that are causing the problem, and recreate them as a service type of 'Other'. That way FireWall-1 will not see them as known TCP services. Please see this link for information on how to do this: How to manually define a TCP port range (primus://:36.918)

3. Perform a base.def modification to keep FireWall-1 from comparing against these known services. Always back up any file before modifying it, and make sure you use a UNIX-based editor such as vi to edit this file. NT editors place carriage return / line feeds at the end of the text. If you are using the base.def on an NT machine, use edit.com from the command prompt rather than Notepad or Wordpad. Make this modification on the Management server to your $FWDIR/lib/base.def, then stop/start the FireWall, and re-install the rulebase.

<base.def> original:

    // ports which are dangerous to connect to
    define NOTSERVER_TCP_PORT(p) {
        (not (
            ( p in tcp_services,
              set sr10 RCODE_TCP_SERV, set sr11 0, set sr12 p, set sr1 0,
              log bad_conn)
            or
            ( p < 1024,
              set sr10 RCODE_SMALL_PORT, set sr11 0, set sr12 p, set sr1 0,
              log bad_conn)
        ))
    };

is changed to:

    // ports which are dangerous to connect to
    define NOTSERVER_TCP_PORT(p) {
        (not (
            p < 1024,
            set sr10 RCODE_SMALL_PORT, set sr11 0, set sr12 p, set sr1 0,
            log bad_conn
        ))
    };

You need to re-install the policy for the changes to take effect.
List of pre-defined high-port TCP services:

    1235        vosaic-ctrl
    1352        lotus
    1494        Winframe
    1503        T.120 (NetMeeting)
    1521        sqlnet
    1525-1526   sqlnet2
    1570-1571   Orbix
    1720        H323 (iphone)
    1723        pptp
    1755        NetShow
    2000        OpenWindows
    2049        nfsd-tcp
    2299        PCtelecommute
    2626        AP-Defender, AT-Defender
    2649,2651   IIOP
    2998        RealSecure
    5190        AOL
    5510        SecurID-prop
    5631        PCanywhere
    6000-6063   X11
    6499        IS411
    6660-6670   IRC
    7000        IRC2
    7070        RealAudio
    12468-12469 WebTheater
    16384       ConnectedOnline
    18181-18184 CVP, UFP, SAM, LEA
    18187       ELA

-----Original Message-----
From: Mark van Gelder [mailto:[email protected]]
Sent: Monday, October 30, 2000 8:00 AM
To: [email protected]
Subject: RE: [FW1] ftp on sp6

Hi There

I have been having similar problems with 4.1 SP2. Please could you mail me the fix too. One thing that I found that seemed to help a little was to move the FTP rules further to the top of the rulebase.

Thanks
Mark

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Murphy, Paul
Sent: Monday, October 30, 2000 1:30 PM
To: 'FW1-Mailing List'; '[email protected]'
Subject: RE: [FW1] ftp on sp6

Is it too much just to post? I would prefer to retain the fix detail rather than your email address for when I might need it.

Cheers,
Paul.

-----Original Message-----
From: James Edwards [mailto:[email protected]]
Sent: 27 October 2000 17:12
To: 'Pires, Michael'; 'FW1-Mailing List'
Subject: RE: [FW1] ftp on sp6

Yes, there is some new security stuff in SP6 that causes problems with ftp. The problem we had was ftping a large number of files in one session. It would randomly disconnect us before all the files were complete. FTPing a large file was no problem, just doing a large group of files. I called Checkpoint and they gave me the fix. Email me directly and/or call Checkpoint for the solution.
Jim Edwards
Systems Manager
Texas Secretary of State

-----Original Message-----
From: Pires, Michael [mailto:[email protected]]
Sent: Friday, October 27, 2000 9:55 AM
To: 'FW1-Mailing List'
Subject: [FW1] ftp on sp6

Anyone have ftp problems to ftp.compaq.com after SP6 was installed on a unix 4.0 firewall? Is there any resolution to this problem?

Thanks

p.s.: sorry if it was answered already

_______________________________________
Michael Pires
Security Analyst
Teleglobe Inc.

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
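The rule-0 check from the Checkpoint answer above, modelled as an added Python example (not FireWall-1's INSPECT code and not anything posted in the thread): it parses the client's FTP PORT command, applies the original NOTSERVER_TCP_PORT logic and the modified one, and replays the climbing source ports seen in the snoop to show which file is the first to be dropped. The services table is a constructed subset of the list above, and the client address 10.0.0.5 is made up.

```python
import re

# Constructed subset of the pre-defined high-port TCP services listed in the
# thread (port -> name reported in the log); an assumption, not the full table.
TCP_SERVICES = {1521: "sqlnet", 1525: "sqlnet2", 1526: "sqlnet2", 1723: "pptp",
                2049: "nfsd-tcp", 6000: "X11"}

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_port_command(line):
    """Return (ip, port) from an FTP 'PORT h1,h2,h3,h4,p1,p2' client command."""
    m = PORT_RE.match(line.strip())
    if m is None:
        raise ValueError("not a PORT command: %r" % line)
    fields = [int(x) for x in m.groups()]
    if max(fields) > 255:
        raise ValueError("PORT field out of range: %r" % line)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def notserver_tcp_port(port, compare_services=True):
    """Model of base.def NOTSERVER_TCP_PORT: None if the data port is accepted,
    otherwise (reason code set in sr10, service name) before bad_conn is logged.

    compare_services=True is the original macro (known TCP service or < 1024 is
    refused); False is the modified macro from the thread (only < 1024)."""
    if compare_services and port in TCP_SERVICES:
        return "RCODE_TCP_SERV", TCP_SERVICES[port]
    if port < 1024:
        return "RCODE_SMALL_PORT", None
    return None


def first_dropped_file(n_files, first_port=1024, compare_services=True):
    """Replay the transfer seen in the snoop: one PORT command per file, with the
    client's source port climbing from first_port. Returns the 1-based index of
    the first file whose data connection rule 0 would drop, or None."""
    for i in range(n_files):
        port = first_port + i
        cmd = "PORT 10,0,0,5,%d,%d" % (port // 256, port % 256)  # constructed
        _, data_port = parse_port_command(cmd)
        if notserver_tcp_port(data_port, compare_services) is not None:
            return i + 1
    return None
```

With the modified macro the cutoff below 1024 still refuses TELNET, REXEC and the like, but X11 (6000) and the other listed high ports are no longer refused, which is the trade-off options 1 and 2 avoid.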