
RE: [FW1] ftp on sp6



Well, enough people asked for it I figured I would just go ahead and post
it.

My problem was that ftping one file worked fine but if you tried to FTP a
lot of files (like updating a web site) it would disconnect after a random
number of files were sent.  I would see log entries for rule 0 that said
something like "'reason: tried to open TCP service port, port: sqlnet'".  By
watching a snoop, I would see the source port climb one by one as each file
would be transmitted.  The destination port would always be ftp-data but the
first file would use source port 1024, the second would use 1025, the third
1026, and so on.  Well, you can do the math and see that 500 or so files in,
it would hit 1521, sqlnet and this new security "feature" (added in SP6)
would drop it.  Seems they are watching for FTP to try a source port that is
already defined as another server.  It is beyond me how this could be used
for an exploit.
 
Here is what Checkpoint told me to do and it fixed the problem.  
 
Hope this helps
 
Jim Edwards
 
--------------------------------------------
 
Here is the solution for the error message that is occurring.
 
FireWall-1 4.0
Fact: INSPECT
Fact: FTP data connection
 
Symptom: FTP data connections are dropped by the FireWall
Symptom: Error received in the info field of the log viewer
Symptom: Error: 'reason: tried to open TCP service port, port: <service
name>'
Symptom: FTP Data connections reject on Rule 0
 
Cause: This error occurs when an FTP PORT command tries to open a TCP
port that is listed as a Service inside the FireWall-1 services.
It is a security implementation to keep anyone from injecting false
PORT commands and opening up any high ports through an FTP session.
For example, evil JAVA applets can take advantage of this situation,
causing the FTP client to send a PORT command with ports like TELNET,
X, REXEC, etc. This will lead the FireWall to open this port, which
could be followed by hacking a certain server on the machine.
Fix: There are several things you can do to alleviate this.
 
1. Delete the FireWall-1 service(s) that are causing the problem. This
is the easiest solution, but is not always feasible.
(below you can find the list of pre-defined high-port TCP services).
 
2. Delete the FireWall-1 service(s) that are causing the problem, and
recreate them as a service type of 'Other'. That way FireWall-1 will
not see them as known TCP services. Please see the knowledge base
article "How to manually define a TCP port range" (primus://:36.918)
for information on how to do this.
 
3. Perform a base.def modification to keep FireWall-1 from comparing
against these known services. Always back up any file before modifying
it, and make sure you use a UNIX based editor such as VI to edit this
file. NT editors place carriage return / line feeds at the end of the
text. If you are using the base.def on an NT machine, use edit.com
from the command prompt rather than Notepad or Wordpad.
Make this modification on the Management server to your $FWDIR/lib/base.def,
then stop/start the FireWall and re-install the rulebase.
base.def original:
// ports which are dangerous to connect to
define NOTSERVER_TCP_PORT(p) {
    (not
        (
            ( p in tcp_services, set sr10 RCODE_TCP_SERV, set sr11 0,
              set sr12 p, set sr1 0, log bad_conn)
            or
            ( p < 1024, set sr10 RCODE_SMALL_PORT, set sr11 0, set sr12 p,
              set sr1 0, log bad_conn)
        )
    )
};
is changed to:
// ports which are dangerous to connect to
define NOTSERVER_TCP_PORT(p) {
    (not
        ( p < 1024, set sr10 RCODE_SMALL_PORT, set sr11 0, set sr12 p,
          set sr1 0, log bad_conn)
    )
};
You need to re-install the policy for the changes to take effect.
List of pre-defined high-port TCP services:
1235 vosaic-ctrl
1352 lotus 
1494 Winframe
1503 T.120 (NetMeeting)
1521 sqlnet
1525-1526 sqlnet2
1570-1571 Orbix
1720 H323 (iphone)
1723 pptp
1755 NetShow
2000 OpenWindows 
2049 nfsd-tcp
2299 PCtelecommute
2626 AP-Defender, AT-Defender
2649,2651 IIOP
2998 RealSecure
5190 AOL
5510 SecurID-prop
5631 PCanywhere
6000-6063 X11
6499 IS411
6660-6670 IRC
7000 IRC2
7070 RealAudio
12468-12469 WebTheater
16384 ConnectedOnline
18181-18184 CVP, UFP, SAM, LEA
18187 ELA
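
As an added illustration of the check the Checkpoint text above describes (this is not code from the thread or from Check Point), the following Python model of NOTSERVER_TCP_PORT parses an FTP PORT command, applies the same two tests (known TCP service, then port below 1024) with the same reason codes, and simulates a client whose source port climbs by one per file, which is why a transfer of several hundred files eventually lands on 1521. KNOWN_TCP_SERVICES is built from the list above with the ranges expanded; which of those entries a given rulebase actually defines varies, so the "sqlnet only" set in the main block is constructed to reproduce the roughly-500-files symptom. The names check_port_command and first_dropped_transfer are chosen here, and passing an empty mapping stands in for the fix-3 base.def that drops the tcp_services comparison.

```python
import re
from typing import Mapping, Optional, Tuple

# Constructed from the "pre-defined high-port TCP services" list quoted above
# (ranges expanded). Assumption: this is the set FireWall-1 4.0 consults as
# tcp_services in NOTSERVER_TCP_PORT; a real rulebase may define more or fewer.
KNOWN_TCP_SERVICES = {
    1235: "vosaic-ctrl", 1352: "lotus", 1494: "Winframe", 1503: "T.120",
    1521: "sqlnet", 1525: "sqlnet2", 1526: "sqlnet2", 1570: "Orbix",
    1571: "Orbix", 1720: "H323", 1723: "pptp", 1755: "NetShow",
    2000: "OpenWindows", 2049: "nfsd-tcp", 2299: "PCtelecommute",
    2626: "AP-Defender", 2649: "IIOP", 2651: "IIOP", 2998: "RealSecure",
    5190: "AOL", 5510: "SecurID-prop", 5631: "PCanywhere", 6499: "IS411",
    7000: "IRC2", 7070: "RealAudio", 12468: "WebTheater",
    12469: "WebTheater", 16384: "ConnectedOnline", 18187: "ELA",
}
KNOWN_TCP_SERVICES.update({p: "X11" for p in range(6000, 6064)})
KNOWN_TCP_SERVICES.update({p: "IRC" for p in range(6660, 6671)})
KNOWN_TCP_SERVICES.update({p: "CVP/UFP/SAM/LEA" for p in range(18181, 18185)})

# RFC 959 PORT syntax: four address bytes and two port bytes, comma separated.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port_command(line: str) -> Tuple[str, int]:
    """Return (host, port) from a PORT command; port = p1 * 256 + p2."""
    m = PORT_RE.match(line.strip())
    if m is None:
        raise ValueError("not a PORT command: %r" % line)
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        raise ValueError("PORT field out of range: %r" % line)
    host = ".".join(str(x) for x in fields[:4])
    return host, fields[4] * 256 + fields[5]


def notserver_tcp_port(port: int,
                       services: Mapping[int, str] = KNOWN_TCP_SERVICES) -> Optional[str]:
    """Mirror of NOTSERVER_TCP_PORT(p) from base.def.

    Returns None if the port may be opened, otherwise the reason code the
    firewall logs. An empty mapping reproduces the fix-3 base.def, which
    keeps only the p < 1024 test.
    """
    if port in services:
        return "RCODE_TCP_SERV"
    if port < 1024:
        return "RCODE_SMALL_PORT"
    return None


def check_port_command(line: str,
                       services: Mapping[int, str] = KNOWN_TCP_SERVICES) -> dict:
    """Apply the check to one PORT command seen on the FTP control channel."""
    host, port = parse_port_command(line)
    reason = notserver_tcp_port(port, services)
    return {
        "host": host,
        "port": port,
        "verdict": "accept" if reason is None else "drop",
        "reason": reason,
        "service": services.get(port),
    }


def first_dropped_transfer(services: Mapping[int, str] = KNOWN_TCP_SERVICES,
                           start_port: int = 1024,
                           max_files: int = 2000) -> Optional[int]:
    """Simulate the client behaviour from the thread: one PORT command per
    file, the source port climbing by one from start_port. Returns the
    1-based number of the first file whose data connection would be dropped,
    or None if all max_files transfers pass."""
    for n in range(max_files):
        if notserver_tcp_port(start_port + n, services) is not None:
            return n + 1
    return None


if __name__ == "__main__":
    # Constructed sample: a client at 10.0.0.5 advertising data port 1521.
    print(check_port_command("PORT 10,0,0,5,5,241"))
    print("first drop, sqlnet only defined:", first_dropped_transfer({1521: "sqlnet"}))
    print("first drop, full list:", first_dropped_transfer())
    print("first drop, fix-3 base.def:", first_dropped_transfer({}))
```

With only sqlnet defined, the 498th file (source port 1023 + 498 = 1521) is the first one dropped with RCODE_TCP_SERV; with the full list the collision comes earlier, at 1235 (vosaic-ctrl); with the fix-3 base.def nothing above 1023 is ever dropped, which is the trade-off the KB text describes.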

-----Original Message-----
From: Mark van Gelder [mailto:[email protected]]
Sent: Monday, October 30, 2000 8:00 AM
To: [email protected]
Subject: RE: [FW1] ftp on sp6


Hi There

I have been having similar problems with 4.1 SP2. Please could you mail me
the fix too.

One thing that I found that seemed to help a little was to move the FTP
rules further to the top of the rulebase.

Thanks
Mark


-----Original Message-----
From: [email protected]
[mailto:[email protected]]On Behalf Of
Murphy, Paul
Sent: Monday, October 30, 2000 1:30 PM
To: 'FW1-Mailing List'; '[email protected]'
Subject: RE: [FW1] ftp on sp6




Is it too much just to post?

I would prefer to retain the fix detail rather than your email address for
when I might need it.

Cheers,

Paul.

-----Original Message-----
From: James Edwards [mailto:[email protected]]
Sent: 27 October 2000 17:12
To: 'Pires, Michael'; 'FW1-Mailing List'
Subject: RE: [FW1] ftp on sp6



Yes, there is some new security stuff in SP6 that causes problems with ftp.
The problem we had was ftping a large number of files in one session.  It
would randomly disconnect us before all the files were complete.  FTPing a
large file was no problem, just doing a large group of files.  I called
Checkpoint and they gave me the fix.

Email me directly and or call Checkpoint for the solution.

Jim Edwards
Systems Manager
Texas Secretary of State


-----Original Message-----
From: Pires, Michael [mailto:[email protected]]
Sent: Friday, October 27, 2000 9:55 AM
To: 'FW1-Mailing List'
Subject: [FW1] ftp on sp6



Anyone have ftp problems to ftp.compaq.com after SP6 was installed on a unix
4.0 firewall? Is there any resolution to this problem?

Thanks

p.s : sorry if it was answered already

_______________________________________
Michael Pires
Security Analyst
Teleglobe Inc.


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================