RE: [FW1] Scanning HTTP traffic to non-standard ports



The following (as an attachment) was posted from Aladdin tech support to
this thread on Tuesday 21st November 08:27...

---------------------------------------

(1) Create a TCP service using the desired URI protocol port. 
(2) Create the resource object that references your CVP server. 
(3) In your URI resources you need to modify the "Host" field in the "Match"
tab. The default definition is an asterisk ( * ). Change this to asterisk -
colon - asterisk ( *:* ). 
(4) Use "Add With Resource..." to add a rule, which uses your new TCP service
and CVP resource definitions. 
(5) Edit the $FWDIR/conf/fwauthd.conf file. This file is the configuration
file for the FW-1 security servers. By default, it lists all standard ports
monitored by FW-1. This is necessary to allow security servers to initiate
sessions. You must add an extra line for the service created in step 1. If
the new port used for HTTP sessions is 8080, then the file should be similar
to the following example: 

    21    in.aftpd     wait 0 
    80    in.ahttpd    wait 0 
    8080  in.ahttpd    wait 0 
    513   in.arlogind  wait 0 
    25    in.asmtpd    wait 0 

Note: The 3rd line was added. 
This step forces the security server to run on this port, which is not
standard. Without this line, the FW-1 security server will reject the
communication.

---------------------------------------

The only downside to the above is that you have to run an additional
security server process (in.ahttpd) for every new port you wish to allow
access to (each process being about 10MB in size)... But otherwise I found
it to work (though you do need to stop/start the firewall for the
fwauthd.conf change to take effect).

Regards,

Paul.
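As an added example (not from the original post, and not Check Point's or Aladdin's own tooling), the following POSIX sh check parses a fwauthd.conf in the format quoted above and verifies, before the firewall is stopped and restarted, that the non-standard HTTP port has exactly one in.ahttpd line and reports how many in.ahttpd instances will be started. The sample file contents and the function names are constructed for this illustration; on a real gateway the path would be $FWDIR/conf/fwauthd.conf.

```shell
#!/bin/sh
# Added example: sanity-check a FW-1 fwauthd.conf before a firewall restart.
# The sample file below is constructed here; point SAMPLE_CONF at
# "$FWDIR/conf/fwauthd.conf" on a real gateway.

SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
21    in.aftpd     wait 0
80    in.ahttpd    wait 0
8080  in.ahttpd    wait 0
513   in.arlogind  wait 0
25    in.asmtpd    wait 0
EOF

# fwauthd_daemon_for_port FILE PORT
# Prints the security server daemon (column 2) bound to PORT, if any.
fwauthd_daemon_for_port() {
    awk -v p="$2" '$1 == p { print $2 }' "$1"
}

# fwauthd_check_http_port FILE PORT
# Returns 0 when PORT is served by exactly one in.ahttpd line,
# 1 when no in.ahttpd line exists (the security server would reject the
# session, as the post describes), 2 when PORT is listed more than once.
fwauthd_check_http_port() {
    n=$(awk -v p="$2" '$1 == p { c++ } END { print c+0 }' "$1")
    [ "$n" -eq 0 ] && return 1
    [ "$n" -gt 1 ] && return 2
    [ "$(fwauthd_daemon_for_port "$1" "$2")" = "in.ahttpd" ] || return 1
    return 0
}

# fwauthd_count_ahttpd FILE
# Number of in.ahttpd processes that will run (one per listed port).
fwauthd_count_ahttpd() {
    awk '$2 == "in.ahttpd" { c++ } END { print c+0 }' "$1"
}

# Usage on the constructed sample: 8080 is present, so this prints a summary.
if fwauthd_check_http_port "$SAMPLE_CONF" 8080; then
    echo "port 8080 ok; $(fwauthd_count_ahttpd "$SAMPLE_CONF") in.ahttpd instance(s) will run"
else
    echo "port 8080 missing or duplicated in $SAMPLE_CONF" >&2
fi
```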
