Re: [FW1] Port Range!!!
Greetings,

There seems to be some confusion as to how to use port ranges in a firewall policy. Allow me to explain:

On the address translation tab, when you right-click on the "services" column, you have the option of Adding/New/Port Range. This is probably NOT what you want to do, unless you plan on translating ranges of ports. The gentleman who said port ranges could only be used in NAT was correct in this sense; you cannot use port ranges (in the sense of a service object defined as a type "port range") in a policy rule. They shouldn't even show up as available services in your rulebase tab.

As the other gentleman stated (almost correctly), you can create a new "regular" service <Manage/Services/New/(tcp or udp)> and put "1024-65535" (w/o quotes) in the "port" column, not the "source port range". The Source Port Range (if filled in) tells the FW to only allow traffic that matches on the source port (range) as well as the destination port. There are times when you might need this, but now is probably not one of them. Alternately, you can put >1023 (not 1024 as stated by the other gentleman).

Having said that, there should be predefined services called "TCP-High-Ports" and "UDP-high-ports" which are tcp or udp >1023. They are there on all of my firewalls (4.0 and 4.1) and I know I've never created them. If they're not there on yours, perhaps it's a service pack issue, or you deleted them once upon a time.

Regards
jakevil

----- Original Message -----
From: "Kumar, Preet (Exchange)" <[email protected]>
To: "'Thomas Borger'" <[email protected]>; <[email protected]>
Sent: Tuesday, February 13, 2001 8:42 AM
Subject: RE: [FW1] Port Range!!!

> Create the tcp/udp port range by using the "Port" in the Services->New and
> not the "Port Range". You can define the port range as "1024-65535" or
> ">1024" and both would work fine.
>
> -----Original Message-----
> From: Thomas Borger [mailto:[email protected]]
> Sent: Tuesday, February 13, 2001 7:25 AM
> To: [email protected]
> Subject: Re: [FW1] Port Range!!!
>
> Hi Kostas,
>
> At 13:46 13.02.01 +0200, you wrote:
>
> >Hello all!!!
> >I want to include all high ports in my service field of a rule and although
> >I have created the relevant object called high-ports (port range object
> >1024-65535), I cannot use it in my rule.
> >Do you have any idea on how to overcome this problem and if there is any
> >solution on how to open these ports for my implementation.
> >thanks in advance,
> >Kostas
>
> Port ranges can only be used with NAT!
> See SecAdmin.pdf on the Checkpoint-CD page 475
>
> best regards
> Thomas
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
>
> ***********************************************************************
> Bear Stearns is not responsible for any recommendation, solicitation,
> offer or agreement or any information about any transaction, customer
> account or account activity contained in this communication.
> ***********************************************************************
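To make the three port notations in this thread concrete, here is an added example (written for this page, not code from any of the posters or from Check Point) that parses a service's "port" field in the forms the thread uses ("80", "1024-65535", ">1023") and checks a connection against it; the handling of the "source port range" column follows jakevil's description above, and all function names are my own.

```python
import re
from typing import Optional, Tuple

PortRange = Tuple[int, int]  # inclusive (low, high)


def parse_port_spec(spec: str) -> PortRange:
    """Parse a FW-1 style port field into an inclusive (low, high) range.

    Forms taken from the thread: a single port ("80"), an explicit range
    ("1024-65535") and a lower bound (">1023", meaning 1024 and upwards).
    """
    spec = spec.strip()
    if m := re.fullmatch(r">\s*(\d+)", spec):
        low, high = int(m.group(1)) + 1, 65535  # ">1023" is 1024..65535
    elif m := re.fullmatch(r"(\d+)\s*-\s*(\d+)", spec):
        low, high = int(m.group(1)), int(m.group(2))
    elif re.fullmatch(r"\d+", spec):
        low = high = int(spec)
    else:
        raise ValueError(f"unrecognised port spec: {spec!r}")
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"port range out of bounds: {spec!r}")
    return low, high


def in_range(port: int, rng: PortRange) -> bool:
    return rng[0] <= port <= rng[1]


def service_matches(dst_port: int, src_port: int, port: str,
                    source_port_range: Optional[str] = None) -> bool:
    """Model the rulebase match: the "port" column is tested against the
    destination port; the "source port range" column, only when filled in,
    additionally restricts the source port."""
    if not in_range(dst_port, parse_port_spec(port)):
        return False
    if source_port_range:
        return in_range(src_port, parse_port_spec(source_port_range))
    return True


def same_ports(a: str, b: str) -> bool:
    """True when two port specs cover exactly the same ports."""
    return parse_port_spec(a) == parse_port_spec(b)


if __name__ == "__main__":
    print(same_ports(">1023", "1024-65535"))               # True
    print(same_ports(">1024", "1024-65535"))               # False: ">1024" starts at 1025
    print(service_matches(8080, 40000, ">1023"))           # True
    print(service_matches(8080, 40000, ">1023", "1-1023")) # False: source port restricted
```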