
[FW-1] "tried to open tcp service port" revisited!



Hi guys!

I have run into a problem for the second time which requires your swift
responses.

Software Versions:
Management Station: FW-1 NG FP1 (recently upgraded)
Enforcement Point: FW-1 4.1 SP4 (soon to be upgraded)

I'm getting a lot of drops in my logs referring to FTP-connections
initiated from the outside, which are dropped with the following data in
the Info field:

"reason: tried to open tcp service port, port: <ServiceName>"

I have come up against this earlier, and that time I saw the solution on
PhoneBoy's FAQ (http://www.phoneboy.com/faq/0106.html).
However, I'm using the same unchanged base.def definition with the modified
sections (I've commented out all the references to the NOTSERVER_TCP_PORT
functions).

After I modified the base.def file, I restarted the FW-module in order for
the base.def changes to take effect (I guess that's what's required) but
it's still *not* working!!!

The problem occurs when one of our customers uploads many thousand files to
the FTP-server we're hosting and yes, they're using active FTP. Why would
the FW-module block these data-connections since they're not initiated from
the inside (and outwards) but from the outside (and inwards). The internal
machines are able to initiate connections to almost any kind of external
service, so I really can't understand why FW-1 would block that connection
just because it uses the same port-number as a defined service-object.

Questions:

1) What can I do to try and troubleshoot/solve this issue?

2) Is the base.def in any way distributed to the enforcement points?

With kind regards,

-- Andy

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
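Added example, not part of the original post and not Check Point's code: a small Python model of the base.def check behind the "tried to open tcp service port" drop. FW-1's FTP inspection reads the PORT command of an active-FTP session and, through the NOTSERVER_TCP_PORT references the poster commented out, refuses a data connection whose requested port coincides with a defined TCP service object. The service table, the sample PORT commands and the exact match semantics are assumptions; the `triage` helper is a hypothetical troubleshooting aid that reports which service objects the client's ephemeral ports are colliding with, which is the first thing to establish before touching base.def.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Tuple

# Constructed stand-in for the rulebase's TCP service objects (name by port).
# A client's ephemeral ports rarely hit the well-known ones, but a service
# object defined on a high port (assumed here: 1433, 3389, 5900) is a
# realistic collision when thousands of data connections are opened.
DEFINED_TCP_SERVICES = {
    21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 443: "https",
    1433: "MSSQL", 3389: "RDP", 5900: "VNC",
}

# RFC 959 form: PORT h1,h2,h3,h4,p1,p2 where the data port is p1*256 + p2.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$"
)


@dataclass
class Verdict:
    action: str      # "accept" or "drop"
    data_port: int
    info: str        # what the FW-1 log's Info field would carry (assumed wording)


def parse_port_command(line: str) -> Tuple[str, int]:
    """Return (host, port) from a PORT command; reject malformed or out-of-range fields."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        raise ValueError(f"field out of range in {line!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_data_port(line: str, services=DEFINED_TCP_SERVICES,
                    notserver_check: bool = True) -> Verdict:
    """Decide the data connection's fate the way the base.def check would.

    notserver_check=False models base.def with the NOTSERVER_TCP_PORT
    references commented out (an assumption about that edit's effect).
    """
    host, port = parse_port_command(line)
    if notserver_check and port in services:
        return Verdict("drop", port,
                       f"reason: tried to open tcp service port, port: {services[port]}")
    return Verdict("accept", port, f"ftp data connection to {host}:{port}")


def triage(port_commands, services=DEFINED_TCP_SERVICES) -> dict:
    """Troubleshooting aid: count verdicts and name the colliding service objects."""
    actions = Counter()
    colliding = Counter()
    for line in port_commands:
        v = check_data_port(line, services)
        actions[v.action] += 1
        if v.action == "drop":
            colliding[services[v.data_port]] += 1
    return {"accepted": actions["accept"], "dropped": actions["drop"],
            "colliding_services": dict(colliding)}


# Constructed sample: one client uploading many files, cycling its ephemeral ports.
SAMPLE_PORT_COMMANDS = [
    f"PORT 203,0,113,7,{p // 256},{p % 256}\r\n"
    for p in (1024, 1025, 1433, 2048, 3389, 3390, 5900, 40000)
]

if __name__ == "__main__":
    for line in SAMPLE_PORT_COMMANDS:
        v = check_data_port(line)
        print(f"{v.action:6} port {v.data_port:5}  {v.info}")
    print(triage(SAMPLE_PORT_COMMANDS))
```

Running it shows the pattern the poster describes: most transfers succeed and only the data connections whose port happens to match a defined service object are dropped with that Info text. Feeding `triage` the ports taken from real drop logs tells you which service objects are involved, so the fix can be as narrow as exempting those objects rather than disabling the check wholesale.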