Re: [FW-1] "tried to open tcp service port" revisited!
I have a customer with the same problem. The problem came about while they were running 4.1 and still persists now that the firewall (standalone module & management) has been upgraded to NG FP-1. We have opened a ticket with CheckPoint support and it has been escalated all the way to support in Israel. After sending them cpinfo output, fw monitor output, and fw tab output from the firewall while attempting the ftp, we were sent a modification to base.def which should have fixed the problem. It did not. We are now in the process of collecting more data for analysis. Unfortunately, this has taken a "back-burner" with my customer, as they have many other pressing projects at the moment.

This is the information I received regarding the ftp port restriction and passive-vs-active:

The difference between passive and active is that passive is always two random ports - one on the client and one on the server. Active is only one random port - only on the client, because the server will answer on port 21. So basically, the problem can happen on both passive and active. The chance for it to hit a "known" port is higher on passive since every data connection is two random ports, as explained above.

The FTP server works in the standard mode listening on port 21. The reason you thought it was opening data connections from random, non-standard ports was because the client you used was probably a software client (ws_ftp, bullet proof, etc.) rather than command line. Usually the default of these software clients is PASV rather than ACTIVE. When using ACTIVE the client asks the ftp server to open the connection on a random port on the client (for the data connection). The server will then open a connection from port 20 to the port the client asked for. When using PASV the client issues the PASV command and the server answers with a port number (random, not 20) for the client to open on the server (for the data connection).
In this case the client will open a connection with a random source port to the random port the server indicated before. When you're transferring many files with the software client (usually to update servers with many files - http, ftp, etc.), sometimes the client or server hits a random port which is a reserved port, i.e. a port number that's defined in the firewall as a service. In the fw monitor you sent, you first transferred many files, but for the last one the server asked the client to open server port 18191 (for the data connection). The firewall didn't forward this packet since port 18191 is reserved for the firewall daemon CPD.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Andy Herrero
Sent: Thursday, April 18, 2002 9:19 AM
To: [email protected]
Subject: [FW-1] "tried to open tcp service port" revisited!

Hi guys!

I have run into a problem for the second time which requires your swift responses.

Software Versions:
Management Station: FW-1 NG FP1 (recently upgraded)
Enforcement Point: FW-1 4.1 SP4 (soon to be upgraded)

I'm getting a lot of drops in my logs referring to FTP-connections initiated from the outside, which are dropped with the following data in the Info field:

"reason: tried to open tcp service port, port: <ServiceName>"

I have come up against this earlier, and that time I saw the solution on PhoneBoy's FAQ (http://www.phoneboy.com/faq/0106.html). However, I'm using the same unchanged base.def definition with the modified sections (I've commented out all the references to the NOTSERVER_TCP_PORT functions). After I modified the base.def file, I restarted the FW-module in order for the base.def changes to take effect (I guess that's what's required), but it's still *not* working!!!

The problem occurs when one of our customers uploads many thousand files to the FTP-server we're hosting, and yes, they're using active FTP.
Why would the FW-module block these data-connections, since they're not initiated from the inside (and outwards) but from the outside (and inwards)? The internal machines are able to initiate connections to almost any kind of external service, so I really can't understand why FW-1 would block that connection just because it uses the same port-number as a defined service-object.

Questions:
1) What can I do to try and troubleshoot/solve this issue?
2) Is the base.def in any way distributed to the enforcement points?

With kind regards,
-- Andy

=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
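The active/passive explanation relayed in the reply at the top of this thread (one random port for active, two for passive, and a drop when one of them is a port the firewall has defined as a service, 18191/tcp CPD in the captured case) can be worked through in code. The following is an added example written for this page; it is not code from either poster, from Check Point, or from base.def. It assumes: the RFC 959 PORT/227 encodings for the data endpoint; illustrative addresses 198.51.100.7 (client) and 192.0.2.10 (server); that the "tried to open tcp service port" check rejects a data connection when either of its two ports is a defined service (modelled from the log text in the thread, not from the real INSPECT code); and a service-port table in which only the 18191/CPD entry comes from the thread, the other two being assumptions.

```python
import re

# Service objects the firewall is assumed to define. 18191/tcp (CPD) is the
# collision named in the reply above; the other two entries are assumptions
# added for illustration, not read from any real rulebase.
FW1_SERVICE_PORTS = {18191: "CPD", 18190: "CPMI", 256: "FW1"}

# RFC 959 host/port 6-tuples: "PORT h1,h2,h3,h4,p1,p2" from the client,
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" from the server.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(h1, h2, h3, h4, p1, p2):
    """Turn the comma-separated 6-tuple into (ip, port); port = p1*256 + p2."""
    return f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2)


def data_connection(control_line, server_ip, client_ip, client_src_port):
    """Work out the data connection that follows one control-channel line.

    Active (PORT): the server connects from its port 20 to the random port
    the client announced.  Passive (227): the client connects from a random
    source port to the random port the server announced.
    Returns (mode, (src_ip, src_port), (dst_ip, dst_port)).
    """
    m = PORT_RE.match(control_line)
    if m:
        client_host, client_port = decode_hostport(*m.groups())
        return "active", (server_ip, 20), (client_host, client_port)
    m = PASV_RE.match(control_line)
    if m:
        server_host, server_port = decode_hostport(*m.groups())
        return "passive", (client_ip, client_src_port), (server_host, server_port)
    raise ValueError(f"not a PORT command or a 227 reply: {control_line!r}")


def fw1_verdict(src, dst, service_ports=FW1_SERVICE_PORTS):
    """Model the check behind 'tried to open tcp service port': the data
    connection is refused when either of its two ports is a defined TCP
    service object (assumed behaviour, matching the log text in the thread)."""
    for _ip, port in (src, dst):
        if port in service_ports:
            return f"drop: tried to open tcp service port, port: {service_ports[port]}"
    return "accept"


def collision_probability(mode, service_ports=FW1_SERVICE_PORTS, lo=1024, hi=65535):
    """Chance that one data connection lands on a service port, if random
    ports are drawn uniformly from lo..hi.  Active draws one random port,
    passive draws two, so passive is roughly twice as exposed."""
    n = hi - lo + 1
    k = sum(1 for p in service_ports if lo <= p <= hi)
    p_one = k / n
    return p_one if mode == "active" else 1 - (1 - p_one) ** 2


if __name__ == "__main__":
    # Constructed exchange: external client 198.51.100.7 talking to the hosted
    # FTP server 192.0.2.10 (addresses are illustrative, not from the thread).
    client, server = "198.51.100.7", "192.0.2.10"
    for line in ("PORT 198,51,100,7,4,1",                           # client port 1025
                 "227 Entering Passive Mode (192,0,2,10,71,15)."):  # server port 18191
        mode, src, dst = data_connection(line, server, client, 40000)
        print(f"{mode:7} {src} -> {dst}: {fw1_verdict(src, dst)}")
    for mode in ("active", "passive"):
        print(f"{mode}: P(collision) = {collision_probability(mode):.6f}")
```

The passive line reproduces the capture described in the reply: 71*256+15 decodes to 18191, so the client's data connection is aimed at the CPD port and the modelled check drops it, while the active PORT to 1025 is accepted. With thousands of files per session, each one drawing fresh random ports, the per-connection probability is small but the per-session chance of at least one hit is not, which is why the problem shows up in bulk uploads rather than single transfers.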