
[FW-1] AW: [FW-1] AW: [FW-1] NG: ftp reject: reason tried to open tcp service port, port XYZ



Well, I've tried to avoid that because this list is open to everyone and I
don't know if really everybody understands the implications such changes
will have. First, you have to change a file which carries basic definitions
from the vendor (and by the way, you have to track such changes and repeat
them every time you apply service or feature packs). Second, you have to
make these changes with a good editor (I would suggest "vi" of course) without
making mistakes. Otherwise your Policy will never compile anymore or you
disable security functions of your firewall. And third, you will do a
deliberate deactivation of the server port check of Check Point.

However, here you are:

Go into your base.def file (of course make a backup copy before) and just look
for the following two function definitions:

#define ftp_intercept_port(oneway) and #define ftp_intercept_pasv(oneway).

There you should find the sub-function call NOTSERVER_TCP_PORT(sr1) which is
defined a couple of lines before. The "sr1" means that this function gets
the value of segment register 1 that was filled with the server port value
in the line right above [set sr1 FTPPORT(FTPPORT_MATCH)]. And this is the point
you have the problem with. So simply change this line

from
NOTSERVER_TCP_PORT(sr1)
To
NOTSERVER_TCP_PORT(65535).

This will disable the port check in the sense that FW-1 always believes the
server port 65535 (just an example of a very likely unused port) is the one
to check and will never drop or reject it.

That's it in NG FP2.


-----Original Message-----
From: Sadir Al-khafaji [mailto:[email protected]]
Sent: Tuesday, 14 May 2002 09:39
To: [email protected]
Subject: Re: [FW-1] AW: [FW-1] NG: ftp reject: reason tried to open tcp
service port, port XYZ


Could you please be more precise?

Schaar, Norbert wrote:

> Of course, there is a way to change this behaviour even under NG but
> it will disable the port check functionality of all ftp data
> connections, don't know if this is really what you want. However,
> Check Point is suggesting not to do base.def changes in NG anymore but
> to call the technical Service instead. This should be the path to go,
> I think and, therefore, you didn't find any hint. Well, the way FW-1
> does this "dangerous port check" was seriously changed with NG FP2.
> The appropriate function definitions consist of new kernel function
> calls and when you change the wrong part, you will lose ALL ftp data
> connectivity... If you aren't afraid of that, go to the FTP macro
> definition part in base.def, find the NOTSERVER_TCP_PORT function
> (should be there two times) and replace the segment register there
> with a port number of your choice that will never be used as a service.
> This will do the trick but, again, I would stay away from that for
> support and security reasons.
>
> -----Original Message-----
> From: egonle [mailto:[email protected]]
> Sent: Monday, 13 May 2002 09:14
> To: [email protected]
> Subject: [FW-1] NG: ftp reject: reason tried to open tcp service port,
> port XYZ
>
>
> Hi,
>
> after upgrading our NG management server, v4.1SP5 modules reject
> different ftp sessions with the following info message:
> reason: tried to open tcp service port, port XYZ
>
> There's a secureknowledge document regarding this issue for the v4.1
> management server however I didn't find any hint how to change this
> behaviour for NG. Anyone else?
>
> Regards,
> Egonle.
>
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
>

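As an added example (not code from this thread, from Check Point, or from base.def itself), the following Python models the two things an administrator reading this exchange would want to be able to do: see what the "not a server TCP port" check does to a data port negotiated by an FTP PORT command or PASV reply (producing the reject reason quoted in the original report), and audit a base.def text to report whether NOTSERVER_TCP_PORT inside the two FTP intercept macros still receives sr1 or has been replaced by a literal port, so that the change described above is tracked across service and feature packs instead of silently outliving them. The service-port set, the regular expressions, the reference check and the base.def excerpt are constructed assumptions; only the identifiers named in the thread (ftp_intercept_port, ftp_intercept_pasv, NOTSERVER_TCP_PORT, sr1, FTPPORT, FTPPORT_MATCH) are real.

```python
import re

# Constructed for this example: a small set of well-known TCP service ports that an
# FTP data connection should never be allowed to target. FW-1 keeps its own table in
# the kernel; this set is an assumption used only to illustrate the check.
SERVICE_TCP_PORTS = {21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 512, 513, 514}

# Active mode: "PORT h1,h2,h3,h4,p1,p2"; passive mode: "227 ... (h1,h2,h3,h4,p1,p2)".
PORT_RE = re.compile(r"\bPORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
PASV_RE = re.compile(r"\b227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def data_port_from_ftp(line):
    """Return the data-connection port negotiated by a PORT command or a 227 PASV
    reply, or None if the line carries neither."""
    m = PORT_RE.search(line) or PASV_RE.search(line)
    if not m:
        return None
    p1, p2 = int(m.group(5)), int(m.group(6))
    return p1 * 256 + p2


def check_data_port(port, service_ports=SERVICE_TCP_PORTS):
    """Reference model of the server-port check discussed in the thread.
    NOTSERVER_TCP_PORT is Check Point's macro name; this function is an assumption
    about its intent, not the kernel code. Returns (accepted, reason)."""
    if port is None or not 0 < port < 65536:
        return False, "malformed or missing data port"
    if port in service_ports:
        # Same wording as the reject reason the modules logged in the original report.
        return False, "tried to open tcp service port, port %d" % port
    return True, ""


# Everything after "#define ftp_intercept_port(oneway)" / "...pasv(oneway)" up to the
# next #define is treated as that macro's body (layout assumption, see the lead-in).
FTP_MACRO_RE = re.compile(
    r"#define\s+(ftp_intercept_port|ftp_intercept_pasv)\s*\(oneway\)(.*?)(?=#define|\Z)",
    re.S,
)
NOTSERVER_RE = re.compile(r"NOTSERVER_TCP_PORT\(\s*([^)]*?)\s*\)")


def audit_base_def(text):
    """Report, for each FTP intercept macro, what NOTSERVER_TCP_PORT is called with.
    The check counts as intact only when every call still passes sr1; a literal port
    such as 65535 means the check has been neutralised as the thread describes."""
    findings = {}
    for m in FTP_MACRO_RE.finditer(text):
        name, body = m.group(1), m.group(2)
        args = NOTSERVER_RE.findall(body)
        findings[name] = {"args": args, "intact": bool(args) and all(a == "sr1" for a in args)}
    return findings


# Constructed base.def excerpt: the identifiers are the ones named in the thread, the
# surrounding layout is an assumption and not Check Point's file.
SAMPLE_BASE_DEF_INTACT = """\
#define ftp_intercept_port(oneway) \\
    set sr1 FTPPORT(FTPPORT_MATCH), \\
    NOTSERVER_TCP_PORT(sr1)
#define ftp_intercept_pasv(oneway) \\
    set sr1 FTPPORT(FTPPORT_MATCH), \\
    NOTSERVER_TCP_PORT(sr1)
"""
# The same excerpt after the edit described in the thread.
SAMPLE_BASE_DEF_DISABLED = SAMPLE_BASE_DEF_INTACT.replace(
    "NOTSERVER_TCP_PORT(sr1)", "NOTSERVER_TCP_PORT(65535)"
)

if __name__ == "__main__":
    for line in ("PORT 192,168,1,10,4,1", "227 Entering Passive Mode (10,0,0,5,0,80)"):
        port = data_port_from_ftp(line)
        print(line, "->", port, check_data_port(port))
    print("intact  :", audit_base_def(SAMPLE_BASE_DEF_INTACT))
    print("disabled:", audit_base_def(SAMPLE_BASE_DEF_DISABLED))
```

Running audit_base_def over the real base.def after every service or feature pack, and diffing the result against the last run, gives the change-tracking the first paragraph of the reply asks for: a macro whose argument is no longer sr1 is either the intentional edit or an unexpected regression, and either way it should be recorded rather than rediscovered.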