[FW-1] AW: [FW-1] AW: [FW-1] NG: ftp reject: reason tried to open tcp service port, port XYZ



Well, in 4.1 you can simply change the appropriate lines of the server port
check to

// ports which are dangerous to connect to
define NOTSERVER_TCP_PORT(p) {
                (not
                        ( p < 1024, set sr10 RCODE_SMALL_PORT, set sr11 0, set sr12 p,
                        set sr1 0, log bad_conn)
                )
};

and you will get the effect. This is well known and already distributed to some
knowledge bases (CP, Nokia) and FAQs (Phoneboy).

-----Original Message-----
From: Torkel Mathisen [mailto:[email protected]]
Sent: Tuesday, 14 May 2002 09:27
To: [email protected]
Subject: Re: [FW-1] AW: [FW-1] NG: ftp reject: reason tried to open tcp service port, port XYZ


Hi

How do you fix this problem in 4.1?  Same way?

Regards,
Torkel

> -----Original Message-----
> From: Schaar, Norbert [mailto:[email protected]]
> Sent: 13 May 2002 18:16
> To: [email protected]
> Subject: [FW-1] AW: [FW-1] NG: ftp reject: reason tried to open tcp
> service port, port XYZ
>
>
> Of course, there is a way to change this behaviour even under NG but
> it will disable the port check functionality of all ftp data
> connections, don't know if this is really what you want. However,
> Check Point is suggesting not to do base.def changes in NG anymore but
> to call the technical Service instead. This should be the path to go,
> I think and, therefore, you didn't find any hint.
> Well, the way FW-1 does this "dangerous port check" was seriously
> changed with NG FP2. The appropriate function definitions consist of
> new kernel function calls and when you change the wrong part, you will
> lose ALL ftp data connectivity...
> If you are not afraid of that, go to the FTP macro definition part in
> base.def, find the NOTSERVER_TCP_PORT function (should be there two
> times) and replace the segment register there with a port number of
> your choice that will never be used as a service. This will do the
> trick but, again, I would stay away from that for support and security
> reasons.
>
> -----Original Message-----
> From: egonle [mailto:[email protected]]
> Sent: Monday, 13 May 2002 09:14
> To: [email protected]
> Subject: [FW-1] NG: ftp reject: reason tried to open tcp service port,
> port XYZ
>
>
> Hi,
>
> after upgrading our NG management server, v4.1SP5 modules reject
> different ftp sessions with the following info message:
> reason: tried to open tcp service port, port XYZ
>
> There's a secureknowledge document regarding this issue for the v4.1
> management server however I didn't find any hint how to change this
> behaviour for NG. Anyone else?
>
> Regards,
> Egonle.
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================

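
Added example, not part of the original thread and not Check Point code: a Python model of the FTP data-port check discussed above, showing which PORT / 227 endpoints are rejected while the service-port test is in place and which pass once only the p < 1024 test remains. The service-port set, the sample lines and the wording of the small-port message are constructed assumptions.

```python
import re

# Constructed sample: high ports that a rule base defines as TCP services.
# On a real gateway this set comes from the installed policy (assumption).
DEFINED_TCP_SERVICES = {1433, 1521, 3306, 8080}

# Six comma-separated decimal fields: h1,h2,h3,h4,p1,p2
_ADDR = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

def data_endpoint(line):
    """Return (ip, port) from a PORT command or a 227 reply, else None."""
    text = line.strip()
    if not (text.upper().startswith("PORT ") or text.startswith("227 ")):
        return None
    m = _ADDR.search(text)
    if m is None:
        return None
    octets = [int(g) for g in m.groups()]
    if any(o > 255 for o in octets):
        return None  # malformed field, never treat as a valid endpoint
    return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]

def check_port(port, service_check=True):
    """Model of the data-port check; service_check=False is the edited macro."""
    if service_check and port in DEFINED_TCP_SERVICES:
        return "reject: tried to open tcp service port, port %d" % port
    if port < 1024:
        # Illustrative wording for the RCODE_SMALL_PORT case (assumption).
        return "reject: small port, port %d" % port
    return "accept"

def evaluate(line, service_check=True):
    endpoint = data_endpoint(line)
    if endpoint is None:
        return "reject: unparsable data endpoint"
    return check_port(endpoint[1], service_check)

# Constructed control-channel lines (documentation addresses, RFC 5737).
SAMPLES = [
    "PORT 192,0,2,10,19,137",                           # port 5001
    "PORT 192,0,2,10,5,153",                            # port 1433
    "PORT 192,0,2,10,0,25",                             # port 25
    "227 Entering Passive Mode (198,51,100,7,31,144)",  # port 8080
]

for s in SAMPLES:
    print(s, "|", evaluate(s), "|", evaluate(s, service_check=False))
```

The second and fourth sample lines are the ones whose verdict flips: with the service-port test removed, a data connection to a high port that the policy defines as a service is no longer stopped by this check.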



 
   All contents © 2004 Network Presence, LLC. All rights reserved.