
Re: [FW-1] Tried to open tcp service port: Reject



Hello Mario
Thanks for your response. The second option has helped. My initial communication has definitely succeeded with this change. However, I am now facing another problem - certain requests are being rejected as per rule number 999. I do not have any rule number 999, still I can see this rule being logged. Let me try a few more things to find out what this rule # 999 stands for.

Also, could you please verify if these steps are correct for creating a service of "other" type (I tried it but did not seem to have any luck, so I am not sure if I am doing it right):
        1. I am creating a new service where I choose the type "other"
        2. In the "IP Protocol" field, I am typing 17 (as 17 stands for tcp).
        3. Under Advanced properties, I am typing the Match string exactly as "dport = 4309" (without double quotes)

Thanks once again for your help.

Regards
Rakesh


-----Original Message-----
From: CAMUNAS,MARIO (HP-Spain,ex1) [mailto:[email protected]]
Sent: Thursday, November 21, 2002 12:57 AM
To: [email protected]
Subject: Re: [FW-1] Tried to open tcp service port: Reject


Hello:

        You can try two different things:

        1) Define the service as other instead of as TCP, recompile the policy
and install it. In this way checkpoint shouldn't treat the connection as TCP
and you will be able to connect to the server.

        2) Add this line in the file /etc/fw/lib/base.def

                #define NO_SERVER_PORT_CHECK
before this line
                #ifndef NO_SERVER_PORT_CHECK

        (this is the syntax for NG FP2, I don't know which is the exact
syntax for FP3, I suppose it is the same)

        recompile the policy, install it and try.

I hope this helps.

Regards,
Mario.
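As an added example, not part of this thread: a small Python model (an assumption, not Check Point's own INSPECT code) of how a defined TCP service port and the base.def NO_SERVER_PORT_CHECK macro interact with the two connections described in the thread (the host opening a connection from port 4309, the client connecting to port 4309), and of why an "other" service given IP protocol 17 never matches a TCP connection (IANA assigns protocol number 6 to TCP and 17 to UDP). The zone names, the rule table and the ephemeral ports 40000/51000 are constructed.

```python
from dataclasses import dataclass

IPPROTO_TCP, IPPROTO_UDP = 6, 17  # IANA protocol numbers: 6 is TCP, 17 is UDP

@dataclass(frozen=True)
class Packet:            # opening packet (TCP SYN) of a connection attempt
    proto: int
    src: str             # zone name: "inside" or "outside" (constructed)
    dst: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Service:
    kind: str            # "tcp" (port based) or "other" (IP protocol + match string)
    proto: int = IPPROTO_TCP
    port: int = 0        # used when kind == "tcp"
    match: str = ""      # used when kind == "other", e.g. "dport = 4309"

def service_matches(svc, pkt):
    if svc.kind == "tcp":
        return pkt.proto == IPPROTO_TCP and pkt.dport == svc.port
    if pkt.proto != svc.proto:   # an "other" service is keyed on the IP protocol first
        return False
    field, _, value = svc.match.replace(" ", "").partition("=")
    return getattr(pkt, field) == int(value)   # one-clause "dport = N" / "sport = N"

def inspect(pkt, services, rules, no_server_port_check=False):
    """services: name -> Service; rules: (src, dst, service name or 'any', action).
    Assumed model of the base.def check: a TCP connection opened *from* a port that
    is itself a defined TCP service is rejected unless NO_SERVER_PORT_CHECK is set."""
    tcp_ports = {s.port for s in services.values() if s.kind == "tcp"}
    if pkt.proto == IPPROTO_TCP and pkt.sport in tcp_ports and not no_server_port_check:
        return "reject", "Tried to open a known service request"
    for src, dst, svc, action in rules:
        if src in ("*", pkt.src) and dst in ("*", pkt.dst) and (
                svc == "any" or service_matches(services[svc], pkt)):
            return action, "rule matched service " + svc
    return "drop", "no rule matched"

def demo(kind_4309="tcp", other_proto=IPPROTO_TCP, no_server_port_check=False):
    """The thread's setup (constructed): 4309 as a TCP or an 'other' service."""
    services = {"p5403": Service("tcp", port=5403),
                "p4309": Service("tcp", port=4309) if kind_4309 == "tcp"
                         else Service("other", proto=other_proto, match="dport = 4309")}
    rules = [("outside", "inside", "p5403", "accept"),
             ("outside", "inside", "p4309", "accept"),
             ("inside", "outside", "any", "accept")]
    host_to_client = Packet(IPPROTO_TCP, "inside", "outside", 4309, 40000)
    client_to_host = Packet(IPPROTO_TCP, "outside", "inside", 51000, 4309)
    return {"host_from_4309": inspect(host_to_client, services, rules, no_server_port_check)[0],
            "client_to_4309": inspect(client_to_host, services, rules, no_server_port_check)[0]}
```

demo() returns "reject" for the host's connection from port 4309 with the default TCP service, "accept" for both connections with no_server_port_check=True or with kind_4309="other" and other_proto=6, and "drop" for the client's connection when the "other" service is given protocol 17.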

-----Original Message-----
From: Rakesh Bhatnagar [mailto:[email protected]]
Sent: Thursday, November 21, 2002 8:39 AM
To: [email protected]
Subject: [FW-1] Tried to open tcp service port: Reject


Hi

We are running NG-FP3 and are having a situation as follows:
We have a client (outside firewall) which connects to a host (inside the
firewall) on a particular TCP port (say 5403). In response, the internal
host is supposed to provide a specific TCP port number (say 4309) to the
client and then client is supposed to connect back to the host on port 4309
for further communication. I have created "Service" objects with port
numbers 5403 and 4309 and the corresponding rules as well (One rule for
Outside client to internal host via port # 5403 or 4309, and another rule
for internal host to outside client via any port).

When I check in the log, I see that the request has been rejected with the
following information:
        Interface: <Name of LAN side interface>
        Type:           Log
        Action: Reject
        Information: Reason: Tried to open a known service request
                        Protocol: TCP

As a result, the internal host is not able to pass the port number (4309)
information to outside client. The communication is rejected by the
firewall. And hence, the client never receives the port

As I can understand, since the internal host is trying to pass port number
4309 to the client, but this port is defined as a service port, which means
that the internal host is supposed to listen on this port rather than
connecting through this port, hence I am getting this communication failure.

My question is what can I do to have the internal host connect via port
number 4309. I have found a document (http://www.phoneboy.com/faq/0106.html)
similar to the problem that I am facing, but I couldn't use it for NG. Does
anybody have an idea what I can do to resolve this issue?

Your help is highly appreciated.

Thanks
Rakesh

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================