
Re: [FW-1] Tried to open tcp service port: Reject



Regarding your rule 999:

The 99x rules are dummy rule numbers that appear in DCE RPC specific
error logs. They indicate that the initial DCE RPC packets were
allowed, but something that happened later in the TCP stream did
not conform with the correct DCE RPC flow as FireWall-1 understands
it. Specifically: rule 998 indicates a client-to-server malformed
packet, rule 999 a server-to-client malformed packet and rule 997
that the client tried to switch to a UUID that was not allowed.

Regards,
Torkel

> -----Original Message-----
> From: Rakesh Bhatnagar [mailto:[email protected]]
> Sent: 22. november 2002 06:12
> To: [email protected]
> Subject: Re: [FW-1] Tried to open tcp service port: Reject
>
>
> Hello Mario
> Thanks for your response. The second option has helped. My
> initial communication has definitely succeeded with this
> change. However, I am now facing another problem - certain
> requests are being rejected as per rule number 999. I do not
> have any rule number 999, still I can see this rule being
> logged. Let me try a few more things to find out what this rule
> # 999 stands for.
>
> Also, could you please verify if these steps are correct for
> creating a service of "other" type (I tried it but did not
> seem to have any luck, so I am not sure if I am doing it right):
>         1. I am creating a new service where I choose the type "other"
>         2. In the "IP Protocol" field, I am typing 17 (as 17
> stands for tcp).
>         3. Under Advanced properties, I am typing the Match
> string exactly as "dport = 4309" (without double quotes)
>
> Thanks once again for your help.
>
> Regards
> Rakesh
>
>
> -----Original Message-----
> From: CAMUNAS,MARIO (HP-Spain,ex1) [mailto:[email protected]]
> Sent: Thursday, November 21, 2002 12:57 AM
> To: [email protected]
> Subject: Re: [FW-1] Tried to open tcp service port: Reject
>
>
> Hello:
>
>         You can try two different things:
>
>         1) Define the service as other instead of as TCP,
> recompile the policy
> and install it. In this way Checkpoint shouldn't treat the
> connection as TCP
> and you will be able to connect to the server.
>
>         2) Add this line in the file /etc/fw/lib/base.def
>
>                 #define NO_SERVER_PORT_CHECK
> before this line
>                 #ifndef NO_SERVER_PORT_CHECK
>
>         (this is the syntax for NG FP2; I don't know the exact
> syntax for FP3, I suppose it is the same)
>
>         recompile the policy, install it and try.
>
> I hope this helps.
>
> Regards,
> Mario.
>
> -----Original Message-----
> From: Rakesh Bhatnagar [mailto:[email protected]]
> Sent: Thursday, November 21, 2002 8:39 AM
> To: [email protected]
> Subject: [FW-1] Tried to open tcp service port: Reject
>
>
> Hi
>
> We are running NG-FP3 and are having a situation as follows:
> We have a client (outside firewall) which connects to a host
> (inside the
> firewall) on a particular TCP port (say 5403). In response,
> the internal
> host is supposed to provide a specific TCP port number (say
> 4309) to the
> client and then client is supposed to connect back to the
> host on port 4309
> for further communication. I have created "Service" objects with port
> numbers 5403 and 4309 and the corresponding rules as well
> (One rule for
> Outside client to internal host via port # 5403 or 4309, and
> another rule
> for internal host to outside client via any port).
>
> When I check in the log, I see that the request has been
> rejected with the
> following information:
>         Interface: <Name of LAN side interface>
>         Type:           Log
>         Action: Reject
>         Information: Reason: Tried to open a known service request
>                         Protocol: TCP
>
> As a result, the internal host is not able to pass the port
> number (4309)
> information to outside client. The communication is rejected by the
> firewall. And hence, the client never receives the port
>
> As I can understand, since the internal host is trying to
> pass port number
> 4309 to the client, but this port is defined as a service
> port, which means
> that the internal host is supposed to listen on this port rather than
> connecting through this port, hence I am getting this
> communication failure.
>
> My question is what can I do to have the internal host
> connect via port
> number 4309. I have found a document
> (http://www.phoneboy.com/faq/0106.html)
> similar to the problem that I am facing, but I couldn't use it for NG. Does
> anybody have an idea what I can do to resolve this issue.
>
> Your help is highly appreciated.
>
> Thanks
> Rakesh

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

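As an added example, not code from this thread or from Check Point, here is a small Python triage helper covering the two reject patterns discussed above: it maps the 997/998/999 dummy rule numbers to the meanings Torkel gives, tags the "Tried to open a known service request" reject with the two workarounds Mario gives, and sanity-checks the two fields Rakesh lists for a service of type "other". The log records are constructed to mirror the field layout Rakesh quotes; the interface name is made up. The one fact added beyond the thread is the IANA protocol numbering: TCP is protocol 6 and UDP is 17, so the number typed in step 2 of Rakesh's service definition selects UDP.

```python
"""Triage helper for the two FireWall-1 reject patterns discussed in this
thread.  Added example, not Check Point code: the record layout mirrors the
fields quoted in the thread, and the sample records are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Dummy rule numbers that never appear in the rule base, as explained in
# Torkel's reply: the initial DCE RPC packets were allowed, but a later part
# of the TCP stream did not match the DCE RPC flow FireWall-1 expects.
DCE_RPC_DUMMY_RULES = {
    997: "client tried to switch to a DCE RPC UUID that was not allowed",
    998: "malformed DCE RPC packet, client-to-server",
    999: "malformed DCE RPC packet, server-to-client",
}

KNOWN_SERVICE_REASON = "Tried to open a known service request"

# IANA protocol numbers for the two transports a service object usually wraps.
IP_PROTOCOL_NAMES = {6: "TCP", 17: "UDP"}


@dataclass
class Finding:
    rule: Optional[int]
    action: str
    explanation: str


def parse_record(text: str) -> Dict[str, str]:
    """Parse 'Key: Value' lines into a dict with lower-cased keys.

    'Information:' is a container in the quoted log: its 'Reason:' and
    'Protocol:' sub-fields are lifted to the top level."""
    fields: Dict[str, str] = {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if line.startswith("Information:"):
            line = line[len("Information:"):].strip()
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip().lower()] = value.strip()
    return fields


def triage(text: str) -> Finding:
    """Map one log record to the explanation given in the thread."""
    f = parse_record(text)
    action = f.get("action", "")
    rule_text = f.get("rule", "")
    rule = int(rule_text) if rule_text.isdigit() else None
    reason = f.get("reason", "")

    if rule in DCE_RPC_DUMMY_RULES:
        explanation = (f"rule {rule} is a DCE RPC dummy rule, not a rule-base "
                       f"entry: {DCE_RPC_DUMMY_RULES[rule]}")
    elif reason.startswith(KNOWN_SERVICE_REASON):
        explanation = ("rejected with the reason quoted in the thread; the "
                       "workarounds given there are a service of type 'other' "
                       "or defining NO_SERVER_PORT_CHECK in base.def")
    else:
        explanation = "no thread-specific explanation"
    return Finding(rule, action, explanation)


def check_other_service(ip_protocol: int, match: str, intended: str) -> List[str]:
    """Sanity-check the two fields Rakesh lists for a service of type 'other'.

    Returns a list of problems (empty when the definition is consistent).
    Only the protocol number and the shape of the match string are checked;
    the INSPECT syntax itself is not validated here."""
    problems: List[str] = []
    name = IP_PROTOCOL_NAMES.get(ip_protocol)
    if name != intended.upper():
        problems.append(f"IP protocol {ip_protocol} is "
                        f"{name or 'neither TCP nor UDP'}, not {intended.upper()}")
    m = re.fullmatch(r"dport\s*=\s*(\d{1,5})", match.strip())
    if m is None or not 0 < int(m.group(1)) < 65536:
        problems.append(f"match string {match!r} is not of the form 'dport = <port>'")
    return problems


# Constructed records: the interface name and field order are made up to
# match the layout quoted in the thread.
SAMPLE_KNOWN_SERVICE = """
    Interface: eth1
    Type: Log
    Action: Reject
    Information: Reason: Tried to open a known service request
                 Protocol: TCP
"""

SAMPLE_DCE_RPC_999 = """
    Interface: eth1
    Type: Log
    Action: Reject
    Rule: 999
    Information: Protocol: TCP
"""

if __name__ == "__main__":
    for rec in (SAMPLE_KNOWN_SERVICE, SAMPLE_DCE_RPC_999):
        print(triage(rec))
    # As typed in the thread: protocol 17 with a TCP port.  17 is UDP; TCP is 6.
    print(check_other_service(17, "dport = 4309", "tcp"))
    print(check_other_service(6, "dport = 4309", "tcp"))
```

Run it as a script to see both constructed records classified and the service definition checked with protocol 17 and then 6; only the second returns no problems.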
   All contents © 2004 Network Presence, LLC. All rights reserved.