Re: [FW-1] ftp rejects


  • To: [email protected]
  • Subject: Re: [FW-1] ftp rejects
  • From: "Mellor, Derin" <[email protected]>
  • Date: Wed, 18 Dec 2002 10:26:44 -0000
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-index: AcKl8RQTW7rx7CWKQh2+SRUH6wvclAAip+Ej
  • Thread-topic: Re: [FW-1] ftp rejects

This might be of interest... (I'm sure there are alternative solutions to this...)
 
I was dealing with a site which was running an FTP that negotiated SSL communications.
 
Normally CP allows the ftp command session (port 21) and monitors it to see how the data session will be established:
    PASSIVE (client initiated data session) source port 20 and destination port >=1024
    ACTIVE (server initiated data session) source port 20 and destination port >=1024.
From this CP will allow the data connection. Likewise the host machine looks at this and listens on the correct port for the incoming connection.
 
However, in this environment the command session moved into an SSL mode so that the command and all the data sessions were encrypted.
Initially CP accepted the command session (and this is reported in the log), but as it could not 'inspect' the command session, it blocked all data sessions.
 
To get round this I created a new 'primitive' service SecureFTP: TCP port 21
The FTP Client was configured to only make PASSIVE mode data sessions (i.e. the client initiates the connection).
From this I created a rule: src X, dst Y, service SecureFTP and TCPHighPorts
 
When this FTP connection matches it allows the command session.
Subsequent data sessions are allowed with the TCPHighPorts
 
The concern here is that all TCPHighPorts are open between src X and dst Y.
This means that any hacker/virus/trojan could probe through on high ports, but at least you can be explicit as to the source and destinations.
 
INSPECT code could be written which would only allow the src X, dst Y service TCPHighPort if a srcX, dstY service SecureFTP existed.
 
Derin
 
NOTE1: Just using the rule srcX, dstY, service FTP and TCPHighPorts did not work! I can only assume that the default FTP service is monitoring more of the structure before it allows the connection.
 
NOTE2: Matching with a service ANY will always use the default FTP service.
 
-----Original Message-----
From: Crist Clark [mailto:[email protected]]
Sent: Tue 17/12/2002 16:51
To: [email protected]
Cc:
Subject: Re: [FW-1] ftp rejects

"Gil, Ruben" wrote:
>
>         Hello,
>
>         Some of my ftp connections are refused by the firewall NG FP2. I
> can see in the log the following message:
>
>          "reason tried to open a known service port, port 6527 protocol
> tcp"
>
>         I know how to repair in fw-1 4.1, but I don't know how to do it
> in NG FP2.

  http://www.phoneboy.com/fom/fom.pl?_highlightWords=range&file=406

--
Crist J. Clark                               [email protected]
Globalstar Communications                               





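As an added illustration, not part of Derin's post and not Check Point's own INSPECT code: a small Python model of what an FTP-aware firewall learns by reading the control channel, and why it learns nothing once the client and server switch that channel to TLS. It parses the client's PORT command and the server's 227 passive-mode reply into one expected data connection each (a "pinhole"), marks the session opaque after AUTH TLS is accepted with a 234 reply, and then decides data connections either from a pinhole or, as a fallback, from a broad src X / dst Y high-port rule like the one in the message. The addresses, ports, command lines and the TLS record bytes are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# 227 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -> server address and port
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# PORT command: "PORT h1,h2,h3,h4,p1,p2" -> client address and port, same encoding
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)


def decode_hostport(groups) -> Tuple[str, int]:
    """Turn the six comma-separated FTP numbers into (ip, port); port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class Pinhole:
    src_ip: str      # the side that will initiate the data connection
    dst_ip: str
    dst_port: int


@dataclass
class FtpTracker:
    """State for one control session between a client and a server (constructed model)."""
    client_ip: str
    server_ip: str
    encrypted: bool = False
    auth_pending: bool = False
    pinholes: List[Pinhole] = field(default_factory=list)

    def observe(self, direction: str, line: str) -> Optional[Pinhole]:
        """Feed one control-channel line; direction is 'c2s' or 's2c'. Returns any pinhole opened."""
        if self.encrypted:
            return None                     # only ciphertext from here on: nothing to learn
        text = line.strip()
        if direction == "c2s":
            if text.upper().startswith(("AUTH TLS", "AUTH SSL")):
                self.auth_pending = True    # client asked to upgrade; wait for the server's verdict
                return None
            m = PORT_RE.match(text)
            if m:                           # active mode: server connects to the client's port
                ip, port = decode_hostport(m.groups())
                hole = Pinhole(self.server_ip, ip, port)
                self.pinholes.append(hole)
                return hole
        else:
            if self.auth_pending and text.startswith("234"):
                self.encrypted = True       # server accepted AUTH; TLS handshake follows
                self.auth_pending = False
                return None
            m = PASV_RE.match(text)
            if m:                           # passive mode: client connects to the server's port
                ip, port = decode_hostport(m.groups())
                hole = Pinhole(self.client_ip, ip, port)
                self.pinholes.append(hole)
                return hole
        return None

    def data_connection_allowed(self, src_ip: str, dst_ip: str, dst_port: int,
                                high_port_rule: bool = False) -> bool:
        """Allow a data connection if it matches a learned pinhole (consumed once),
        else only if the static 'src X, dst Y, TCPHighPorts' rule is in place."""
        hole = Pinhole(src_ip, dst_ip, dst_port)
        if hole in self.pinholes:
            self.pinholes.remove(hole)
            return True
        return (high_port_rule and src_ip == self.client_ip
                and dst_ip == self.server_ip and dst_port >= 1024)


def demo() -> dict:
    """Three constructed sessions: plain passive, plain active, and FTPS."""
    client, server = "198.51.100.5", "192.0.2.10"   # constructed addresses
    r = {}

    t = FtpTracker(client, server)                  # 1. plain passive FTP
    t.observe("c2s", "PASV")
    t.observe("s2c", "227 Entering Passive Mode (192,0,2,10,39,16)")   # port 39*256+16 = 10000
    r["pasv_expected"] = t.data_connection_allowed(client, server, 10000)
    r["pasv_probe"] = t.data_connection_allowed(client, server, 6527)  # not announced: denied

    t = FtpTracker(client, server)                  # 2. plain active FTP
    t.observe("c2s", "PORT 198,51,100,5,4,1")                           # port 4*256+1 = 1025
    r["port_expected"] = t.data_connection_allowed(server, client, 1025)

    t = FtpTracker(client, server)                  # 3. FTPS: control channel goes opaque
    t.observe("c2s", "AUTH TLS")
    t.observe("s2c", "234 Proceed with negotiation.")
    r["tls_learned"] = t.observe("s2c", "\x16\x03\x01\x00\xa5...")    # TLS record bytes, constructed
    r["tls_no_rule"] = t.data_connection_allowed(client, server, 10000)
    r["tls_high_port_rule"] = t.data_connection_allowed(client, server, 10000, high_port_rule=True)
    r["tls_probe_passes_too"] = t.data_connection_allowed(client, server, 6527, high_port_rule=True)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two results in `demo()` are the trade-off the message describes: with the control channel encrypted the tracker opens no pinholes, so the only way the passive data session gets through is the static high-port rule, and that same rule also passes a connection to any other high port between X and Y.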