From: Charalambos Klitiropoulos <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: Re: [FW-1] Firewall dropping packets
Date: Fri, 30 Dec 2005 00:02:21 +0200
A client of mine had the same problem and I had to investigate it. It is
one of the checks that FW-1 performs on FTP sessions (although it doesn't
matter if you actually have an FTP server behind your firewall). As you
probably know, there is an attack on (old) FTP servers where someone could
open a connection to a third server by issuing a false PORT command. FW-1
does not allow connections to TCP ports for which a TCP service object
exists, the logic being that 'if there is an object defined for that port,
it is likely that an internal server exists that listens on that port'.
One had to edit the base.def file in old versions, but since Check Point
introduced SmartDefense they have included the ability to tweak this
setting through SmartDashboard.
On 24/12/05, Ray <[EMAIL PROTECTED]> wrote:
>
> Yeah, it's a weird message for sure. "tried to open a known service port" -
> Near as I can figure, if you have a service defined as using a specific
> port, something trying to connect to that port will trip this block. It
> may have been a relevant defense tactic when firewalls only had a few
> ports defined, but it sure causes problems now for everything above 1023.
>
> We hit it when we were using Outlook through FW-1. It uses random high
> ports to communicate with Exchange. We would keep seeing this drop
> intermittently in the logs when Outlook picked a random port that was
> defined as a service on the firewall.
>
> I suspect Lindsay is correct; this is a protection that got moved into
> SmartDefense when it originally wasn't there.
>
> Ray
>
> >From: Lindsay Hill <[EMAIL PROTECTED]>
> >Reply-To: Mailing list for discussion of Firewall-1
> ><[email protected]>
> >To: [email protected]
> >Subject: Re: [FW-1] Firewall dropping packets
> >Date: Fri, 23 Dec 2005 17:26:13 +0000
> >
> >Doesn't matter what your logs say they were generated by, Ray's solution
> >is the correct one. It is SmartDefense. It may not say that, since that
> >particular protection/setting has been around for a while, possibly
> >(can't quite remember) from before SmartDefense was called that.
> >
> >
> >On 23 Dec 2005, at 13:15, Tauseef Khan wrote:
> >
> >>Thanks Ray
> >>
> >>That's definitely helped, but quite surprisingly these logs weren't
> >>generated by SmartDefense, rather they were generated by VPN1&Firewall1.
> >>Any ideas?
> >>
> >>Kind regards
> >>Tauseef
> >>
> >>-----Original Message-----
> >>From: Mailing list for discussion of Firewall-1
> >>[mailto:[EMAIL PROTECTED] On Behalf Of Ray
> >>Sent: 22 December 2005 19:33
> >>To: [email protected]
> >>Subject: Re: [FW-1] Firewall dropping packets
> >>
> >>
> >>It's a SmartDefense drop. You have to change SmartDefense to allow
> >>connections to all ports:
> >>
> >>Network Security
> >>Dynamic Ports
> >>Select the top radio button
> >>
> >>Ray
> >>
> >>>From: Tauseef Khan <[EMAIL PROTECTED]>
> >>>Reply-To: Mailing list for discussion of Firewall-1
> >>><[email protected]>
> >>>To: [email protected]
> >>>Subject: [FW-1] Firewall dropping packets
> >>>Date: Thu, 22 Dec 2005 15:45:48 -0000
> >>>
> >>>I am getting the following error message in the firewall logs with no
> >>>rule number against that. Any ideas.
> >>>
> >>>"reason: tried to open a known service port,;protocol:tcp; port_svc:
> >>>ICKiller"
> >>>
> >>>
> >>>Kind regards
> >>>
> >>>
> >>>
> >>>*************************************************
> >>>For addressee only. No legally binding commitments will be created by
> >>>this
> >>>e-mail message. Where we intend to create legally binding commitments
> >>these
> >>>will be made through hard copy correspondence or documents.
> >>>
> >>>3i Investments plc
> >>>Registered office: 91 Waterloo Road
> >>> London SE1 8XP
> >>>Registered no:3975789
> >>>Authorised and Regulated by the Financial Services Authority
> >>>
> >>>If you are not the intended recipient it may be unlawful for you to
> >>>read,
> >>>copy, distribute, disclose or otherwise use the information in this
> >>e-mail.
> >>>If you are not the intended recipient please contact us immediately.
> >>E-mail
> >>>may be susceptible to data corruption, interception and unauthorised
> >>>amendment, and we do not accept liability for any such corruption,
> >>>interception or amendment or the consequences thereof.
> >>>
> >>>3i is committed to following policies which protect your privacy and
> >>>comply
> >>>with current international data protection laws and regulations in
> >>respect
> >>>of personal data. Further details of these policies can be found at
> >>>www.3i.com.
> >>>*************************************************
> >>>
> >>>
> >>>=================================================
> >>>To set vacation, Out-Of-Office, or away messages,
> >>>send an email to [EMAIL PROTECTED]
> >>>in the BODY of the email add:
> >>>set fw-1-mailinglist nomail
> >>>=================================================
> >>>To unsubscribe from this mailing list,
> >>>please see the instructions at
> >>>http://www.checkpoint.com/services/mailing.html
> >>>=================================================
> >>>If you have any questions on how to change your
> >>>subscription options, email
> >>>[EMAIL PROTECTED]
> >>>=================================================
> >>
> >
>
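As an added illustration of the check described in this thread (example code written for this page, not Check Point's implementation), the following Python models the decision FW-1 makes on an FTP PORT command: parse the host and port the client asks for, and drop the data connection when that port matches a TCP service object defined on the firewall, unless the "allow all ports" choice from the SmartDefense Dynamic Ports setting is in effect. The service object names and ports, the client addresses and the PORT commands are all constructed for the example. The optional client_ip check (PORT host must equal the control-connection client) is the classic FTP bounce defence and goes beyond what the thread attributes to FW-1; it is included only to show the attack the protection was originally aimed at.

```python
"""Model of the FW-1 'tried to open a known service port' drop.

Constructed example, not Check Point code.  The firewall drops a dynamically
requested data connection when its target port is bound to a TCP service
object, on the theory that an object for that port means an internal server
listens there.  Switching SmartDefense Dynamic Ports to 'allow all ports'
disables the check.
"""
import re
from dataclasses import dataclass

# Hypothetical TCP service objects defined on the firewall (name -> port).
# Constructed for this example; the object named in the thread is not used.
SERVICE_OBJECTS = {
    "http": 80,
    "ftp": 21,
    "app-listener": 6001,   # an above-1023 object a client may pick at random
}

PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port_command(line):
    """Parse 'PORT h1,h2,h3,h4,p1,p2' into (host, port); None if malformed."""
    m = PORT_RE.match(line.strip())
    if m is None:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    if port == 0:
        return None
    return host, port


def known_service_for(port, services=SERVICE_OBJECTS):
    """Name of the TCP service object bound to this port, or None."""
    for name, svc_port in services.items():
        if svc_port == port:
            return name
    return None


@dataclass(frozen=True)
class Verdict:
    action: str   # "accept" or "drop"
    reason: str   # text in the style of the FW-1 log field quoted in the thread


def check_dynamic_port(port_command, client_ip=None, allow_all_ports=False,
                       services=SERVICE_OBJECTS):
    """Decide whether the data connection requested by a PORT command is opened.

    allow_all_ports=True corresponds to the 'allow connections to all ports'
    choice Ray describes; False is the default behaviour the thread is debugging.
    client_ip, when given, adds the classic FTP bounce check (assumption: the
    thread does not say FW-1 performs this particular comparison).
    """
    parsed = parse_port_command(port_command)
    if parsed is None:
        return Verdict("drop", "malformed PORT command")
    host, port = parsed
    if client_ip is not None and host != client_ip:
        return Verdict("drop", f"PORT host {host} differs from client {client_ip} (bounce attempt)")
    if allow_all_ports:
        return Verdict("accept", f"dynamic port {port} allowed: all ports permitted")
    name = known_service_for(port, services)
    if name is not None:
        return Verdict("drop", f"tried to open a known service port,;protocol:tcp; port_svc: {name}")
    return Verdict("accept", f"dynamic port {port} allowed: no service object bound")


if __name__ == "__main__":
    # Constructed PORT commands: an ordinary data port, one that happens to
    # collide with a defined service object (the Outlook-style false positive),
    # and a bounce attempt aimed at a third host.
    for cmd, ip in [("PORT 10,0,0,5,195,81", "10.0.0.5"),
                    ("PORT 10,0,0,5,23,113", "10.0.0.5"),
                    ("PORT 192,168,1,9,0,80", "10.0.0.5")]:
        v = check_dynamic_port(cmd, client_ip=ip)
        print(f"{cmd:24} -> {v.action}: {v.reason}")
```

The second command asks for port 23*256+113 = 6001, which collides with the hypothetical app-listener object and is dropped with the same reason text seen in the original logs; re-running it with allow_all_ports=True accepts it, which is the effect of the SmartDashboard change recommended in the thread.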