Thanks for the detailed reply. That's pretty much what was happening to us with Outlook and Exchange.

Ray


From: Charalambos Klitiropoulos <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
To: [email protected]
Subject: Re: [FW-1] Firewall dropping packets
Date: Fri, 30 Dec 2005 02:07:11 +0200

Yes, that's the one. For the record, my client had a server in one of his
DMZs that communicated with an internal server using RPC and dynamically
assigned ports. When the two systems chose a port such as TCP/3389 (Terminal
Services) or other high port that was used in a service object the firewall
would deny the connection. After doing a quick search in CP's knowledge base
I found Solution ID #sk21018. Here is what it says:

Symptoms

   - Error: "Tried to open tcp service port: <service name>" in SmartView
   Tracker
   - File Transfer Protocol (FTP) connections are being dropped on rule
   zero (0)
   - Remote Shell (RSH) connections are being dropped on rule zero (0)
   - Other services/protocols connections are being dropped on rule zero
   (0)

Cause

The "data connection" of the attempted connection is trying to use a port
from the predefined list of VPN-1/FireWall-1 services.

Solution

1) Log into SmartDashboard.
2) Click on the SmartDefense Policy Tab.
3) In the left pane, click to open "Network Security".
4) Under "Network Security" click on "Dynamic Ports".
5) In the right pane click to check (enable) "Block data connections on low
ports" and click the radio button to enable "Allow data connections to all
defined services' ports".
6) Install the policy.

Applies To:

   - VPN-1/FireWall-1 NG with Application Intelligence R54 & R55
   - SmartDefense
   - Any service where there is a dynamic data connection




On 30/12/05, Ray <[EMAIL PROTECTED]> wrote:
>
> Are you thinking of the FTP Bounce attack? That protection is one of the
> ones in SmartDefense that cannot be disabled (as I recall). Seems to me
> it's a defect in the FTP protocol, so if you have something that follows
> the protocol, then you are susceptible.
>
> Ray
>
> >From: Charalambos Klitiropoulos <[EMAIL PROTECTED]>
> >Reply-To: Mailing list for discussion of Firewall-1
> ><[email protected]>
> >To: [email protected]
> >Subject: Re: [FW-1] Firewall dropping packets
> >Date: Fri, 30 Dec 2005 00:02:21 +0200
> >
> >A client of mine had the same problem and I had to investigate it. It is
> >one of the checks that FW-1 performs on FTP sessions (although it doesn't
> >matter if you actually have an FTP server behind your firewall). As you
> >probably know there is an attack for (old) FTP servers where someone could
> >open a connection to a third server by issuing a false PORT command. FW-1
> >does not allow connections to TCP ports for which a TCP service object
> >exists, the logic being that 'if there is an object defined for that port,
> >it is likely that an internal server exists that listens to that port'.
> >One had to edit the base.def file in old versions, but since Check Point
> >introduced SmartDefense they included the ability to tweak this setting
> >through SmartDashboard.
> >
> >On 24/12/05, Ray <[EMAIL PROTECTED]> wrote:
> > >
> > > Yeah, it's a weird message for sure. "tried to open a known service
> > > port" - Near as I can figure, if you have a service defined as using a
> > > specific port, something trying to connect to that port will trip this
> > > block. It may have been a relevant defense tactic when firewalls only
> > > had a few ports defined, but it sure causes problems now for everything
> > > above 1023.
> > >
> > > We hit it when we were using Outlook through FW-1. It uses random high
> > > ports to communicate with Exchange. We would keep seeing this drop
> > > intermittently in the logs when Outlook picked a random port that was
> > > defined as a service on the firewall.
> > >
> > > I suspect Lindsay is correct; this is a protection that got moved into
> > > SmartDefense when it originally wasn't there.
> > >
> > > Ray
> > >
> > > >From: Lindsay Hill <[EMAIL PROTECTED]>
> > > >Reply-To: Mailing list for discussion of Firewall-1
> > > ><[email protected]>
> > > >To: [email protected]
> > > >Subject: Re: [FW-1] Firewall dropping packets
> > > >Date: Fri, 23 Dec 2005 17:26:13 +0000
> > > >
> > > >Doesn't matter what your logs say they were generated by, Ray's
> > > >solution is the correct one. It is SmartDefense. It may not say that,
> > > >since that particular protection/setting has been around for a while,
> > > >possibly (can't quite remember) from before SmartDefense was called
> > > >that.
> > > >
> > > >
> > > >On 23 Dec 2005, at 13:15, Tauseef Khan wrote:
> > > >
> > > >>Thanks Ray
> > > >>
> > > >>That's definitely helped, but quite surprisingly these logs weren't
> > > >>generated by SmartDefense, rather they were generated by
> > > >>VPN1&Firewall1. Any ideas?
> > > >>
> > > >>Kind regards
> > > >>Tauseef
> > > >>
> > > >>-----Original Message-----
> > > >>From: Mailing list for discussion of Firewall-1
> > > >>[mailto:[EMAIL PROTECTED] On Behalf Of Ray
> > > >>Sent: 22 December 2005 19:33
> > > >>To: [email protected]
> > > >>Subject: Re: [FW-1] Firewall dropping packets
> > > >>
> > > >>
> > > >>It's a SmartDefense drop. You have to change SmartDefense to allow
> > > >>connections to all ports,
> > > >>
> > > >>Network Security
> > > >>Dynamic Ports
> > > >>Select the top radio button
> > > >>
> > > >>Ray
> > > >>
> > > >>>From: Tauseef Khan <[EMAIL PROTECTED]>
> > > >>>Reply-To: Mailing list for discussion of Firewall-1
> > > >>><[email protected]>
> > > >>>To: [email protected]
> > > >>>Subject: [FW-1] Firewall dropping packets
> > > >>>Date: Thu, 22 Dec 2005 15:45:48 -0000
> > > >>>
> > > >>>I am getting the following error message in the firewall logs with
> > > >>>no rule number against that.  Any ideas?
> > > >>>
> > > >>>"reason: tried to open a known service port,;protocol:tcp;
> > > >>>port_svc: ICKiller"
> > > >>>
> > > >>>
> > > >>>Kind regards
> > > >>>
>
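As an added illustration, and not code from any of the list participants or from Check Point, the following Python picks the rule-0 "tried to open a known service port" drops out of log lines in the ';'-separated key:value shape Tauseef quoted, tallies them by the service object that was hit (so the colliding port can be read off the service table), and models how the SmartDefense Dynamic Ports options from sk21018 decide whether a negotiated data port is refused. The service names, ports and log lines are constructed, and the decision function is a simplified model of the behaviour the thread describes, not Check Point's implementation.

```python
from collections import Counter

# Constructed service objects (name -> TCP port), standing in for the objects
# defined in SmartDashboard; names and ports are made up for this example.
SERVICE_OBJECTS = {"ICKiller": 7998, "Remote_Desktop_Protocol": 3389, "ftp": 21}

# Constructed log lines in the ';'-separated key:value style quoted in the thread.
LOG_LINES = [
    "action:drop; rule:0; reason: tried to open a known service port,;protocol:tcp; port_svc: ICKiller",
    "action:accept; rule:12; src:10.1.2.3; dst:10.9.9.9; service:http",
    "action:drop; rule:0; reason: tried to open a known service port,;protocol:tcp; port_svc: Remote_Desktop_Protocol",
    "action:drop; rule:0; reason: tried to open a known service port,;protocol:tcp; port_svc: ICKiller",
]

KNOWN_PORT_REASON = "tried to open a known service port"


def parse_log_line(line):
    """Split one log line into a dict, tolerating the stray ',' before ';'."""
    fields = {}
    for chunk in line.split(";"):
        chunk = chunk.strip().rstrip(",")
        if ":" in chunk:
            key, value = chunk.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def known_port_drops(lines):
    """Tally rule-0 drops from the 'known service port' check by the service
    object that was hit, and look up the port that object defines."""
    hits = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("rule") == "0" and KNOWN_PORT_REASON in rec.get("reason", ""):
            hits[rec.get("port_svc", "?")] += 1
    return {name: (count, SERVICE_OBJECTS.get(name)) for name, count in hits.items()}


def data_connection_allowed(port, block_low_ports, allow_all_defined_ports):
    """Simplified model of the Dynamic Ports decision described in the thread
    (an assumption, not Check Point's code): a negotiated data port is refused
    when it collides with a defined service object unless the 'Allow data
    connections to all defined services' ports' option is on; with 'Block data
    connections on low ports' enabled, ports below 1024 are refused regardless."""
    if block_low_ports and port < 1024:
        return False
    if port in SERVICE_OBJECTS.values() and not allow_all_defined_ports:
        return False
    return True
```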

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================