Ok, I've figured it out. In NGx, it is under SmartDefense, dynamic ports.

In NG with AI R55, it is listed under "port scan" and "dynamic ports" is a sub-section of port scan.

Everything is working now.

Ray <[EMAIL PROTECTED]> wrote:
I'm not familiar with how you set SmartDefense to just block "known ports" 
for FTP only. Usually it's a global setting where "known ports" means "any 
service that is defined in FW-1, regardless of what it is". Where do you set 
that up?

What are you trying to accomplish? I've used the FTP security server to 
allow FTP downloads but block all except a group from performing FTP 
uploads.

Ray


>From: cisco4ng 
>Reply-To: Mailing list for discussion of Firewall-1 
>
>To: [email protected]
>Subject: [FW-1] SmartDefense and FTP blocking "known ports"
>Date: Sat, 11 Aug 2007 05:58:28 -0700
>
>Redhat_VSFTPD_Server---CP_FW---Gentoo_Linux_Client
>
> The checkpoint firewall is running IPSO 4.1 build 33
>with NGx R61 with HFA_02. It is being managed by
>a Provider-1 (SPLAT) NGx R61 with HFA_02. There is
>no NAT on the firewall, just routing.
>
> I enable SmartDefense on the CMA to block all known
>ports for FTP. I have a very simple rule:
>
> Any Any FTP accept log
>
> On the FTP Server, I modified the vsftpd.conf
>file to allow passive mode and specify the passive
>range between 1520 and 1800. After that, I
>restarted the vsftpd daemon (service vsftpd restart).
>
> Now from the gentoo linux client, I perform ftp
>connection (ftp 192.168.15.10) to the ftp server
>with a valid account on the ftp server:
>
> Gen2Linux ~ # cd /tmp
>Gen2Linux tmp # ftp 192.168.15.10
>Connected to 192.168.15.10 (192.168.15.10).
>220 (vsFTPd 1.2.0)
>Name (192.168.15.10:root): admin
>530 Please login with USER and PASS.
>SSL not available
>331 Please specify the password.
>Password:
>230 Login successful.
>Remote system type is UNIX.
>Using binary mode to transfer files.
>ftp> bin
>200 Switching to Binary mode.
>ftp> prompt
>Interactive mode off.
>ftp> hash
>Hash mark printing on (1024 bytes/hash mark).
>ftp> passive
>Passive mode on.
>ftp> ls
>227 Entering Passive Mode (192,168,15,10,6,16)
>150 Here comes the directory listing.
>drwxr-xr-x 8 501 501 4096 Jul 04 04:23 Service
>-rw-r--r-- 1 501 501 37918648 Jul 03 21:34 ipso371build020.tgz
>drwxr-xr-x 4 501 501 4096 Jul 04 03:53 replica_package
>226 Directory send OK.
>ftp>
> On the FTP Server, this is what I am seeing:
>
> [EMAIL PROTECTED] root]# tcpdump -i eth0 -n host 198.147.14.60
>tcpdump: listening on eth0
>09:52:05.917006 198.147.14.60.50586 > 192.168.15.10.h323gatedisc: S 
>3181618356:3181618356(0) win 5840 >0,nop,wscale 2> (DF)
>09:52:05.917058 192.168.15.10.h323gatedisc > 198.147.14.60.50586: S 
>1475061600:1475061600(0) ack 3181618357 win 5792 >12209006 14945005,nop,wscale 
>0> (DF)
>09:52:05.917998 198.147.14.60.50586 > 192.168.15.10.h323gatedisc: . ack 1 
>win 1460 (DF)
>09:52:05.918140 198.147.14.60.56826 > 192.168.15.10.ftp: P 42:48(
>09:52:13.172622 198.147.14.60.55101 > 192.168.15.10.gdp-port: . ack 1 win 
>1460 (DF)
>09:52:13.172843 198.147.14.60.56826 > 192.168.15.10.ftp: P 150:156(6) ack 
>1386 win 1460 (DF) [tos 0x10]
>09:52:13.173021 192.168.15.10.ftp > 198.147.14.60.56826: P 1386:1425(39) 
>ack 156 win 5792 (DF)
>09:52:13.173284 192.168.15.10.gdp-port > 198.147.14.60.55101: P 1:302(301) 
>ack 1 win 5792 (DF) [tos 0x8]
>09:52:13.173322 192.168.15.10.ftp > 198.147.14.60.56826: P 1425:1449(24) 
>ack 156 win 5792 (DF)
>09:52:13.173359 192.168.15.10.gdp-port > 198.147.14.60.55101: F 302:302(0) 
>ack 1 win 5792 (DF) [tos 0x8]
>09:52:13.174689 198.147.14.60.55101 > 192.168.15.10.gdp-port: . ack 302 win 
>1728 (DF) [tos 0x8]
>09:52:13.175077 198.147.14.60.55101 > 192.168.15.10.gdp-port: F 1:1(0) ac
>09:54:39.799188 198.147.14.60.59197 > 192.168.15.10.sa-msg-port: S 
>3337646170:3337646170(0) win 5840 >0,nop,wscale 2> (DF)
>09:54:39.799262 192.168.15.10.sa-msg-port > 198.147.14.60.59197: S 
>1620672975:1620672975(0) ack 3337646171 win 5792 >12224394 14960393,nop,wscale 
>0> (DF)
>09:54:39.800184 198.147.14.60.59197 > 192.168.15.10.sa-msg-port: . ack 1 
>win 1460 (DF)
>09:54:39.800330 198.147.14.60.45607 > 192.168.15.10.ftp: P 293:299(6) ack 
>2417 win 1460 (DF) [tos 0x10]
>09:55:01.059062 198.147.14.60.39612 > 192.168.15.10.tftp-mcast: S 
>3363041828:3363041828(0) win 5840 >0,nop,wscale 2> (DF)
>09:55:01.059142 192.168.15.10.tftp-mcast > 198.147.14.60.39612: S 
>1651134495:1651134495(0) ack 3363041829 win 5792 >12226520 14962519,nop,wscale 
>0> (DF)
>09:55:01.060111 198.147.14.60.39612 > 192.168.15.10.tftp-mcast: . ack 1 win 
>1460 (DF)
>09:55:01.060259 198.147.14.60.45607 > 192.168.15.10.ftp: P 341:347(6) ack 
>2865 win 1460 (DF) [tos 0x10]
>09:55:01.060471 192.168.15.10.ftp > 198.147.14.60.45607: P 2865:2904(39) 
>ack 347 win 5792 (DF)
>09:55:01.060761 192.168.15.10.tftp-mcast > 198.147.14.60.39612: P 
>1:302(301) ack 1 win 5792 (DF) [tos 
>0x8]
>09:55:01.060801 192.168.15.10.ftp > 198.147.14.60.45607: P 2904:2928(24) 
>ack 347 win 5792 (DF)
>09:55:01.060843 192.168.15.10.tftp-mcast > 198.147.14.60.39612: F 
>302:302(0) ack 1 win 5792 (DF) [tos 
>0x8]
>09:55:01.062162 198.147.14.60.39612 > 192.168.15.10.tftp-mcast: . ack 302 
>win 17
>
> Why is SmartDefense NOT blocking "KNOWN PORTS"? So much for being
>"Smart"?
>
> Can someone explain this? Thanks.
>
>
>
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to [EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[EMAIL PROTECTED]
>=================================================


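The question the original post raises, why a "known ports" protection should matter for passive FTP at all, comes down to what a firewall sees in the PASV/PORT exchange: the negotiated data port, which it can compare against the registered service table and against the range the server is supposed to use. The Python below is an added example, not code from the thread or from Check Point. It parses the 227 reply shown in the session above into a port number, applies both checks, and pulls the data-channel destination ports out of the tcpdump lines quoted in the post. The KNOWN_PORTS table is a constructed subset of /etc/services limited to the names that appear in the trace, the 1520-1800 range is the one the poster configured in vsftpd.conf, and the function names are this example's own.

```python
import re

# Constructed subset of IANA-registered TCP service ports (a real /etc/services
# has thousands of entries). The names are the ones tcpdump printed in the trace.
KNOWN_PORTS = {
    20: "ftp-data",
    21: "ftp",
    1646: "sa-msg-port",
    1718: "h323gatedisc",
    1758: "tftp-mcast",
    1997: "gdp-port",
}
# Reverse map, so tcpdump's symbolic port names can be turned back into numbers.
PORT_BY_NAME = {name: port for port, name in KNOWN_PORTS.items()}

# h1,h2,h3,h4,p1,p2 as used by both the PASV reply (RFC 959 code 227) and PORT.
SIX_TUPLE = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^227\b.*?\(" + SIX_TUPLE + r"\)")
PORT_RE = re.compile(r"^PORT\s+" + SIX_TUPLE + r"\s*$", re.IGNORECASE)


def parse_data_endpoint(line):
    """Return the (host, port) a PASV reply or PORT command announces, or None.

    The port travels as two decimal bytes, port = p1 * 256 + p2, so
    "(192,168,15,10,6,16)" means 192.168.15.10 port 6*256+16 = 1552.
    """
    m = PASV_RE.match(line) or PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None  # every field is a single byte; anything larger is malformed
    host = ".".join(str(f) for f in fields[:4])
    return host, fields[4] * 256 + fields[5]


def check_data_port(port, pasv_range=(1520, 1800), known_ports=KNOWN_PORTS):
    """Return policy findings for a negotiated data port; an empty list means allowed.

    Two checks: the port must lie inside the passive range the FTP server is
    configured with (the post uses 1520-1800), and it must not be a registered
    service port, which is what a "known ports" protection refuses so that the
    FTP data channel cannot be steered onto another service.
    """
    findings = []
    lo, hi = pasv_range
    if not lo <= port <= hi:
        findings.append(f"port {port} outside configured passive range {lo}-{hi}")
    if port in known_ports:
        findings.append(f"port {port} is a known service port ({known_ports[port]})")
    return findings


# Classic tcpdump line for a SYN: "HH:MM:SS.usec src.sport > dst.dport: S ..."
SYN_RE = re.compile(r"^\S+\s+(\S+)\.(\S+) > (\S+)\.([^\s:]+): S\b")


def data_ports_from_trace(lines):
    """Destination ports of every client-initiated SYN in tcpdump output.

    SYN-ACKs carry " ack " and are skipped; symbolic names are resolved through
    PORT_BY_NAME, and names missing from the table come back as None.
    """
    ports = []
    for line in lines:
        m = SYN_RE.match(line)
        if not m or " ack " in line:
            continue
        dport = m.group(4)
        ports.append(int(dport) if dport.isdigit() else PORT_BY_NAME.get(dport))
    return ports


def audit_trace(lines, **policy):
    """Map each resolvable data port seen in the trace to its findings."""
    return {p: check_data_port(p, **policy)
            for p in data_ports_from_trace(lines) if p is not None}


# Sample input built from the trace quoted in the post; the last line (a numeric
# port, 1552 = the PASV reply above) is constructed to exercise the numeric path.
SAMPLE_TRACE = """\
09:52:05.917006 198.147.14.60.50586 > 192.168.15.10.h323gatedisc: S 3181618356:3181618356(0) win 5840 (DF)
09:52:05.917058 192.168.15.10.h323gatedisc > 198.147.14.60.50586: S 1475061600:1475061600(0) ack 3181618357 win 5792 (DF)
09:52:05.917998 198.147.14.60.50586 > 192.168.15.10.h323gatedisc: . ack 1 win 1460 (DF)
09:54:39.799188 198.147.14.60.59197 > 192.168.15.10.sa-msg-port: S 3337646170:3337646170(0) win 5840 (DF)
09:55:01.059062 198.147.14.60.39612 > 192.168.15.10.tftp-mcast: S 3363041828:3363041828(0) win 5840 (DF)
09:56:00.000000 198.147.14.60.40001 > 192.168.15.10.1552: S 1:1(0) win 5840 (DF)
""".splitlines()

if __name__ == "__main__":
    print(parse_data_endpoint("227 Entering Passive Mode (192,168,15,10,6,16)"))
    for port, findings in audit_trace(SAMPLE_TRACE).items():
        print(port, "allowed" if not findings else "; ".join(findings))
```

Run as a script it reports that 1718, 1646 and 1758 sit inside the configured passive range yet are registered service ports, which is the class of data connection a known-ports check exists to refuse, while 1552 passes both checks. Picking a passive range that avoids registered ports, or consciously exempting the ones in use, is how to keep the protection enabled without breaking transfers.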
