Simon,
You have run across the security feature that Checkpoint still won't publicly
release as a bug. Following is the unofficial patch that I have applied to
many firewalls with great success.
 
As of FW-1 V4, Checkpoint has added extra code to the ftp service object
that prevents data connections on some of the "Checkpoint defined" service
ports. Unfortunately, if the ftp server does not have these ports reserved, it
may attempt to use them. When FW-1 sees these ports being used it complains
and blocks the connection.

This is an example from the log:
 6:46:43 accept machine     >iprb1 proto tcp src 192.168.13.104 dst
ftp1.service.digital.com service ftp
 6:46:58 reject machine     >iprb2 proto tcp src www dst 192.168.10.213
service 3758 s_port ftp rule 0 reason: tried to open tcp service port, port:
RealSecure

Following is the fix for the intermittent FTP problems.

Make these modifications to your Firewall:
Disable the check for services in $FWDIR/lib/base.def. In FireWall-1
4.x, change the macro definition for NOTSERVER_TCP_PORT to:

#define NOTSERVER_TCP_PORT(p) ( p > 1024 )

Reload the ruleset.


Following is Checkpoint's response to the security ramifications of applying
the patch:

As far as security is concerned, the issue at hand is high ports. By
disabling our feature that prevents high port access for known services,
you essentially are allowing traffic to those ports for systems listening
on that port. In short, what this means is that if you have your
ftp server using some random high port on the SAME machine as another
server that uses a predefined high port (i.e. Oracle), then there could
be some chance that a hacker could get into the Oracle through the
ftp server, but even that is a very limited access to the predefined
server. To prevent this you would simply not want to run any predefined
service server ON your ftp server.

To clarify, in base.def:

Remove the code:
// ports which are dangerous to connect to
#define NOTSERVER_TCP_PORT(p) {
        (not
                (
                        ( p in tcp_services, set sr10 RCODE_TCP_SERV, set sr11 0,
                          set sr12 p, set sr1 0, log bad_conn)
                or
                        ( p < 1024, set sr10 RCODE_SMALL_PORT, set sr11 0, set sr12 p,
                          set sr1 0, log bad_conn)
                )
        )
};

Add the line:
// ports which are dangerous to connect to
// changed to all highports ok to prevent rule 0 drops
#define NOTSERVER_TCP_PORT(p) ( p > 1024 )



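As an added illustration of the check that this patch removes, here is a small Python model of NOTSERVER_TCP_PORT run over some constructed PORT commands, PASV replies and one "bad PORT command" log line. It is example code written for this page, not Check Point's INSPECT code or anything posted in the thread: the tcp_services table, the reason strings and the sample traffic are assumptions (the 3758/RealSecure pairing and the y*256+z port decoding are the ones visible in the thread), and the two check functions reproduce the stock macro and the `( p > 1024 )` replacement side by side.

```python
"""Model of FW-1 4.x NOTSERVER_TCP_PORT on FTP data-channel ports.

Added example for this page, not Check Point's base.def. It mirrors the
logic of the macro quoted in the thread so the effect of the patch can
be seen on sample PORT/PASV negotiations.
"""
import re
from typing import NamedTuple, Optional, Tuple

# Constructed stand-in for the firewall's tcp_services table. Real FW-1
# builds this from the service objects in the policy; the entries here are
# assumptions for the demo (3758 "RealSecure" is the pairing shown in the
# log excerpt, 1521 is the Oracle listener named in Check Point's reply).
TCP_SERVICES = {
    21: "ftp",
    23: "telnet",
    1521: "sqlnet1-1521",
    3758: "RealSecure",
}

# Stand-ins for the macro's RCODE_TCP_SERV / RCODE_SMALL_PORT reason codes.
RCODE_TCP_SERV = "tried to open tcp service port"
RCODE_SMALL_PORT = "tried to open port below 1024"

PORT_CMD = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_MSG = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
BAD_PORT_LOG = re.compile(r"bad PORT command:(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


class DataEndpoint(NamedTuple):
    host: str
    port: int


def decode_hostport(h1, h2, h3, h4, p1, p2) -> DataEndpoint:
    """RFC 959 h1,h2,h3,h4,p1,p2 -> (ip, p1*256 + p2), i.e. the y*256+z rule."""
    return DataEndpoint(f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2))


def ftp_data_endpoint(line: str) -> Optional[DataEndpoint]:
    """Data endpoint from a PORT command, a 227 PASV reply, or a FW-1
    'bad PORT command' log line; None if the line is none of these."""
    for rx in (PORT_CMD, PASV_MSG, BAD_PORT_LOG):
        m = rx.search(line)
        if m:
            return decode_hostport(*m.groups())
    return None


def notserver_tcp_port_original(p: int) -> Tuple[bool, Optional[str]]:
    """Stock 4.x macro: reject with a rule-0 reason when the port is a
    defined TCP service or below 1024, otherwise accept."""
    if p in TCP_SERVICES:
        return False, f"{RCODE_TCP_SERV}, port: {TCP_SERVICES[p]}"
    if p < 1024:
        return False, f"{RCODE_SMALL_PORT}, port: {p}"
    return True, None


def notserver_tcp_port_patched(p: int) -> Tuple[bool, Optional[str]]:
    """The thread's unofficial patch: `( p > 1024 )` and nothing else."""
    if p > 1024:
        return True, None
    return False, f"{RCODE_SMALL_PORT}, port: {p}"


def evaluate(line: str, check=notserver_tcp_port_original) -> dict:
    """Apply a NOTSERVER_TCP_PORT variant to one control-channel/log line."""
    ep = ftp_data_endpoint(line)
    if ep is None:
        return {"line": line, "endpoint": None, "accept": True,
                "reason": "not a data-channel negotiation"}
    ok, why = check(ep.port)
    return {"line": line, "endpoint": ep, "accept": ok, "reason": why}


# Constructed sample traffic: four control-channel lines and one log line.
SAMPLE = [
    "PORT 192,168,13,104,16,12",                    # 4108: ordinary high port
    "PORT 192,168,13,104,14,174",                   # 3758: collides with "RealSecure"
    "227 Entering Passive Mode (10,1,1,5,5,241)",   # 1521: Oracle listener
    "227 Entering Passive Mode (10,1,1,5,0,80)",    # 80: below 1024
    "bad PORT command:192,168,10,213,14,174",       # the kind of REJECT Simon saw
]

if __name__ == "__main__":
    for line in SAMPLE:
        stock = evaluate(line)
        patched = evaluate(line, notserver_tcp_port_patched)
        port = stock["endpoint"].port if stock["endpoint"] else "-"
        print(f"{line!r:48} port={port:>5} "
              f"stock={'accept' if stock['accept'] else 'REJECT'} "
              f"patched={'accept' if patched['accept'] else 'REJECT'}")
```

Running it shows the trade-off in the reply: 3758 and 1521 go from REJECT to accept once the service-table test is gone, which is exactly the exposure Check Point describes, while ports below 1024 are still dropped. Note that `( p > 1024 )` also rejects port 1024 itself, which the stock macro's `p < 1024` test lets through; that is a harmless difference, but worth knowing if you ever see 1024 in a rule-0 drop.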
-----Original Message-----
From: Simon Churcher [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 17 May 2000 2:49
To: Firewall-1 (E-mail)
Subject: [FW1] HELP! FTP problem ... base.def issue?



Hi,

I have been getting some REJECT  "bad PORT command:x,x,x,x,y,z" error
messages in the Firewall log during FTP'ing.

This appeared to happen randomly until I had gathered quite a few ...

it turns out that y*256+z = PORT number (thanks Phoneboy site) ... 

What I have deduced is that the reject occurs if a passive FTP transfer is
attempted where the port used for the passive transfer is one of the
services defined in the services objects.

I have looked in base.def and I found the following section that could be
relevant:

#define ftp_accept_port \
                r_cdir = 1, dport = SERV_ftp or origdport = SERV_ftp, tcp, \
                IS_PORT_CMD, set sr1 FTPPORT(0), \
                direction = 1 or FTPPORT_ANTICIPATE(sr1), \
                set sr1 FTPPORT(FTPPORT_MATCH), sr1 != 0 or (WRONG_HOST_LOG,reject), \
                NOTSERVER_TCP_PORT(sr1) or reject, \
                direction = 0 or FTPPORT_ANTICIPATE(sr1), \
                ( \
                        ftp_accept_port_enc(sr1) \
                ) or ( \
                        ftp_accept_port_clear(sr1) \
                ), \
                accept_fwz_as_clear(r_ctype)

#define ftp_record_pasv \
                r_cdir = 2, tcp, IS_PASV_MSG, \
                sport = SERV_ftp or sport = auth_services[SERV_ftp,ip_p], \
                set sr1 FTPPORT(0), \
                direction = 1 or FTPPASV_ANTICIPATE(sr1), \
                set sr1 FTPPORT(FTPPORT_MATCH), sr1 != 0 or (WRONG_HOST_LOG,reject), \
                NOTSERVER_TCP_PORT(sr1) or reject, \
                direction = 0 or FTPPASV_ANTICIPATE(sr1), \
                record <dst,FTP_MAGIC,src,sr1,ip_p;DUP_KEY(r_ckey),r_ctype,r_cflags> in pending, \
                FTP_TRACK_DATA_CONN(sr1, FTP_MAGIC, PENDING_TIMEOUT), \
                accept_fwz_as_clear(r_ctype)

Does anyone know if the above code is responsible and how to modify it ?

I am running FW-1 4.1 (SP1) on Solaris 7, management on NT4 (SP5).

I would greatly appreciate any feedback.

kind regards,

simon

______________________
Simon Churcher
Infrastructure Development Engineer
Standard and Poor's Fund Services
Direct: +44 (020) 8938 7393
Fax: +44 (020) 8938 7282
Email: [EMAIL PROTECTED]


AlphaWest Disclaimer
---------------------------------------------------------------------------
If this communication is not intended for you and you are not an authorised
recipient of this email you are prohibited by law from dealing with or
relying on the email or any file attachments. This prohibition includes
reading, printing, copying, re-transmitting, disseminating, storing or in
any other way dealing or acting in reliance on the information.
If you have received this email in error, we request you contact AlphaWest
immediately by returning the email to [EMAIL PROTECTED] and
destroy the original. This email is confidential and may contain privileged
client information. AlphaWest has taken reasonable steps to ensure the
accuracy and integrity of all its communications, including electronic
communications, but accepts no liability for materials transmitted.
---------------------------------------------------------------------------


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
