I have a Solaris 2.6 box running FW-1 40 SP6. I have set as one of my rules
this:
Internal Nets ----> Any Services Accept Long
The "Services" group contains stuff I want to track as they leave. Two of
those items are the built-in Real Audio and rtsp services.
Since I started using them, whenever someone tries to access an RTSP-based
service (RealAudio 7/8 or Streaming QuickTime), I see a successful outbound
connection logged by the above rule which is immediately followed by a
reject sourced from the internal interface as violating rule 0. It logs the
following info:
"reason: tried to open udp service port, port 6970"
Now I know that the inbound traffic is RTP and that it normally uses a range
of 6970 to 6999. I allow that service in, so the question in all this is
why is FW-1 shutting it down, especially on rule 0?
As a side note, if I make up my own RTSP service and use that instead, then
RTSP/RTP works fine. I see that the built-in Real Audio and rtsp service
have special prologs in them and I suspect that's where the supposed
violation of rule 0 is happening, but why would it do that? What's the
sense of having these services if it's just going to kill them, or is that
the whole point of them? I suppose I could try and decode the INSPECT
code... but who has that kind of time?
---------------------------------------------------------------------
Jason Gross
Network & Communications Services
Platform Engineering & Operations Services
United Space Alliance
[EMAIL PROTECTED]
V: (321) 799-6601 F: (321) 799-5970
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
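To work out which sessions are hit by the behaviour described above (an accept immediately followed by a rule 0 UDP reject for the return stream), the following script correlates the two records. It is an added example, not code from the original post or from Check Point; the log lines and the semicolon-separated layout are constructed for this example and only loosely resemble a text log export, and the addresses and interface names are made up.

```python
"""Pair FW-1 accept records with the rule-0 UDP rejects that follow them.

Constructed sample in a simplified, semicolon-separated layout (assumed for
this example; a real export has more fields and a different order).
"""
from datetime import datetime, timedelta

# Constructed sample: an accepted RTSP control connection (tcp/554) whose
# return RTP stream is then rejected by rule 0, a second accept with no
# reject, and an unrelated rule-0 reject that must NOT be correlated.
SAMPLE_LOG = """\
12Feb2001;10:15:01;fw1;log;accept;hme0;inbound;tcp;10.1.1.25;203.0.113.5;554;rule=7
12Feb2001;10:15:01;fw1;log;reject;hme1;inbound;udp;203.0.113.5;10.1.1.25;6970;rule=0;reason=tried to open udp service port, port 6970
12Feb2001;10:15:03;fw1;log;accept;hme0;inbound;tcp;10.1.1.30;203.0.113.5;554;rule=7
12Feb2001;10:15:40;fw1;log;reject;hme1;inbound;udp;198.51.100.9;10.1.1.77;161;rule=0;reason=tried to open udp service port, port 161
"""

RTP_RANGE = range(6970, 7000)   # 6970-6999, the RTP range named in the post
WINDOW = timedelta(seconds=5)   # a reject this close to an accept is treated as its return stream

def parse(line):
    """Split one constructed log line into a record dict."""
    f = line.split(";")
    ts = datetime.strptime(f[0] + " " + f[1], "%d%b%Y %H:%M:%S")
    rec = {"ts": ts, "action": f[4], "iface": f[5], "proto": f[7],
           "src": f[8], "dst": f[9], "dport": int(f[10]),
           "rule": int(f[11].split("=", 1)[1])}
    rec["reason"] = f[12].split("=", 1)[1] if len(f) > 12 else ""
    return rec

def correlate(text, window=WINDOW):
    """Return (internal_host, server, udp_port, in_rtp_range) for every rule-0
    'tried to open udp service port' reject that arrives within `window` of an
    accepted connection from that internal host to that server."""
    recs = [parse(l) for l in text.splitlines() if l.strip()]
    accepts = [r for r in recs if r["action"] == "accept"]
    hits = []
    for r in recs:
        if r["action"] != "reject" or r["rule"] != 0 or r["proto"] != "udp":
            continue
        if "tried to open udp service port" not in r["reason"]:
            continue
        for a in accepts:   # reject src/dst are the accept's dst/src, reversed
            if (a["src"] == r["dst"] and a["dst"] == r["src"]
                    and timedelta(0) <= r["ts"] - a["ts"] <= window):
                hits.append((r["dst"], r["src"], r["dport"], r["dport"] in RTP_RANGE))
                break
    return hits

if __name__ == "__main__":
    for host, server, port, ok in correlate(SAMPLE_LOG):
        print(f"{host} -> {server}: return udp/{port} rejected by rule 0"
              f" ({'inside' if ok else 'outside'} 6970-6999)")
```

Each reported pair identifies an accepted session whose return stream the built-in service's prolog dropped, which narrows the comparison between the built-in RealAudio/rtsp services and a hand-made RTSP service to the exact sessions affected.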