I think someone said you could use a proxy for this,
you could also use an SMTP resource, either way your
edge router will have to allow traffic from the
specific (or all) ports from the source.

From memory (and it is bad), you can proxy the content
off the firewall. I have set this up before to address
the same problem but understand all repercussions of
what you are doing. Use a resource and:

under general:
- use wildcard match
- set up rest as required
under match:
- set up as required
- host: *:* for matching any port or, (now check on
this), *:{80,81,8080,... etc} for specific ports, note
the curly brackets.
- Path: *
- URI: *

Should handle similar to a proxy. As a side note - I
always prefer a separate proxy in a DMZ to FW1
resource though, only using resources for CVP etc
through the inside interfaces to or from a DMZ proxy.

You may have to set the firewall as the proxy in the
browsers (general:transparent option may fix that), or
use proxy forwarding if you have another already
operational inside the firewall. Note that FW is not a
cache proxy, only protocol. 


Hope this helps,
Bob

--- "McCammon, Keith" <[EMAIL PROTECTED]>
wrote:
> 
> That's a pretty strange situation you've got on your
> hands.  At some point I
> think that you need to draw the line or perhaps look
> into getting some type
> of justification for this.  I've run networks with
> upwards of 3000 users and
> *never once* have I had a request to access a
> website (through a firewall)
> on any port other than 80 or 8080.  My opinion:
> sneaky users or suspect web
> sites.
> 
> Keith
> 
> -----Original Message-----
> From: Greg Winkler
> [mailto:[EMAIL PROTECTED]]
> Sent: Monday, July 16, 2001 3:34 PM
> To: [EMAIL PROTECTED]
> Subject: [FW1] Do you allow http to ports other than
> 80?
> 
> 
> 
> 
> Recently I've been bombarded by requests from my
> users to gain access to
> websites outside the company that run on ports other
> than 80. Off the top
> of my head I recall sites running on 9022, 8095, 81,
> 89, 8081, 8080, and
> I'm sure I've forgotten a few. Up until today I
> could never get them to
> work. I've just learned that, YES, it is possible to
> allow this on a
> firewall by creating a new service with a protocol
> type set to URI and by
> adding a line to fwauthd.conf of the format
> 
> port#         in.ahttpd       wait    0
> 
> It was the update to fwauthd.conf that had me
> stymied.
> 
> My only objection now is that each of these new
> ports requires another http
> security server process to monitor it. I'd just as
> soon not have a million
> security servers running on my firewall to support a
> very small community
> of users who need access to these oddball websites.
> 
> Just what is it with these website admins? Why must
> they run their sites on
> odd port numbers? What's scary is that some of the
> sites are running on
> ports that have been assigned to other services.
> What the heck is one to do
> when the web-site conflicts with the legitimate use
> of that port?
> 
> I feel like making a stand...."Just say NO to
> websites that don't run on
> port 80". But it appears I will just get stampeded.
> Do you allow access to
> these sites where you work?
> 
> ----------------------------------------------------------------------------------------
> 
> Greg Winkler
> Systems Manager, IT&S
> Huntsman Corporation
> Internet Mail: [EMAIL PROTECTED]
> Voice: (713) 235-6018
> Fax: (713) 235-6890
> 
> 
> 
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
> 
> 
> 
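
An added example (not part of the original thread, and not Check Point's code): a small Python audit of fwauthd.conf lines in the format Greg quotes, reporting which ports have an in.ahttpd HTTP security server bound to them. The sample file contents, the `#` comment handling and the choice of 80 and 8080 as the usual set are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample in the format quoted in the thread:
#   port#   in.ahttpd   wait   0
SAMPLE_FWAUTHD_CONF = """\
# constructed sample, not taken from a real firewall
21      in.aftpd        wait    0
80      in.ahttpd       wait    0
8080    in.ahttpd       wait    0
81      in.ahttpd       wait    0
9022    in.ahttpd       wait    0
23      in.atelnetd     wait    0
bogus line
"""

# Assumption: the ports Keith describes as the only ones ever requested.
USUAL_HTTP_PORTS = {80, 8080}


def parse_fwauthd(text):
    """Return (entries, rejected); entries are (port, daemon) tuples."""
    entries, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Assumption: '#' starts a comment; blank lines are ignored.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            port = int(fields[0])
            daemon = fields[1]
        except (ValueError, IndexError):
            rejected.append((lineno, raw))
            continue
        if not 0 < port < 65536:
            rejected.append((lineno, raw))
            continue
        entries.append((port, daemon))
    return entries, rejected


def http_listener_report(text):
    """Summarise the HTTP security server listeners declared in the file."""
    entries, rejected = parse_fwauthd(text)
    http_ports = sorted(p for p, d in entries if d == "in.ahttpd")
    counts = Counter(p for p, _ in entries)
    return {
        "http_ports": http_ports,
        "unusual": [p for p in http_ports if p not in USUAL_HTTP_PORTS],
        "duplicate_ports": sorted(p for p, n in counts.items() if n > 1),
        "rejected": rejected,
    }
```

Each port in `http_ports` corresponds to one more HTTP security server process, which is the overhead Greg objects to; `unusual` is the list worth asking users to justify.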

