Troubleshooting guide

Chapter 7 Troubleshooting Security Servers and Content Security
Resolving Common FTP security server problems
Advanced Technical Reference Guide 4.1 June 2000 67
1. Delete the FireWall-1 service(s) that are causing the problem. This is the easiest solution, but is not always feasible. (The pre-defined high-port TCP services are listed below.)
2. Delete the FireWall-1 service(s) that are causing the problem, and recreate them as a service of type 'Other'. That way FireWall-1 will not see them as known TCP services. Please see this link for information on how to do this:
How to manually define a TCP port range
3. Modify base.def to keep FireWall-1 from comparing against these known services. Always back up any file before modifying it, and make sure you use a UNIX-based editor such as vi to edit this file: NT editors place carriage return / line feed pairs at the end of each line. If you are editing base.def on an NT machine, use edit.com from the command prompt rather than Notepad or WordPad.
Make this modification to $FWDIR/lib/base.def on the Management server, then stop and start the FireWall and re-install the Rule Base.
Original base.def:

    // ports which are dangerous to connect to
    define NOTSERVER_TCP_PORT(p) {
        (not
            (
                ( p in tcp_services, set sr10 RCODE_TCP_SERV, set sr11 0, set sr12 p, set sr1 0, log bad_conn)
                or
                ( p < 1024, set sr10 RCODE_SMALL_PORT, set sr11 0, set sr12 p, set sr1 0, log bad_conn)
            )
        )
    };
is changed to:
    // ports which are dangerous to connect to
    define NOTSERVER_TCP_PORT(p) {
        (not
            ( p < 1024, set sr10 RCODE_SMALL_PORT, set sr11 0, set sr12 p, set sr1 0, log bad_conn)
        )
    };
You need to re-install the policy for the changes to take effect.
List of pre-defined high-port TCP services:
1235 vosaic-ctrl
1352 lotus
1494 Winframe
1503 T.120 (NetMeeting)
1521 sqlnet
1525-1526 sqlnet2
1570-1571 Orbix
1720 H323 (iphone)
1723 pptp
1755 NetShow
2000 OpenWindows
2049 nfsd-tcp
2299 PCtelecommute
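To make the effect of the base.def edit concrete, here is an added Python model (not Check Point's code) of the NOTSERVER_TCP_PORT macro before and after the change, run against the pre-defined services listed above. The PASV-reply parser, the sample replies and the use of the RCODE names as return labels are assumptions for illustration.

```python
import re

# Pre-defined high-port TCP services from the list above (port -> name). The
# real tcp_services table also holds every other TCP service object in the
# Rule Base; this subset is enough to show the effect of the edit.
TCP_SERVICES = {
    1235: "vosaic-ctrl", 1352: "lotus", 1494: "Winframe", 1503: "T.120",
    1521: "sqlnet", 1525: "sqlnet2", 1526: "sqlnet2", 1570: "Orbix",
    1571: "Orbix", 1720: "H323", 1723: "pptp", 1755: "NetShow",
    2000: "OpenWindows", 2049: "nfsd-tcp", 2299: "PCtelecommute",
}

def notserver_tcp_port(port, known_check=True, tcp_services=TCP_SERVICES):
    """Model of NOTSERVER_TCP_PORT. Returns (ok, rcode): ok=True means the
    port passes and the data connection may be opened to it; otherwise rcode
    is the sr10 value the macro sets before 'log bad_conn'.
    known_check=True is the original base.def, False the modified one
    (the 'p in tcp_services' clause deleted)."""
    if known_check and port in tcp_services:
        return False, "RCODE_TCP_SERV"
    if port < 1024:
        return False, "RCODE_SMALL_PORT"
    return True, None

def pasv_port(reply):
    """Port announced in an FTP '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'
    reply (assumed input form; port = p1*256 + p2). None if malformed."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        return None
    p1, p2 = int(m.group(5)), int(m.group(6))
    return None if p1 > 255 or p2 > 255 else p1 * 256 + p2

def compare(ports):
    """Per port: (verdict of original macro, verdict of modified macro)."""
    return {p: (notserver_tcp_port(p, True)[0], notserver_tcp_port(p, False)[0])
            for p in ports}

if __name__ == "__main__":
    # Constructed sample replies: one lands on sqlnet (1521), one on a free port.
    samples = ["227 Entering Passive Mode (10,1,1,5,5,241)",    # 5*256+241 = 1521
               "227 Entering Passive Mode (10,1,1,5,156,64)"]   # 156*256+64 = 40000
    for port, verdict in compare([pasv_port(s) for s in samples] + [80]).items():
        print(port, verdict)   # 1521 (False, True) / 40000 (True, True) / 80 (False, False)
```

Note that option 3 removes the known-service check for every port, not only for the services causing the problem, whereas options 1 and 2 confine the change to those specific services; the macro's own comment marks these ports as "dangerous to connect to", so prefer the narrower fix where it is feasible.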