Yeah, it's a weird message for sure. "tried to open a known service port" -
Near as I can figure, if you have a service defined as using a specific
port, something trying to connect to that port will trip this block. It may
have been a relevant defense tactic when firewalls only had a few ports
defined, but it sure causes problems now for everything above 1023.
We hit it when we were using Outlook through FW-1. It uses random high ports
to communicate with Exchange. We would keep seeing this drop intermittently
in the logs when Outlook picked a random port that was defined as a service
on the firewall.
I suspect Lindsay is correct; this is a protection that got moved into
SmartDefense when it originally wasn't there.
Ray
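An added example (mine, not code from the thread or from Check Point) that parses log lines of the form quoted in the original post and groups the rule-less "known service port" drops by the service object the client's random port collided with. The service-to-port table, the sample lines and the ICKiller port number are constructed placeholders, not the firewall's real definitions.

```python
from collections import Counter

# Constructed service-object table (name -> TCP port), standing in for the services
# defined on the firewall. 7000 is a placeholder for ICKiller, not Check Point's value.
SERVICE_PORTS = {"ICKiller": 7000, "http": 80}

KNOWN_SERVICE_REASON = "tried to open a known service port"

# Constructed FW-1 style log lines; the first mirrors the message quoted in the thread.
SAMPLE_LOGS = [
    "reason: tried to open a known service port,;protocol:tcp; port_svc: ICKiller",
    "rule: 7; action: accept; protocol:tcp; port_svc: http",
    "reason: tried to open a known service port,;protocol:tcp; port_svc: ICKiller",
    "reason: tried to open a known service port,;protocol:tcp; port_svc: http",
]


def parse_log_line(line):
    """Split a 'key: value;' style FW-1 log line into a dict, tolerating the
    stray comma that appears after the reason text."""
    fields = {}
    for part in line.split(";"):
        if ":" not in part:
            continue
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip().rstrip(",").strip()
    return fields


def collision_report(lines, service_ports=SERVICE_PORTS):
    """Count the drops that carry the Dynamic Ports reason and no rule number,
    keyed by the service object named in port_svc. Returns {svc: (port, count)}."""
    hits = Counter()
    for line in lines:
        f = parse_log_line(line)
        if f.get("reason") != KNOWN_SERVICE_REASON or "rule" in f:
            continue
        hits[f.get("port_svc", "?")] += 1
    return {svc: (service_ports.get(svc), n) for svc, n in hits.items()}


def ephemeral_collisions(report):
    """Services from the report whose port is above 1023, i.e. one a client OS can
    legitimately hand out as a dynamic port (the Outlook-to-Exchange case above)."""
    return sorted(svc for svc, (port, _) in report.items()
                  if port is not None and port > 1023)


if __name__ == "__main__":
    rep = collision_report(SAMPLE_LOGS)
    print(rep, ephemeral_collisions(rep))
```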
From: Lindsay Hill <lindsay.k.hill AT GMAIL DOT COM>
Reply-To: Mailing list for discussion of Firewall-1
<FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Firewall dropping packets
Date: Fri, 23 Dec 2005 17:26:13 +0000
Doesn't matter what your logs say they were generated by, Ray's solution
is the correct one. It is SmartDefense. It may not say that, since that
particular protection/setting has been around for a while, possibly (can't
quite remember) from before SmartDefense was called that.
On 23 Dec 2005, at 13:15, Tauseef Khan wrote:
Thanks Ray
That's definitely helped, but quite surprisingly these logs weren't
generated by SmartDefense, rather they were generated by VPN1&Firewall1.
Any ideas?
Kind regards
Tauseef
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Ray
Sent: 22 December 2005 19:33
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Firewall dropping packets
It's a SmartDefense drop. You have to change SmartDefense to allow
connections to all ports,
Network Security
Dynamic Ports
Select the top radio button
Ray
From: Tauseef Khan <Tauseef_Khan AT 3I DOT COM>
Reply-To: Mailing list for discussion of Firewall-1
<FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Firewall dropping packets
Date: Thu, 22 Dec 2005 15:45:48 -0000
I am getting the following error message in the firewall logs with no
rule number against it. Any ideas?
"reason: tried to open a known service port,;protocol:tcp; port_svc:
ICKiller"
Kind regards
*************************************************
For addressee only. No legally binding commitments will be created by
this e-mail message. Where we intend to create legally binding
commitments these will be made through hard copy correspondence or
documents.
3i Investments plc
Registered office: 91 Waterloo Road
London SE1 8XP
Registered no:3975789
Authorised and Regulated by the Financial Services Authority
If you are not the intended recipient it may be unlawful for you to read,
copy, distribute, disclose or otherwise use the information in this
e-mail. If you are not the intended recipient please contact us
immediately. E-mail may be susceptible to data corruption, interception
and unauthorised amendment, and we do not accept liability for any such
corruption, interception or amendment or the consequences thereof.
3i is committed to following policies which protect your privacy and
comply with current international data protection laws and regulations in
respect of personal data. Further details of these policies can be found
at www.3i.com.
*************************************************
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================