CPUG

The Check Point User Group



#1
2005-08-14, roadrunner (Senior Member; joined 2005-08-12; 162 posts)

Remedy's call tracking software; RPC
I have a customer who is using Remedy's call tracking software internally, but it needs to be accessed by a single external site. Here is what happens:

-> The client (external) initiates contact with an RPC request on port 111 (Sun RPC?)

-> The server (internal) responds to the client with an RPC response saying to connect with TCP on one of several ports between (usually) 626 and 636.

-> The client then sends a TCP packet to that port. FW-1, of course, blocks the incoming TCP packet.

Is there some way to get FW-1 to recognize the TCP packet as a response to the RPC? Alternatively, is there a way to define a service that will permit these packets to pass without opening the whole range to TCP addresses?

What you just described is pretty much a generic RPC service. RPC programs don't normally use a fixed port. Rather, at start-up time, each RPC program sends its program number and version number to the portmapper, which will reply with a port number to which the calling RPC program can connect. FireWall-1 is capable of detecting the reply from the portmapper and will be able to dynamically open that port only for the duration of the RPC connection.

What you need to do is to define a new RPC service, then use that service in a rule base. FireWall-1 will handle the port issue automatically. To define an RPC service, you will need to know the program number and version number. Check with the vendor of the software that makes the RPC call for those numbers. Usually they are available in the installation instructions; look under the section where the user is asked to modify the /etc/services file.

Example: a user wants to use an RPC service with the following characteristics:

    Program number: 10897654
    Version number: 1

The user wants to allow the external machine 192.75.23.4 to connect to the internal machine 178.43.5.7, and will need to perform the following steps:

1. Add a new service object called remedy-rpc (type RPC, program number 10897654, version number 1).
2. Add a network object called 'external-client' with IP 192.75.23.4.
3. Add a network object called 'internal-server' with IP 178.43.5.7.
4. Add the following rule to the current rule base:

    Source           Destination      Service      Action
    external-client  internal-server  remedy-rpc   accept

5. Install the new rule base.
-- GuyR - 18 Jan 2004
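The portmapper exchange the answer above relies on, as an added worked example that is not part of the original post and is not Check Point's code: it builds the PMAPPROC_GETPORT call the client sends to port 111, the reply the server's portmapper returns, and a model of the decision a stateful firewall makes from the pair (open exactly the returned port for the connection, and nothing when the program is not registered or not permitted by a rule). Program number 10897654 and version 1 are taken from the post; the registration on TCP port 630 is constructed for the example (it sits inside the 626-636 range the question mentions), and the firewall logic is a model of the behaviour the answer describes, not FireWall-1's implementation.

```python
"""Sun RPC v2 portmapper GETPORT exchange, as a firewall would see it.

Added example (not from the CPUG post or from Check Point): models the
call on port 111 and the reply that carries the dynamic port, then the
decision a stateful firewall makes from the pair.  Program 10897654 /
version 1 come from the post; the port 630 registration is constructed.
"""
import struct

# Portmapper identity (RFC 1833) and RPC v2 message constants (RFC 5531).
PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
RPC_VERSION = 2
RPC_CALL, RPC_REPLY = 0, 1
MSG_ACCEPTED, SUCCESS, AUTH_NULL = 0, 0, 0
IPPROTO_TCP, IPPROTO_UDP = 6, 17

# Constructed registration table standing in for the Remedy host's portmapper:
# (program, version, protocol) -> port.  630 is inside the 626-636 range from the post.
REGISTRATIONS = {(10897654, 1, IPPROTO_TCP): 630}


def _pad4(n):
    """XDR opaque data is padded to a 4-byte boundary."""
    return (n + 3) & ~3


def build_getport_call(xid, prog, vers, proto):
    """Client side: PMAPPROC_GETPORT call as sent over UDP/111 (no TCP record mark)."""
    header = struct.pack(">IIIIII", xid, RPC_CALL, RPC_VERSION,
                         PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    cred = verf = struct.pack(">II", AUTH_NULL, 0)       # opaque_auth: flavor, empty body
    mapping = struct.pack(">IIII", prog, vers, proto, 0)  # port field is ignored on lookup
    return header + cred + verf + mapping


def parse_getport_call(data):
    """Return (xid, prog, vers, proto) from a GETPORT call, rejecting anything else."""
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">IIIIII", data[:24])
    if (mtype, rpcvers, prog, vers, proc) != (RPC_CALL, RPC_VERSION, PMAP_PROG,
                                              PMAP_VERS, PMAPPROC_GETPORT):
        raise ValueError("not a portmapper GETPORT call")
    off = 24
    for _ in range(2):  # skip credential and verifier, each a length-prefixed opaque
        _flavor, blen = struct.unpack(">II", data[off:off + 8])
        off += 8 + _pad4(blen)
    m_prog, m_vers, m_proto, _ = struct.unpack(">IIII", data[off:off + 16])
    return xid, m_prog, m_vers, m_proto


def build_getport_reply(xid, port):
    """Server side: accepted reply whose result is the port (0 = not registered)."""
    return (struct.pack(">III", xid, RPC_REPLY, MSG_ACCEPTED)
            + struct.pack(">II", AUTH_NULL, 0)            # verifier
            + struct.pack(">II", SUCCESS, port))


def parse_getport_reply(data, expected_xid):
    """Return the port from a reply, insisting that it answers our xid and was accepted."""
    xid, mtype, reply_stat = struct.unpack(">III", data[:12])
    if xid != expected_xid or mtype != RPC_REPLY or reply_stat != MSG_ACCEPTED:
        raise ValueError("reply does not match the call or was denied")
    _flavor, vlen = struct.unpack(">II", data[12:20])
    off = 20 + _pad4(vlen)
    accept_stat, port = struct.unpack(">II", data[off:off + 8])
    if accept_stat != SUCCESS:
        raise ValueError("portmapper returned accept_stat %d" % accept_stat)
    return port


def portmapper_answer(call):
    """Model of the server's portmapper: answer from REGISTRATIONS, 0 when unknown."""
    xid, prog, vers, proto = parse_getport_call(call)
    return build_getport_reply(xid, REGISTRATIONS.get((prog, vers, proto), 0))


def firewall_pinhole(call, reply, allowed_services):
    """Model of the firewall's decision: open (proto, port) only when the call asked
    for a program/version that a rule permits and the reply names a real port."""
    xid, prog, vers, proto = parse_getport_call(call)
    if (prog, vers) not in allowed_services:
        return None
    port = parse_getport_reply(reply, xid)
    return (proto, port) if port != 0 else None


def lookup(prog, vers, proto, allowed_services=frozenset({(10897654, 1)}), xid=0x1234ABCD):
    """Run the whole exchange and return the pinhole the firewall would open."""
    call = build_getport_call(xid, prog, vers, proto)
    return firewall_pinhole(call, portmapper_answer(call), allowed_services)


if __name__ == "__main__":
    print(lookup(10897654, 1, IPPROTO_TCP))   # (6, 630): remedy-rpc, open TCP/630 for this connection
    print(lookup(10897654, 1, IPPROTO_UDP))   # None: nothing registered for UDP
    print(lookup(100003, 2, IPPROTO_TCP))     # None: NFS is not in the rule, nothing opened
```

The two checks in firewall_pinhole are the ones that matter in practice: the reply must carry the xid of the call the firewall saw (so an unsolicited "reply" cannot open a port), and the program/version in the call must match a service object in the rule base, which is why the answer insists on knowing the exact numbers. On the server itself, rpcinfo -p lists the registered program numbers, versions and current ports, which is a quicker way to confirm the numbers than the vendor's installation guide.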


