Any does not mean Any Service

[BarryStiefel]

Any does not mean Any Service



There are some services that will not work for an "Any," this is correct. These are services that require calls to INSPECT code within FireWall-1 to work correctly. They will not be properly allowed without an explicit reference to the service in the rulebase or without being properly enabled in Policy Properties.





In NG, each service defined in the GUI has an option labeled "Match for Any" in the advanced properties. If this property is checked, the service will be included in "Any." Services that do not have this checked will not be included in the "Any" definition.

The following is a non-exhaustive list of services in FireWall-1 4.1 and earlier that will require explicit rules with the explicit service to be allowed correctly (i.e. "any" will not allow these services) which was derived from a cursorary look at the INSPECT files inlcuded in $FWDIR/lib:

• FTP
• RPC
• sunRSH
• REXEC
• VDLLive
• Real Audio
• RTSP
• SQL*Net2
• FreeTel
• CoolTalk
• H.323
• NetShow
• Winframe
• Backweb
• IIOP
• CVP
• RTSP
• X11

-- GuyR - 15 Jan 2004

FAQForm FAQs.Class: ServicesFAQs FAQs.OS: FAQs.Version:

[stephan411]

Hallo,

Could it be, that the service SNMP and SIP is missing in your list?

[chillyjim]

This from support....

“Any” service means every port (known, defined, unknown, or undefined) when used in the rulebase. Otherwise, “any, any, any, any, drop” rule would be completely worthless.



However, there are various reasons why a packet may get dropped despite having a single any,any,any,any,accept rule in the rulebase. These reasons vary from version to version and hotfix to hotfix primarily because these versions can include new deep-level application inspect (service dropped by SmartDefense protocol enforcement such as SIP drop when encapsulated in http).

Some common reasons for drop packets despite “any-accept” rule:

- Protocol enforcement (i.e. port 80 really is http traffic)

- IP Options flags exist on the IP header and is dropped before rulebase (i.e. PIM multicast traffic in version 4.1)

- (Rare) Limitation in Firewall, Acceleration, QOS, or Clustering implementation that see the traffic as invalid (usually quickly fixed in a later HFA or SHF)

- TCP out of state (asymmetric routing problems or long delays that allow tcp start timeout to expire before syn-ack)

- UDP or undefined service out of state caused by bi-directional data traffic

- Complex code required for NAT and other functions but proper inspect is not being called by “any” rule (mentioned by Adam)

o this can happen when more than one service of a specific port # is defined with “match for any” checked

o or, if “match for any” checkbox was removed from an important service definition and other duplicate service objects exist with less complex inspect code calls

o or, if a new service was defined and selected as “match for any” which negates the inspect code of other pre-defined services. An example of this would be manually creating a tcp service for port 135 and configuring it for “match for any”. This would potentially prevent the portmap service from properly matching the dce-rpc code uuid’s defined in the dce-rpc pre-defined services.



In short, because the list of reasons is dynamic from one version to the next and can be very specific to unpredictable customer mis-configurations, it is not practical to try to compile a complete list and keep it up-to-date.

[mentalscout]

very informative. i have soe questions, however.

I have a client running an Avaya IP Agent v6 who authenticates into the firewall using securemote. They then use the IP phone to place a phone call. The service worked fine with r54, but is not supported with NGX. My client recently upgraded the firewall from r54 to NGX. If I follow you correctly, I should go into the firewall and explicitly check the "Match for any" check box on all H.323 services, correct?

Thanks,

Paul-

[chillyjim]

Try the H323_any service first.

[zencoder]

Quote:

Originally Posted by chillyjim

This from support....

“Any” service means every port (known, defined, unknown, or undefined) when used in the rulebase. Otherwise, “any, any, any, any, drop” rule would be completely worthless.

So now I'm confused. Which is it? "Any" means anything that is marked to be included in "Any" (as the original FAQ entry indicates), or is it a catch-all wildcard, true common definition of the english word "Any" (as stated by ChillyJim)?

http://www.webster.com/cgi-bin/dictionary?va=any

Sorry, not trying to be an ass, but the answers seem to be contradictory.

[Lackie]

From my understanding, if you are only using ANY for the service, it will work as 'Anything'. If you have other rules with specific services then the ANY will not work the same way and only allow services that have the Mark for Any in their properties.

[tnkflx]

Is there an easy way (so not viewing every service individually...) to get a list of all services that are no included in the "Any" service?

The 'script' listed on the CP site doesn't work:

more ServerName | queryDB_util | awk '/Object Name/ {host=$3} /include_in_any/ {print host,":"$2}'

Setup:
Provider-1 -> CMA -> FW-1

[tnkflx]

Found it, I first have to do "mdsenv <ip of CMA>" on the CMA itself...