Service-Related Questions

By design, firewalls restrict the use of certain services. Some services are more problematic than others. The following FAQs relate to the use of certain services through FireWall-1.

6.15 Why Doesn't Windows Traceroute Work?

This problem originally existed in pre-4.0 versions of FireWall-1. It does not exist in 4.0 or 4.1 versions of FireWall-1. Though the reason has changed, the problem has returned in FireWall-1 NG FP1 and FP2.

With an NG FP1/FP2 firewall using hide NAT, a packet sniffer shows that the client is being sent ICMP "time exceeded" messages as it should. However, the client appears to ignore these ICMP messages and displays "Request Timed Out" messages for hops past the firewall. Analysis of these ignored packets shows both an invalid checksum and less data than was sent by the ICMP echo-request packet (56 bytes of data received versus the 64 bytes sent). These are the likely reasons the packets are being ignored.

With an NG FP1/FP2 firewall using static NAT, the ICMP "time exceeded" packets at each hop after the firewall are dropped by the firewall with the message "ICMP packet out of state" in the logs.

Check Point issued hotfix SHF_FW1_FP2_0068 to resolve this issue. Upgrading to NG FP3 or later also solves the problem.

6.16 How Does FireWall-1 Support UNIX RPC?

Each service based on Remote Procedure Call (RPC) uses its own unique program number (within each service, a version number). When an RPC-based program starts, it uses a random TCP and/or UDP port number. The portmapper is used to map each program number to a particular port used by the RPC-based program at that moment. The connection to the portmapper process must be UDP for FireWall-1 to support it?TCP connections to the portmapper are currently not supported.

FireWall-1 supports RPC by monitoring the client RPC request to the portmapper. The portmapper replies with the port number. FireWall-1 temporarily opens that port number for the connection from the client to the server. Once the connection is over, FireWall-1 closes the port.

In terms of custom applications, 99% of the time, you can simply define your custom application as a new service using the following parameters:

  • Type of connection (e.g., TCP, UDP, RPC)

  • Port number (for TCP and UDP)

  • Program number for RPC

Once done, you can use the newly defined service like any other network services.

6.17 How Do I Block AOL Instant Messenger?

To block AOL Instant Messenger, block access to the IP addresses listed in Table 6.1.

Table 6.1. IP addresses known to be used for AOL Instant Messenger

Table 6.2. IP addresses known to be used for Yahoo Messenger


6.18 How Do I Enable or Block Yahoo Messenger?

To do this, you need to allow or block access via port 5050 to the IP addresses listed in Table 6.2.

6.19 How Do I Block ICMP Packets of a Particular Length?

You can block ICMP packets by specifying a maximum acceptable length. For example, to block packets that are longer than 100 bytes, first define a service of type Other. Then set the protocol number to 1 and put the following in the Match field:

ip_len > 100

This will match any ICMP packets greater than 100 bytes in length (including headers). Create a rule with this new service to drop the packet.