FireWall-1 FAQ: How Does FireWall-1 Support RPC?
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
Each RPC-based service has a unique program number (within each service, a version number). When an RPC-based program starts, it will use a random TCP and/or UDP port number. The portmapper is used to map each program number to a particular port used by the RPC-based program at that moment. The connection to the portmapper process must be UDP for FireWall-1 to support it.
FireWall-1 supports RPC by monitoring the client RPC request to the portmapper. Then the portmapper replies with the port number. FireWall-1 temporarily opens up that port number for the connection from the client to the server. Once the connection is over, FireWall-1 will close up the port.
Note that if your application requires RPC over TCP (i.e. the connection between client and server is TCP-based), there are two possible solutions:
3.0 firewalls: Modify $FWDIR/lib/fwui_head.def on the management console so that it contains the line: #define RPC_OVER_TCP
4.0 and later firewalls, modify $FWDIR/conf/objects.C on the management console so the property enable_tcprpc is true. For more on editing objects.C, see [How do I edit objects.C?]
In term of custom application, 99% of the time, you can simply define your custom application as a new service using the following parameters:
- type of connection: TCP, UDP, RPC …
- port number (for TPC, UDP)
- or program number for RPC
Once you have done that you can use the newly-define service as any other network services: For example, using the following rule
Source Destination Service Action rpc_client rpp_server my_rpc_service Accept
to allow connection from rpc_client to rpc_service using my_rpc_service.
If you cannot define your custom application using the above parameters, you will have to write custom code to handle your custom application, for these situation please contact your support provider for help.