The PhoneBoy Blog

Simplifying Telecom, Mobile Phones, Gadgets, Health, and More!

FireWall-1 FAQ: How Does FireWall-1 Support RPC?

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.

I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.

If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)

Each RPC-based service has a unique program number (within each service, a version number). When an RPC-based program starts, it will use a random TCP and/or UDP port number. The portmapper is used to map each program number to a particular port used by the RPC-based program at that moment. The connection to the portmapper process must be UDP for FireWall-1 to support it.

FireWall-1 supports RPC by monitoring the client RPC request to the portmapper. Then the portmapper replies with the port number. FireWall-1 temporarily opens up that port number for the connection from the client to the server. Once the connection is over, FireWall-1 will close up the port.

Note that if your application requires RPC over TCP (i.e. the connection between client and server is TCP-based), there are two possible solutions:

3.0 firewalls: Modify $FWDIR/lib/fwui_head.def on the management console so that it contains the line: #define RPC_OVER_TCP

4.0 and later firewalls, modify $FWDIR/conf/objects.C on the management console so the property enable_tcprpc is true. For more on editing objects.C, see [How do I edit objects.C?][1]

In term of custom application, 99% of the time, you can simply define your custom application as a new service using the following parameters:

  • type of connection: TCP, UDP, RPC …
  • port number (for TPC, UDP)
  • or program number for RPC

Once you have done that you can use the newly-define service as any other network services: For example, using the following rule

Source	Destination	Service		Action
rpc_client	rpp_server	my_rpc_service	Accept

to allow connection from rpc_client to rpc_service using my_rpc_service.

If you cannot define your custom application using the above parameters, you will have to write custom code to handle your custom application, for these situation please contact your support provider for help.

#Cybersecurity Evangelist, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.