The PhoneBoy Blog

Simplifying Telecom, Mobile Phones, Gadgets, and More!

FireWall-1 FAQ: How Do I Filter HTTP on other ports?

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.

I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.

If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)

There are five steps necessary to enable filtering on other ports:

  1. Create a service for the ports in question (e.g. http8000).
  2. Add a rule with a resource to your rulebase using the new service.
  3. Install the security policy.
  4. Reconfigure fwauthd.conf on the firewall module.
  5. Bounce the firewall.

Creating the services is straightforward. Create a new service of type TCP. Set the Protocol Type to URI (4.1 and before) or HTTP (NG) and set the port as needed (e.g. port 8000). If you do an "add with resource" in the services section of a rule, you will be able to associate a resource with the new service you created (e.g. http8000). If you filter with "wildcard" resources, you will need to enter the "host" part of the URL as "host:port". For example, to match "all", instead of entering "", you would need to type it as ":*". If you don't do this, your resource will fail to match.

To reconfigure $FWDIR/conf/fwauthd.conf on the firewall module, you will need to add a line to this file for each "unusual" port you wish to filter on. For port 8000, for instance, on an NG firewall, the line would read:

    8000  fwssd    in.ahttpd    wait    0

In FireWall-1 4.1 and earlier:

    8000  in.ahttpd    wait    0

Re-install the security policy and bounce the firewall (cprestart on NG; fwstop followed by fwstart on 4.1 and earlier). The new fwauthd.conf line is not read until the firewall has been restarted.
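As an added example (not from the original FAQ and not Check Point's own tooling), a small POSIX shell helper for step 4: it appends the in.ahttpd line for an extra port in the NG or 4.1 format given above, refuses bad ports, does not duplicate an entry that is already there, and lists which ports currently have an HTTP Security Server line so you can compare them against the services in your rulebase. The function names are my own choice.

```shell
#!/bin/sh
# Example helper, not part of FireWall-1. Edits fwauthd.conf in place;
# the firewall still has to be bounced afterwards for the line to take effect.

# fwauthd_has_port CONF PORT -> true if CONF already has a line for PORT
fwauthd_has_port() {
    grep -q "^[[:space:]]*$2[[:space:]]" "$1" 2>/dev/null
}

# fwauthd_ahttpd_ports CONF -> prints the ports with an in.ahttpd entry
fwauthd_ahttpd_ports() {
    awk '/in\.ahttpd/ { print $1 }' "$1"
}

# fwauthd_add_port CONF PORT VERSION  (VERSION is "ng" or "41")
# Appends the in.ahttpd line for PORT unless PORT is already configured.
# Prints the line that covers PORT; returns non-zero on bad input.
fwauthd_add_port() {
    conf=$1 port=$2 version=$3
    case $port in
        ''|*[!0-9]*) echo "port must be numeric: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    case $version in
        ng) line="$port  fwssd    in.ahttpd    wait    0" ;;   # NG format
        41) line="$port  in.ahttpd    wait    0" ;;            # 4.1 and earlier
        *)  echo "version must be ng or 41: '$version'" >&2; return 1 ;;
    esac
    if fwauthd_has_port "$conf" "$port"; then
        # Leave an existing entry alone and report it instead of adding a second one
        grep "^[[:space:]]*$port[[:space:]]" "$conf"
    else
        printf '%s\n' "$line" >> "$conf"
        echo "$line"
    fi
}
```

Run it as `fwauthd_add_port $FWDIR/conf/fwauthd.conf 8000 ng` on the module, then re-install the policy and restart as described above.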
