FireWall-1 FAQ: allocate_port: could not find a free port
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
I get the following error messages on my console:
Mar 27 15:09:52 tbefw1 unix: fw_xlate_forw: failed to initialize the connection
Mar 27 16:44:06 tbefw1 unix: allocate_port: could not find a free port for host 0, port 53
What do they mean? Can I make them go away?
In HIDE mode translation, FireWall-1 defaults to translating a low source port to a low source port. Most things use a “high” (i.e. above 1024) source port, so this isn’t a problem. Older versions of many DNS servers make DNS queries with a source port of UDP port 53. If you process a lot of DNS requests through your firewall, this may cause a problem.
The error message above came from a machine that was running DNS on the firewall itself. I can’t begin to tell you how bad of an idea that is. Don’t do it. If you have to (or you aren’t, but are still seeing these or similiar errors), then you can fix this by modifying FireWall-1 to translate UDP “low” source ports to UDP “high” source ports. See DNS Not Working to Some Sites. If your DNS server is behind the firewall, I recommend a static translation for your DNS server instead.