There may be times when you wish to access servers for services that need protocol-specific handling, such as FTP, which are running on non-standard ports. The transparent gateway program usually uses the server port to determine the type of session to allocate; in the case of non-standard ports, this mechanism is inadequate, because the port alone no longer identifies the protocol.
For example, consider an FTP server running on TCP port 9000. If you simply defined a TCP gateway on port 9000, this would allow you to connect to the server (that is, the FTP control connection could be established), but no directory listings or file transfers would be possible, as there would be no way to allow the data connection that the server calls back from port 8999 (the port immediately below the control port).
The firewall does have a way to solve this problem. You can define a set of real- to effective-port maps using the Protocol Map Setup Screen (see Section 4.6.7), or, if finer control is required, in the file /usr/local/custom/protomap. Each entry in this file should have one of the two forms:
<serveraddress>/<maskbits>:<protocol>/<port> <effectiveport>
<servername>:<protocol>/<port> <effectiveport>
The first form allows you to restrict the map to a host or a network (a mask of 0 bits matches every host), while the second form restricts the map to a single named host. The protocol should be `tcp' or `udp'. At most 32 entries for each protocol are allowed, and the ports must be greater than 1023.
Here are some examples:
0.0.0.0/0:tcp/5000 ftp
196.10.50.0/24:tcp/6000 ftp
www.funnyweb.com:tcp/8080 80
The first example specifies that TCP port 5000 should be treated as an FTP service for all hosts; the second specifies that TCP port 6000 should be treated as FTP for all servers in the 196.10.50 network; the last example specifies that the host www.funnyweb.com is running an HTTP server on TCP port 8080, so that port is treated as port 80.
Note that access to these ports must be set up using TCP gateways as normal; the protocol map file only affects the logical session type, not the actual ports or access permissions used.
The same mechanism can be used for proxies. In this case the first form must be used, and the mask bits must be set to zero. For example, if you set up a TCP proxy on port 5000 that should act as an FTP service, then you would make an entry with the same form as the first example above.
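As an added illustration (not code from the firewall product), the following Python parser reads entries in the two forms described above, enforces the stated rules (tcp or udp only, ports above 1023, at most 32 entries per protocol), and resolves a server/protocol/port triple to its effective port. The service-name table, the handling of blank and '#' lines, and the most-specific-match precedence are assumptions, since the manual does not specify them.

```python
import ipaddress
# Assumption: an effective port is written as a number or as one of these service names.
SERVICE_PORTS = {"ftp": 21, "http": 80}

def parse_entry(line):
    """Parse one entry in either documented form; ValueError on the rules the manual states."""
    target, effective = line.split()  # exactly two fields, otherwise ValueError
    server, _, protoport = target.rpartition(":")
    proto, _, port = protoport.partition("/")
    if not server or proto not in ("tcp", "udp"):
        raise ValueError("need <server>:tcp|udp/<port>: %r" % line)
    if not port.isdigit() or int(port) <= 1023:
        raise ValueError("port must be numeric and greater than 1023: %r" % line)
    entry = {"net": None, "name": None, "proto": proto, "port": int(port),
             "effective": SERVICE_PORTS.get(effective.lower()) or int(effective)}
    if "/" in server:  # first form: ip_network validates the address and the mask bits
        entry["net"] = ipaddress.ip_network(server, strict=False)
    else:              # second form: a host name
        entry["name"] = server.lower()
    return entry

def parse_protomap(text):
    """Parse a whole protomap file, enforcing the 32-entries-per-protocol limit."""
    entries, counts = [], {"tcp": 0, "udp": 0}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):  # assumption: blank and '#' lines are ignored
            continue
        entry = parse_entry(line)
        counts[entry["proto"]] += 1
        if counts[entry["proto"]] > 32:
            raise ValueError("more than 32 %s entries" % entry["proto"])
        entries.append(entry)
    return entries

def effective_port(entries, server, proto, port):
    """Logical port for server/protocol/port, or None. Assumption: most specific entry wins."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:  # a host name can only match a second-form entry
        addr = None
    best, best_len = None, -1
    for e in entries:
        if e["proto"] != proto or e["port"] != port:
            continue
        if e["name"] is not None:
            if e["name"] == server.lower():
                return e["effective"]
        elif addr is not None and addr in e["net"] and e["net"].prefixlen > best_len:
            best, best_len = e["effective"], e["net"].prefixlen
    return best
```

Feeding it the three example entries above yields 21 (FTP) for TCP port 5000 on any host and for TCP port 6000 on a 196.10.50.x host, and 80 for TCP port 8080 on www.funnyweb.com.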