Next: Filtering Content from HTML Up: Configuring Access to Services Previous: Special Considerations for NetBIOS

Protocol Maps

Figure 4.37: The TCP Service Map Setup Screen [screenshot not reproduced here]

The TCP Service Map Setup Screen (Figure 4.37) lets you define mappings from one service to another. This is necessary when you run (or need access to) a service that requires service-specific handling by the firewall but is not listening on the standard port for that service. The most common example is FTP. FTP uses two separate connections, one for control commands and one for data transfer. To run an FTP proxy or gateway on a port other than the standard port 21, you must tell the firewall that the non-standard port carries FTP, so that the associated data transfer connections are also allowed. You do this by entering the (non-standard) physical port number in the left-hand column and the logical port or service name (in our example, 'ftp' or '21') in the right-hand column.

The resulting entries will be written to the /etc/protomap file, which the firewall reads to determine the service mappings. This file can have additional custom entries added by putting them in the /usr/local/custom/protomap file. Custom entries may be useful for mapping UDP services, for example, as the entries in this screen are for TCP only. Section 7.1 has more details about how to do this.

There is one special case that may be of interest: if the logical port is set to 20 (the FTP data channel), the physical port is still treated as an FTP control channel, but the data channel is then taken to be the port directly above the physical port rather than the one directly below it. For example, if you specify a physical port of 500 and a logical port of 21, the firewall treats port 500 as an FTP control channel and port 499 as the corresponding FTP data channel; if you specify a logical port of 20 instead, the firewall still treats port 500 as an FTP control channel but treats port 501 as the data channel. This is rarely needed, but some FTP servers are set up in this way.
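The following is an added worked example, not code from this manual or from the CEQURUX product, that applies the two FTP rules described above to a set of protocol map entries. It assumes a two-column, whitespace-separated layout with '#' comments (the manual does not specify the on-disk syntax of /etc/protomap) and uses a small built-in service-name table in place of /etc/services.

```python
# Constructed sample in the two-column layout the screen describes:
# physical (non-standard) port on the left, logical port or service name on
# the right. The exact syntax of /etc/protomap is an assumption here.
SAMPLE_PROTOMAP = """\
# physical  logical
500         21
600         ftp
700         20
8080        http
"""

# Minimal service-name table; a real firewall would consult /etc/services.
SERVICE_PORTS = {"ftp": 21, "ftp-data": 20, "http": 80, "telnet": 23, "smtp": 25}


def parse_protomap(text):
    """Return a list of (physical_port, logical_port) tuples, skipping comments and blank lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 2 columns, got {len(fields)}")
        physical = int(fields[0])
        logical = int(fields[1]) if fields[1].isdigit() else SERVICE_PORTS[fields[1].lower()]
        if not (1 <= physical <= 65535 and 1 <= logical <= 65535):
            raise ValueError(f"line {lineno}: port out of range")
        entries.append((physical, logical))
    return entries


def ftp_data_port(physical, logical):
    """Rule from the text: logical 21 -> data channel is the port below the physical
    port; logical 20 -> data channel is the port above. None for non-FTP mappings."""
    if logical == 21:
        return physical - 1
    if logical == 20:
        return physical + 1
    return None


def ftp_channel_map(text):
    """Map each FTP control port to the data-channel port the firewall will also permit."""
    result = {}
    for physical, logical in parse_protomap(text):
        data = ftp_data_port(physical, logical)
        if data is not None:
            if not 1 <= data <= 65535:
                raise ValueError(f"data port {data} for control port {physical} is out of range")
            result[physical] = data
    return result


if __name__ == "__main__":
    for ctrl, data in sorted(ftp_channel_map(SAMPLE_PROTOMAP).items()):
        print(f"FTP control port {ctrl} -> data channel port {data}")
```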


Copyright © 2004, CEQURUX Technologies