Invalid service-port

Hi,

Running 2.9rc1, if I do

[admin@MikroTik] > /ip firewall service-port print
Flags: X - disabled, I - invalid
    NAME     PORTS
0 I ftp      21
1 I tftp     69
2 I irc      6667
3 X h323
4   quake3
5   mms
6 X gre
7 X pptp
[admin@MikroTik] >


Some service-port entries are marked as 'invalid'.
What does that mean and how can I make them 'valid'?

Right now I notice that I can't do non-passive FTP
sessions through a masqueraded srcnat connection,
only PASV ftp works, and I suspect this might be related
to the 'invalid' from ftp service-port?

Thanks,

--Tom

Tom

Have you got Connection Tracking turned on?

Regards

Andrew

Yep, I do (it's on by default).

[admin@MikroTik] > /ip firewall connection tracking print
                   enabled: yes
      tcp-syn-sent-timeout: 2m
  tcp-syn-received-timeout: 1m
   tcp-established-timeout: 5d
      tcp-fin-wait-timeout: 2m
    tcp-close-wait-timeout: 1m
      tcp-last-ack-timeout: 30s
     tcp-time-wait-timeout: 2m
         tcp-close-timeout: 10s
               udp-timeout: 30s
        udp-stream-timeout: 3m
              icmp-timeout: 30s
           generic-timeout: 10m
[admin@MikroTik] >

Any more information I might give that might help?

Thanks,

--Tom