[FW1] FTP-PORT-Mode is broken
Hi,
I have a strange problem with FTP PORT mode in Firewall-1.
Environment:
-Firewall: Sun Ultra450 or SS4, Solaris 2.6, FW1 V4.0 SP5
-FTP-Server: Solaris2.6, Ultra10 or RH-Linux 6.1
-FTP-Client: Windows95 or WindowsNT
The FTP-Server is connected to the FW-1 via ethernet. Connection between
FW-1 and FTP-client is via Ethernet or ISDN dialup or Internet.
The Problem: (Properties: FTP-PORT-Mode checked on)
In a directory with e.g. 100 files, if I do an MGET * from the
command-line ftp with PROMPT disabled, some files are transferred. However,
at random the ftp control connection is being shut down by the Firewall.
There is a log entry type "reject", rule 0, info: "reason: tried to open
tcp service port, port: xxx" where xxx is a dynamically assigned port
number from the ftp protocol.
It is totally random when this problem happens (how many files are
transferred successfully before breaking). A file is always transferred
successfully or not at all.
If in properties FTP-PORT-Mode is not checked and a rule is added to
allow the ftp-data connections, then everything is OK. However, then
stateful handling of ftp is lost.
There is no problem with FTP-PASV.
The problem originally appeared on a production
E450/Solaris2.6/FW1-V4.0SP5. However, I could duplicate it in my lab with
a SS4/Solaris 2.6/FW1-V4.0 SP1, SP3 and SP5. The rulebase contained two
rules: any-any-ftp-accept and any-any-any-accept. The problem exists
with and without the use of ftp resources.
The problem seems to be independent of the ftp-client or ftp-server in
use.
- What does the error message exactly mean? I could not find it in the
docs.
- Is somebody else having the same problem?
- Is there a solution other than opening all "high" ports for ftp-data
via an extra rule and losing stateful handling of ftp-port-mode?
Thanks for your input
Matthias Weigel
ISOnova GmbH
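An added illustration, not from the post above and not Check Point's code: a small Python model of the check a stateful FTP inspector performs on each PORT command seen on the control channel, and a constructed MGET walk that shows how a sequence of client-chosen data ports can pass many times and then hit a reject. The service-port table, the rule that a data port colliding with a defined TCP service is refused, and the sequential port assignment are assumptions made for the demonstration.

```python
import re
from typing import Optional, Tuple

# Constructed table of TCP service ports the inspector refuses to open for
# ftp-data (assumption; the real FW-1 service database is not in the post).
TCP_SERVICE_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp",
                     80: "http", 2049: "nfs", 6000: "x11"}

# RFC 959 syntax: PORT h1,h2,h3,h4,p1,p2  where port = p1*256 + p2
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")

def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from a PORT command, or None if it is malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def inspect_port_command(line: str, client_ip: str) -> Tuple[str, str]:
    """Decide whether this PORT command may open a data-connection hole.
    Returns (verdict, reason) worded like the firewall's log entry."""
    parsed = parse_port_command(line)
    if parsed is None:
        return "reject", "malformed PORT command"
    ip, port = parsed
    if ip != client_ip:          # data address must be the control-connection peer
        return "reject", f"PORT address {ip} is not the control peer {client_ip}"
    if port < 1024:              # never punch holes into privileged ports
        return "reject", f"tried to open privileged port, port: {port}"
    if port in TCP_SERVICE_PORTS:
        return "reject", f"tried to open tcp service port, port: {port}"
    return "accept", f"data connection {ip}:{port} allowed"

def simulate_mget(client_ip: str, first_port: int, nfiles: int):
    """Walk a constructed MGET: one PORT command per file, the client taking
    ephemeral ports sequentially. Returns (files_ok, reject_reason), with
    reject_reason None when every transfer passed the inspector."""
    for i in range(nfiles):
        port = first_port + i
        h = client_ip.replace(".", ",")
        verdict, reason = inspect_port_command(f"PORT {h},{port // 256},{port % 256}", client_ip)
        if verdict == "reject":
            return i, reason        # i files succeeded before the control connection was cut
    return nfiles, None

if __name__ == "__main__":
    print(simulate_mget("10.0.0.5", 2040, 100))
```

Running the walk with ports starting at 2040 transfers nine files and then rejects the tenth at port 2049, which is the same "works for a while, then the control connection drops" pattern the post describes.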