
Re: FW: [FW1] FTP-PORT-Mode is broken




One of my customers is experiencing exactly the same problem. Config is NT4/SP5, FW1 V4.0 SP4.

Perhaps someone at Checkpoint has an idea about the meaning of this error message?

Pascal Caumont
RMI Informatique


"Sherwood, Curtis" wrote:

> I am forwarding this to the entire list because I tried to send this
> directly back to Matthias and it returned an error to me.  If Matthias and
> anyone else could reply I would be very grateful.
>
> Thank You
>
> Curtis
>
> -----Original Message-----
> From: Sherwood, Curtis
> Sent: Monday, March 20, 2000 6:38 PM
> To: 'Matthias Weigel'
> Subject: RE: [FW1] FTP-PORT-Mode is broken
>
> Hi Matthias,
>
>         I wish I could tell you I had a fix for this but unfortunately we
> are facing the exact same problem.  I was wondering if you would mind
> letting me know exactly what it is you used for a rule.  We have a Compaq
> Proliant 1600, NT 4.0 and FW1 4.0 SP1.  I have a rule allowing FTP and
> high ports out. I tried unchecking "Enable FTP Port Connections" in the
> Policy properties and adding a rule to allow incoming FTP Data on port 20,
> but this did not work; I also allowed FTP and high ports in, but it still
> failed.  My FTP connection appeared to be going out in the logs but failed
> on the client.  I am new to this, so if it appears that I'm overlooking the
> obvious please let me know.  I'm also concerned about what risk I'm putting our
> network at if I allow this traffic in on a rule.  I would appreciate any
> help you could give me.
>
> Thank You
>
> Curtis
>
> -----Original Message-----
> From: Matthias Weigel [mailto:matthias.weigel@isonova.de]
> Sent: Monday, March 20, 2000 12:25 PM
> To: fw-1-mailinglist@lists.us.checkpoint.com
> Subject: [FW1] FTP-PORT-Mode is broken
>
> Hi,
>
> I have a strange problem with FTP PORT mode in FireWall-1.
> Environment:
>         - Firewall: Sun Ultra 450 or SS4, Solaris 2.6, FW1 V4.0 SP5
>         - FTP server: Solaris 2.6, Ultra 10 or RH Linux 6.1
>         - FTP client: Windows 95 or Windows NT
> The FTP server is connected to the FW-1 via Ethernet. The connection between
> FW-1 and the FTP client is via Ethernet, ISDN dialup or the Internet.
>
> The problem (Properties: FTP PORT mode checked on):
> In a directory with e.g. 100 files, if I do an MGET * from the
> command-line ftp with PROMPT disabled, some files are transferred. However,
> at random, the FTP control connection is shut down by the firewall.
> There is a log entry of type "reject", rule 0, info: "reason: tried to open
> tcp service port, port: xxx" where xxx is a dynamically assigned port
> number from the FTP protocol.
> It is totally random when this problem happens (how many files are
> transferred successfully before breaking). A file is always transferred
> successfully or not at all.
> If in Properties FTP PORT mode is not checked and a rule is added to
> allow the ftp-data connections, then everything is o.k. However, then
> stateful handling of FTP is lost.
> There is no problem with FTP PASV.
> The problem originally appeared on a production
> E450/Solaris 2.6/FW1 V4.0 SP5. However, I could duplicate it in my lab with
> an SS4/Solaris 2.6/FW1 V4.0 SP1, SP3 and SP5. The rulebase contained two
> rules: any-any-ftp-accept and any-any-any-accept. The problem exists
> with and without the use of FTP resources.
> The problem seems to be independent of the FTP client or FTP server in
> use.
>
> - What does the error message exactly mean? I could not find it in the
> docs.
> - Is somebody else having the same problem?
> - Is there a solution other than opening all "high" ports for ftp-data
> via an extra rule and losing stateful handling of FTP PORT mode?
>
> Thanks for your input
>
> Matthias Weigel
> ISOnova GmbH
>
> ============================================================================
> ====
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ============================================================================
> ====

--
Pascal Caumont
RMI Informatique
1, Rue Blaise Pascal
54320 Maxeville
France
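As an added illustration for readers of this thread (it is not part of the original messages and not Check Point's code), the script below shows the kind of check a stateful FTP inspector performs on the control channel: it parses each RFC 959 PORT command, derives the announced host and data port, and only opens the data connection when the host matches the control-connection peer and the port lies outside the reserved/service range. The reject reason for the reserved-port case is modelled on the log text quoted above; that FireWall-1's rule-0 check is exactly this policy is an assumption, as are the sample PORT lines and the client address 192.0.2.10, which are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# PORT h1,h2,h3,h4,p1,p2  (RFC 959): host = h1.h2.h3.h4, port = p1*256 + p2
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class Decision:
    accept: bool
    host: Optional[str]
    port: Optional[int]
    reason: str


def parse_port_command(line: str) -> Tuple[str, int]:
    """Return (host, port) announced by a PORT command; ValueError if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % line)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def check_port_command(line: str, control_peer: str, reserved_max: int = 1023) -> Decision:
    """Illustrative inspection policy (hypothetical, not FW-1's implementation):
    1. the announced host must equal the control-connection peer, so a client
       cannot direct the server at a third host;
    2. port 0 is never a valid data port;
    3. the port must be above the reserved/service range (default 1023).
    """
    try:
        host, port = parse_port_command(line)
    except ValueError as exc:
        return Decision(False, None, None, str(exc))
    if host != control_peer:
        return Decision(False, host, port,
                        "PORT host %s does not match control peer %s" % (host, control_peer))
    if port == 0:
        return Decision(False, host, port, "port 0 is not a valid data port")
    if port <= reserved_max:
        # Reason string modelled on the FW-1 log text quoted in the thread.
        return Decision(False, host, port, "tried to open tcp service port, port: %d" % port)
    return Decision(True, host, port, "data connection to %s:%d allowed" % (host, port))


# Constructed sample control-channel lines from a client at 192.0.2.10.
SAMPLE_LINES = [
    "PORT 192,0,2,10,4,210",   # 4*256+210 = 1234: ephemeral port, accepted
    "PORT 192,0,2,10,0,80",    # port 80: inside the reserved/service range
    "PORT 192,0,2,10,0,0",     # port 0
    "PORT 203,0,113,5,4,210",  # host differs from the control peer
    "PORT 192,0,2,10,300,1",   # malformed: field > 255
]


def audit(lines: List[str], control_peer: str = "192.0.2.10") -> List[Tuple[str, Decision]]:
    """Run the policy over each line and pair it with the decision taken."""
    return [(ln, check_port_command(ln, control_peer)) for ln in lines]


if __name__ == "__main__":
    for ln, d in audit(SAMPLE_LINES):
        print("%-7s %-26s %s" % ("ACCEPT" if d.accept else "REJECT", ln, d.reason))
```

Running it prints one ACCEPT for the ephemeral port and a REJECT with a distinct reason for each of the other four lines. The practical point for the thread is that when a client happens to pick a data port in the range the firewall treats as "service" ports, the inspector drops that transfer even though the rule base allows FTP; logging the announced port alongside the reason, as above, is what makes that pattern recognisable.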



