
RE: [FW1] FTP-PORT-Mode is broken




Curtis, Matthias,

This is related to one of the frequently-asked questions on Phoneboy.  The
question as it appears on Phoneboy ( http://www.phoneboy.com/fw1/faq/0106.html )
is:

        I have defined several consecutive tcp high ports for a TCP service
        I need to allow through the firewall. However, it seems like my FTP
        sessions no longer work. At times, they appear to "hang." After
        several attempts, FTP works again.

        Any ideas as to what's wrong?


-- 
Timothy Frost                   mailto:Timothy.Frost@eds.com
EDS New Zealand                 Fax: +64-4-474-5565
8 Gilmer Terrace                        Phone: +64-4-495-0504
P O Box 3647
Wellington
New Zealand

> -----Original Message-----
> From: Sherwood, Curtis [SMTP:Curtis.Sherwood@mit-it.com]
> Sent: Wednesday, March 22, 2000 2:18 AM
> To:   Fw-1-Mailinglist (E-mail)
> Subject:      FW: [FW1] FTP-PORT-Mode is broken
> 
> 
> I am forwarding this to the entire list because I tried to send this
> directly back to Matthias and it returned an error to me.  If Matthias
> and anyone else could reply I would be very grateful.
> 
> Thank You 
> 
> Curtis 
> 
> -----Original Message-----
> From: Sherwood, Curtis 
> Sent: Monday, March 20, 2000 6:38 PM
> To: 'Matthias Weigel'
> Subject: RE: [FW1] FTP-PORT-Mode is broken
> 
> 
> Hi Matthias,
> 
>       I wish I could tell you I had a fix for this but unfortunately we
> are facing the exact same problem.  I was wondering if you would mind
> letting me know exactly what it is you used for a rule.  We have a Compaq
> ProLiant 1600, NT 4.0 and FW1 4.0 SP1.  I have a rule allowing FTP and
> high ports out.  I tried unchecking the Enable FTP Port Connections from
> Policy properties and adding the rule to allow incoming FTP Data on port 20,
> but this did not work.  I also allowed FTP and high ports in but it still
> failed.  My FTP connection appeared to be going out in the logs but failed
> on the client.  I am new to this so if it appears that I'm overlooking the
> obvious please let me know.  I'm also concerned at what risk I'm putting our
> network at if I allow this traffic in on a rule.  I would appreciate any
> help you could give me.
> 
> Thank You 
> 
> Curtis
> 
> -----Original Message-----
> From: Matthias Weigel [mailto:matthias.weigel@isonova.de]
> Sent: Monday, March 20, 2000 12:25 PM
> To: fw-1-mailinglist@lists.us.checkpoint.com
> Subject: [FW1] FTP-PORT-Mode is broken
> 
> 
> 
> Hi,
> 
> I have a strange problem with FTP PORT mode in FireWall-1.
> Environment:
>       - Firewall: Sun Ultra 450 or SS4, Solaris 2.6, FW1 V4.0 SP5
>       - FTP server: Solaris 2.6, Ultra 10 or RH Linux 6.1
>       - FTP client: Windows 95 or Windows NT
> The FTP server is connected to the FW-1 via Ethernet. Connection between
> FW-1 and FTP client is via Ethernet or ISDN dialup or Internet.
> 
> The Problem: (Properties: FTP-PORT-Mode checked on)
> In a directory with e.g. 100 files, if I do an MGET * from the
> command-line ftp with PROMPT disabled, some files are transferred. However,
> at random the ftp control connection is shut down by the firewall.
> There is a log entry type "reject", rule 0, info: "reason: tried to open
> tcp service port, port: xxx" where xxx is a dynamically assigned port
> number from the ftp protocol.
> It is totally random when this problem happens (how many files are
> transferred successfully before breaking). A file is always transferred
> successfully or not at all.
> If in properties FTP-PORT-Mode is not checked and a rule is added to
> allow the ftp-data connections then everything is o.k. However, then
> stateful handling of ftp is lost.
> There is no problem with FTP PASV.
> The problem originally appeared on a production
> E450/Solaris 2.6/FW1 V4.0 SP5. However, I could duplicate it in my lab with
> a SS4/Solaris 2.6/FW1 V4.0 SP1, SP3 and SP5. The rulebase contained two
> rules: any-any-ftp-accept and any-any-any-accept. The problem exists
> with and without the use of ftp resources.
> The problem seems to be independent of the ftp client or ftp server in
> use.
> 
> - What does the error message exactly mean? I could not find it in the
> docs.
> - Is somebody else having the same problem?
> - Is there a solution other than opening all "high" ports for ftp-data
> via an extra rule and losing stateful handling of ftp PORT mode?
> 
> 
> Thanks for your input
> 
> 
> Matthias Weigel
> ISOnova GmbH
> 
> 
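As an added illustration (not code from this thread or from Check Point), a small Python model of the mechanism the Phoneboy FAQ question above hints at: a firewall that tracks FTP PORT commands but refuses to open a negotiated data port when that port is also defined as a TCP service, which yields a rule-0 reject with the log text Matthias quotes and makes a long MGET stop at an apparently random file. The service range, client address and ephemeral ports are constructed, and the collision rule itself is an assumption about FW-1's behaviour, not something the thread confirms.

```python
import re

# Constructed example: a TCP service object defined on the firewall that
# covers six consecutive high ports, as in the Phoneboy FAQ question.
DEFINED_TCP_SERVICES = set(range(1025, 1031))

_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_port_command(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); None if not a PORT line."""
    m = _PORT_RE.match(line)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(v > 255 for v in octets):          # malformed PORT argument
        return None
    h1, h2, h3, h4, p1, p2 = octets
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def ftp_data_decision(line, services=DEFINED_TCP_SERVICES):
    """Assumed model of the stateful FTP handler's choice for one control line.

    ('accept', port): data connection to that port is opened
    ('reject', text): rule-0 reject with the log text quoted in the thread
    ('ignore', None): not a PORT command, nothing to track
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return ("ignore", None)
    _, port = parsed
    if port in services:   # negotiated data port collides with a defined service
        return ("reject", f"reason: tried to open tcp service port, port: {port}")
    return ("accept", port)


def simulate_mget(n_files, first_port, services=DEFINED_TCP_SERVICES):
    """Emulate MGET of n_files, the client using one ephemeral port per file.

    Returns (files_transferred, reject_text_or_None): the session stops at the
    first data port inside the service range, hence the "random" break point.
    """
    transferred = 0
    for i in range(n_files):
        port = first_port + i
        line = f"PORT 10,0,0,5,{port // 256},{port % 256}"   # constructed client IP
        verdict, info = ftp_data_decision(line, services)
        if verdict == "reject":
            return (transferred, info)
        transferred += 1
    return (transferred, None)
```

Running `simulate_mget(100, 1020)` against the constructed service range stops after five files at port 1025, while the same MGET with no colliding service completes all 100.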


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================