AW: [FW1] ftp reject "reason: tried to open up other host port"
Hi Angel,
I traced the connection (my customer did, because his site is quite far
away) and all the connections seem to come from the same IP address. I made
the modifications suggested by phoneboy but I am not sure if it works. The
example from phoneboy is for a V3.0 FW and the definitions in V4.0 are
quite different. I am not very good at INSPECT, so I made as few
modifications as possible. Perhaps you can check if these modifications are
correct. I used the construction with "not" and "p<1024" because I don't know
the meaning of the parameter behind the "p".
Here is my definition of "FTP-Server-Ports":
define FTP_NOTSERVER_TCP_PORT(p) {
(not
( p < 1024, set sr10 RCODE_SMALL_PORT, set sr11 0, set sr12 p,
set sr1 0, log bad_conn)
)
};
and then in the definition of ftp I have (only in the active ftp section
because that is the one which is causing problems):
#define ftp_accept_port \
r_cdir = 1, dport = SERV_ftp or origdport = SERV_ftp, tcp, \
IS_PORT_CMD, set sr1 FTPPORT(0), \
direction = 1 or FTPPORT_ANTICIPATE(sr1), \
set sr1 FTPPORT(FTPPORT_MATCH), sr1 != 0 or (WRONG_HOST_LOG,reject),\
FTP_NOTSERVER_TCP_PORT(sr1) or reject, \
direction = 0 or FTPPORT_ANTICIPATE(sr1), \
( \
ftp_accept_port_enc(sr1) \
) or ( \
ftp_accept_port_clear(sr1) \
), \
accept_fwz_as_clear(r_ctype)
Do I have to do anything else, or doesn't it work at all?
TIA
Axel
Eckmann Netzwerkservice GmbH
Sylvesterallee 2
22525 Hamburg
Tel.:040/54706-195
Fax:040/54706-111
E-Mail:axel.hoffmann@eckmann.de
URL:www.eckmann.de
> -----Original Message-----
> From: Angel Luis Perez Hernandez [SMTP:angel@workflow.es]
> Sent: Wednesday, 13 October 1999 09:59
> To: Hoffmann, Axel
> Subject: RE: [FW1] ftp reject "reason: tried to open up other host port"
>
> Have you tried tracing the connection? I tried the "FTPPORT"
> modification and it didn't work, so I "sniffed" the connection and found there
> was a NIC card in the PC and a "PORT" command with the NIC address was being
> sent, and FW-1 showed it (logically) as "trying to open another host port".
>
> Look in the trace for the "PORT" commands and try to find if there are
> any strange addresses in them or there is any "PORT" without address.
>
> Regards
> Angel Luis Perez
>
> ----- Original Message -----
> From: Axel Hoffmann <axel.hoffmann@eckmann.de>
> To: <michel.martin@mrn.gouv.qc.ca>; <msallen3@yahoo.com>;
> <fw-1-mailinglist@lists.us.checkpoint.com>
> Sent: Wednesday, October 13, 1999 9:10 AM
> Subject: AW: [FW1] ftp reject "reason: tried to open up other host port"
>
>
> >
> > Hi,
> > Thanks for the hint, but I already tried that.
> >
> > REGARDS;
> >
> > Axel Hoffmann
> >
> >
> > Your opinion is important to us!
> > Take part and win at http://www.eckmann.de
> >
> >
> > Eckmann Netzwerkservice GmbH
> >
> > Sylvesterallee 2
> > 22525 Hamburg
> >
> > Tel.:040/54706-195
> > Fax:040/54706-111
> > E-Mail:axel.hoffmann@eckmann.de
> >
> > URL:www.eckmann.de
> >
> > > -----Original Message-----
> > > From: michel.martin@mrn.gouv.qc.ca [SMTP:michel.martin@mrn.gouv.qc.ca]
> > > Sent: Tuesday, 12 October 1999 20:03
> > > To: Hoffmann, Axel; msallen3@yahoo.com; fw-1-mailinglist@lists.us.checkpoint.com
> > > Subject: RE: [FW1] ftp reject "reason: tried to open up other host port"
> > >
> > > << File: ATT00023.txt; charset = windows-1252 >> << File: FireWall-1 FAQ- High Port TCP Services and FTP.url >>
> >
> > ================================================================================
> > To unsubscribe from this mailing list, please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > ================================================================================
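
The check Angel describes in the quoted reply (look through the trace for "PORT" commands with strange or missing addresses) can be scripted. The Python below is an added example, not part of the original thread and not Check Point code; the function names and the sample trace are constructed (documentation addresses), and it also flags ports below 1024, the condition the FTP_NOTSERVER_TCP_PORT macro tests.

```python
import re

# Matches an FTP PORT command; the argument is validated separately.
PORT_RE = re.compile(r"^PORT(?:\s+(.*))?$", re.IGNORECASE)

def parse_port_arg(arg):
    """Return (ip, port) from 'h1,h2,h3,h4,p1,p2', or None if malformed."""
    fields = arg.strip().split(",")
    if len(fields) != 6 or not all(re.fullmatch(r"[0-9]{1,3}", f) for f in fields):
        return None
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def audit_port_commands(trace):
    """trace: iterable of (client_ip, control_channel_line) pairs.
    Returns (client_ip, line, reason) for every PORT command worth a look."""
    findings = []
    for client_ip, line in trace:
        m = PORT_RE.match(line.strip())
        if not m:
            continue  # not a PORT command
        parsed = parse_port_arg(m.group(1) or "")
        if parsed is None:
            findings.append((client_ip, line, "missing or malformed address"))
            continue
        ip, port = parsed
        if ip != client_ip:
            # Address differs from the control connection's source address.
            findings.append((client_ip, line, f"address {ip} is not the client"))
        if port < 1024:
            findings.append((client_ip, line, f"port {port} is below 1024"))
    return findings

# Constructed sample trace (documentation addresses, not from the thread).
SAMPLE_TRACE = [
    ("192.0.2.10", "USER anonymous"),
    ("192.0.2.10", "PORT 192,0,2,10,4,1"),       # port 1025, matches client
    ("192.0.2.10", "PORT 198,51,100,7,19,136"),  # address of another interface
    ("192.0.2.10", "PORT 192,0,2,10,0,21"),      # low port
    ("192.0.2.10", "PORT"),                      # no address at all
]

if __name__ == "__main__":
    for finding in audit_port_commands(SAMPLE_TRACE):
        print(finding)
```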