
RE: [FW1] ftp reject "reason: tried to open up other host port"





    I'm afraid I'm not good at all with Inspect either. But I don't know
what's happening to you. I didn't have to create the ftp-server-ports at
all. I just uncommented the line in the base.def file. What I've learned
from this is that this message comes from an incorrect "PORT" command. From
the trace, do all of your "PORT" commands contain the address of the client? Don't
you have any "PORT" command without an address? I mean, with a blank, a
newline or anything different from an address. Don't you have "PORT"
commands when you wouldn't expect one?

    Regards
    Angel
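The check Angel describes above (and the p < 1024 test in the FTP_NOTSERVER_TCP_PORT macro quoted further down) can be reproduced offline against a packet trace. The following is an added example, not code from the original post and not Check Point's INSPECT: it parses PORT commands from a constructed control-channel trace, compares the advertised address with the control connection's client address, and flags privileged ports and malformed or empty PORT lines. The client address, the trace lines and the verdict names are assumptions for illustration.

```python
"""
Added example (not from the original post): check FTP PORT commands the way
a stateful firewall's FTP inspection would, against a constructed control-
channel trace. The two rules mirror the thread: the address in PORT must be
the control connection's client address (otherwise "tried to open up other
host port"), and the port must be >= 1024 (the p < 1024 test in the posted
FTP_NOTSERVER_TCP_PORT macro). Malformed or empty PORT lines are flagged too.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 959 syntax: PORT h1,h2,h3,h4,p1,p2 (all decimal, 0-255)
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


@dataclass
class PortVerdict:
    line: str
    verdict: str                 # "accept", "malformed", "wrong_host", "small_port"
    address: Optional[str] = None
    port: Optional[int] = None


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from a PORT line, or None if it is not well formed."""
    m = PORT_RE.match(line.strip())
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def check_port_command(line: str, client_ip: str, min_port: int = 1024) -> PortVerdict:
    """Apply the wrong-host and small-port rules to a single PORT line."""
    parsed = parse_port_command(line)
    if parsed is None:
        return PortVerdict(line, "malformed")
    ip, port = parsed
    # A multi-homed client advertising another interface's address trips this.
    if ipaddress.ip_address(ip) != ipaddress.ip_address(client_ip):
        return PortVerdict(line, "wrong_host", ip, port)
    # Privileged data ports are refused, as in the posted p < 1024 check.
    if port < min_port:
        return PortVerdict(line, "small_port", ip, port)
    return PortVerdict(line, "accept", ip, port)


def audit_control_channel(client_ip: str, lines: List[str]) -> List[PortVerdict]:
    """Run the check over every client command and keep only the PORT verdicts."""
    return [check_port_command(l, client_ip) for l in lines if l.upper().startswith("PORT")]


# Constructed client->server control-channel lines (hypothetical addresses).
SAMPLE_CLIENT_IP = "192.0.2.10"
SAMPLE_TRACE = [
    "USER anonymous",
    "PASS guest@",
    "PORT 192,0,2,10,4,1",    # 192.0.2.10:1025 - address and port are fine
    "LIST",
    "PORT 10,0,0,5,4,2",      # 10.0.0.5:1026 - a second NIC's address, wrong host
    "RETR file.txt",
    "PORT 192,0,2,10,0,21",   # port 21 - privileged port
    "PORT",                   # PORT with no address at all
    "PORT 192,0,2,10,4",      # truncated argument
]

if __name__ == "__main__":
    for v in audit_control_channel(SAMPLE_CLIENT_IP, SAMPLE_TRACE):
        addr = v.address or "-"
        port = "-" if v.port is None else str(v.port)
        print(f"{v.verdict:10s} {addr:15s} {port:>5} <- {v.line!r}")
```

Run it against the PORT lines pulled from your own trace (with the real client address) and any line that does not come back as "accept" is a candidate for the firewall's "tried to open up other host port" reject.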

----- Original Message -----
From: Axel Hoffmann <axel.hoffmann@eckmann.de>
To: 'Angel Luis Perez Hernandez' <angel@workflow.es>
Cc: <fw-1-mailinglist@lists.us.checkpoint.com>
Sent: Wednesday, October 13, 1999 5:24 PM
Subject: AW: [FW1] ftp reject "reason: tried to open up other host port"


> Hi Angel,
> I traced the connection (my customer did because his site is quite far
> away) and all the connections seem to come from the same IP address. I did
> the modifications suggested by phoneboy but I am not sure if it works. The
> example from phoneboy is for a V3.0 FW and the definitions in V4.0 are
> quite different. I am not so very good at Inspect so I did as few
> modifications as possible. Perhaps you can check if these modifications
> are correct. I did the construction with "not" and "p<1024" because I don't
> know the meaning of the parameter behind the "p".
>
> Here is my definition of "FTP-Server-Ports":
>
>
> define FTP_NOTSERVER_TCP_PORT(p) {
> (not
> ( p < 1024, set sr10 RCODE_SMALL_PORT, set sr11 0, set sr12 p,
>   set sr1 0, log bad_conn)
> )
> };
>
> and then in the definition of ftp I have (only in the active ftp section
> because that is the one which is causing problems):
>
>
> #define ftp_accept_port \
> r_cdir = 1, dport = SERV_ftp or origdport = SERV_ftp, tcp, \
> IS_PORT_CMD, set sr1 FTPPORT(0), \
> direction = 1 or FTPPORT_ANTICIPATE(sr1), \
> set sr1 FTPPORT(FTPPORT_MATCH), sr1 != 0 or (WRONG_HOST_LOG,reject),\
> FTP_NOTSERVER_TCP_PORT(sr1) or reject, \
> direction = 0 or FTPPORT_ANTICIPATE(sr1), \
> ( \
> ftp_accept_port_enc(sr1) \
> ) or ( \
> ftp_accept_port_clear(sr1) \
> ), \
> accept_fwz_as_clear(r_ctype)
>
> Do I have to do anything else or doesn't it work at all?
>
> TIA
>
> Axel
>
>
> Eckmann Netzwerkservice GmbH
>
> Sylvesterallee 2
> 22525 Hamburg
>
> Tel.:040/54706-195
> Fax:040/54706-111
> E-Mail:axel.hoffmann@eckmann.de
>
> URL:www.eckmann.de
>
> > -----Original Message-----
> > From: Angel Luis Perez Hernandez [SMTP:angel@workflow.es]
> > Sent: Wednesday, 13 October 1999 09:59
> > To: Hoffmann, Axel
> > Subject: RE: [FW1] ftp reject "reason: tried to open up other host port"
> >
> >     Have you tried tracing the connection? I tried the "FTPPORT"
> > modification and it didn't work, so I "sniffed" the connection and found
> > there was a NIC card in the PC and a "PORT" command with the NIC address
> > was being sent, and FW-1 showed it (logically) as "trying to open another
> > host port".
> >
> >     Look in the trace for the "PORT" commands and try to find if there
> > are any strange addresses in them or there is any "PORT" without address.
> >
> >     Regards
> >     Angel Luis Perez
> >
> > ----- Original Message -----
> > From: Axel Hoffmann <axel.hoffmann@eckmann.de>
> > To: <michel.martin@mrn.gouv.qc.ca>; <msallen3@yahoo.com>;
> > <fw-1-mailinglist@lists.us.checkpoint.com>
> > Sent: Wednesday, October 13, 1999 9:10 AM
> > Subject: AW: [FW1] ftp reject "reason: tried to open up other host port"
> >
> >
> > >
> > > Hi,
> > > Thanks for the hint, but I already tried that.
> > >
> > > REGARDS;
> > >
> > > Axel Hoffmann
> > >
> > >
> > > Your opinion matters to us!
> > > Take part and win at http://www.eckmann.de
> > >
> > >
> > > > -----Original Message-----
> > > > From: michel.martin@mrn.gouv.qc.ca [SMTP:michel.martin@mrn.gouv.qc.ca]
> > > > Sent: Tuesday, 12 October 1999 20:03
> > > > To: Hoffmann, Axel; msallen3@yahoo.com;
> > > > fw-1-mailinglist@lists.us.checkpoint.com
> > > > Subject: RE: [FW1] ftp reject "reason: tried to open up other host port"
> > > >
> > > >  << File: ATT00023.txt; charset = windows-1252 >>  << File: FireWall-1
> > > > FAQ- High Port TCP Services and FTP.url >>



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================