
RE: [FW1] Reverse socket proxying... (wait for it) FTP thru FW1



You might be having problems that would be solved by PASV ftp.
Problem is, according to a lot of people you run into, MSProxy
does not do PASV mode ftp. WRONG!

You have to do it through a registry setting. There are no
options under any of the gui config panels...but you can get
PASV ftp to work. Unless you have made this registry change,
then MSProxy was not running PASV.

-----Original Message-----
From: [email protected]
[mailto:[email protected]]On Behalf Of
FirewallyGuy
Sent: Wednesday, January 10, 2001 7:37 AM
To: [email protected]
Subject: [FW1] Reverse socket proxying... (wait for it) FTP thru FW1



Greetings,

I'm sure someone out there in list-land is doing this,
so here goes.

I'm stuck with the problem of how to securely allow
ftp transfers from the internet to an NT ftp server on
the internal network. Putting the ftp server in a DMZ
isn't really an option since due to other
requirements, full NetBIOS functionality also needs to
be used to the ftp server (yes that old chestnut
again).

The suggested solution was to use Microsoft Proxy v2
to reverse proxy the ftp connections to the internal
ftp server via a DMZ located proxy server. The problem
is that while CMD connections from the proxy to the
internal ftp server work fine (the ftp server sees the
IP of the proxy as you'd expect), the DATA connections
appear to still have the external IP of the client in
them, and so the firewall is rejecting the connections
on rule 0 (Tried to open other host) - this is normal
functionality to prevent ftp port bouncing.

Of course, the reason for this is that the proxy
software isn't replacing the client's IP address in the
normal PORT command with the proxy's IP. Interestingly,
the firewall appears not only to recognise the "port
bounce", but it reacts by killing the already allowed
CMD connection as a result.

Surely someone out there must have some method of
reverse proxying FTP connections - or is there another
way of doing this?

To reiterate:

1) The ftp server cannot sit on a DMZ because I
*REFUSE* to allow NetBIOS through my firewalls in any
way, shape or form, for well-known and lamented
reasons.

2) FTP has to be used (as opposed to nice clean
transfer utils like Connect Direct et al) because the
requirement is that the customer cannot use any
third-party or non-standard software.

3) We've tried active ftp and passive ftp, but neither
appears to work for some reason. I had hedged my bets
on passive, since the data connection is initiated by
the client so there's no reverse connection from the
ftp server, however the proxy software doesn't appear
to make any attempt to change the internet address in
the PORT command to that of the proxy, so the firewall
burps loudly and rejects the connection.

Any experiences or solutions to this particular
problem would be greatly appreciated.

Cheers,

FirewallyGuy.

____________________________________________________________
Do You Yahoo!?
Get your free @yahoo.co.uk address at http://mail.yahoo.co.uk
or your free @yahoo.ie address at http://mail.yahoo.ie


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
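The thread turns on one detail: in active FTP the client announces its own address and port in the PORT command, and FireWall-1's "Tried to open other host" check rejects a PORT line whose address differs from the peer of the control connection (the anti-bounce rule). A reverse proxy that relays the control channel but leaves the PORT line untouched therefore trips that rule. The following is an added example, not code from the thread or from Microsoft Proxy or Check Point: it parses RFC 959 host-port strings from PORT commands and 227 PASV replies, applies the same address-consistency check a firewall applies, and shows the substitution a proxy has to make (address and a port the proxy itself listens on). The addresses, ports and the captured control-channel lines are constructed sample data.

```python
"""Added example: audit FTP control-channel lines for PORT commands that
announce an address other than the control-connection peer (the "port
bounce" condition), and show the PORT rewrite a reverse proxy must perform."""
import re
from typing import List, Optional, Tuple

# RFC 959 host-port syntax: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + HOSTPORT + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\s.*\(" + HOSTPORT + r"\)")


def _decode(fields) -> Tuple[str, int]:
    """Turn the six numeric fields into (dotted-quad, port), rejecting >255."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in host-port string")
    host = ".".join(str(n) for n in nums[:4])
    return host, nums[4] * 256 + nums[5]


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from a client PORT command, or None if not a PORT line."""
    m = PORT_RE.match(line.strip())
    return _decode(m.groups()) if m else None


def parse_pasv_reply(line: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from a server 227 reply, or None if it is not one."""
    m = PASV_RE.match(line.strip())
    return _decode(m.groups()) if m else None


def is_port_bounce(control_peer_ip: str, data_ip: str) -> bool:
    """The anti-bounce check: the data address announced in PORT must equal
    the address the control connection came from."""
    return control_peer_ip != data_ip


def rewrite_port_command(line: str, proxy_ip: str, proxy_port: int) -> str:
    """What a reverse proxy has to do for active FTP: replace the client's
    address AND port with a socket the proxy itself listens on, then relay
    the data connection. Substituting only the IP would leave the server
    connecting to a port nobody on the proxy is listening on."""
    if parse_port_command(line) is None:
        raise ValueError("not a PORT command")
    if not 1 <= proxy_port <= 65535:
        raise ValueError("port out of range")
    octets = proxy_ip.split(".")
    return "PORT " + ",".join(octets + [str(proxy_port // 256), str(proxy_port % 256)])


def audit_control_channel(control_peer_ip: str, lines: List[str]) -> List[str]:
    """Walk a captured control channel and report each PORT line that a
    bounce-aware firewall would reject."""
    findings = []
    for line in lines:
        parsed = parse_port_command(line)
        if parsed and is_port_bounce(control_peer_ip, parsed[0]):
            findings.append(f"bounce: PORT announces {parsed[0]}:{parsed[1]} "
                            f"but control peer is {control_peer_ip}")
    return findings


# Constructed sample: the firewall sees the control connection arrive from the
# DMZ proxy (198.51.100.7) while the PORT line still carries the internet
# client's address (203.0.113.5), the symptom described in the thread.
PROXY_IP = "198.51.100.7"
CLIENT_IP = "203.0.113.5"
SAMPLE_CONTROL_CHANNEL = [
    "USER anonymous",
    "PASS guest@",
    f"PORT {CLIENT_IP.replace('.', ',')},4,1",   # client announces 203.0.113.5:1025
    "LIST",
]

if __name__ == "__main__":
    for finding in audit_control_channel(PROXY_IP, SAMPLE_CONTROL_CHANNEL):
        print(finding)
    # The line the proxy should have sent instead (port 40000 chosen for the demo):
    print(rewrite_port_command(SAMPLE_CONTROL_CHANNEL[2], PROXY_IP, 40000))
```

Run against the constructed capture with the proxy as the control peer, the audit flags the PORT line; run with the client as the control peer (the direct, un-proxied case) it flags nothing, which is why the same firewall rule passes direct FTP and rejects the proxied session. The PASV parser is included because the same address check applies in reverse to the server's 227 reply when the proxy sits in front of the server.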


