RE: [FW1] FTP problems
I had two problems with passive FTP on FireWall-1 ver 4.0 SP5.

(1) If the data port (which is greater than 1024) happens to be a defined port in your firewall's objects.C table, then the firewall would drop this.

(2) If the FTP client using passive FTP was transferring a large number of small files, the client would for some reason try to connect to a different data port after some time and the firewall would drop this connection; the client still tries to use the same port. My guess is that the PORT command that the server sends to the client for the data connection from the client is recognized by the firewall the first time and the initial data connection goes fine. The second PORT command from the server to the client is being missed by the firewall, and when the client tries to connect to the port specified by the server, it is being dropped by the firewall.

For problem (1) I made the following changes in the base.def file:

---------------------------------------------------------------------------------------
// ports which are dangerous to connect to
define NOTSERVER_TCP_PORT(p) { (not
        (
        ( p in tcp_services, set sr10 RCODE_TCP_SERV, set sr11 0,
          set sr12 p, set sr1 0, log bad_conn)
        or ( p < 1024, set sr10 RCODE_SMALL_PORT, set sr11 0, set sr12 p, set sr1 0, log bad_conn)
        )
) };
---------------------------------------------------------------------------------------

WAS CHANGED TO

---------------------------------------------------------------------------------------
// ports which are dangerous to connect to
define NOTSERVER_TCP_PORT(p) { (not
//      (
//      ( p in tcp_services, set sr10 RCODE_TCP_SERV, set sr11 0,
//        set sr12 p, set sr1 0, log bad_conn)
//      or ( p < 1024, set sr10 RCODE_SMALL_PORT, set sr11 0, set sr12 p, set sr1 0, log bad_conn)
//      )
) };
---------------------------------------------------------------------------------------

***********************************************************************
Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication.
***********************************************************************
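The two failure modes described in the post above, modelled as an added example. This is not code from the original post and not Check Point's own FTP inspection code; it only reproduces the logic visible in the NOTSERVER_TCP_PORT macro. The service table TCP_SERVICES, the server address 192.0.2.10, the 227 replies and all function and class names are constructed for the example. The original macro rejects a data port that is either a defined TCP service or below 1024 and logs it as bad_conn; the posted change comments out both tests, so the model is run once with them enabled and once with them disabled, and a third run shows what happens when the firewall never sees the second passive reply.

```python
"""Model of FireWall-1 style passive-FTP data-port checking (added example)."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for the firewall's tcp_services table: the TCP ports
# that happen to be defined as service objects in objects.C.
TCP_SERVICES: Set[int] = {21, 22, 25, 80, 443, 1080, 1433, 3389, 8080}

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(
    r"^227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(line: str) -> Optional[Tuple[str, int]]:
    """Extract (host, port) from a 227 reply; None for anything else."""
    m = PASV_RE.match(line.strip())
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


def not_server_tcp_port(port: int, check_services: bool = True,
                        check_small: bool = True) -> bool:
    """Model of NOTSERVER_TCP_PORT(p): True when the data port is acceptable.

    check_services / check_small correspond to the two tests the post's
    change commented out (p in tcp_services, p < 1024).
    """
    dangerous = (check_services and port in TCP_SERVICES) or \
                (check_small and port < 1024)
    return not dangerous


class PassiveFtpInspector:
    """Opens a data-channel pinhole only for ports learned from a 227 reply."""

    def __init__(self, check_services: bool = True, check_small: bool = True):
        self.check_services = check_services
        self.check_small = check_small
        self.pinholes: Set[Tuple[str, int]] = set()
        self.bad_conn_log: List[str] = []   # what "log bad_conn" would record

    def see_control_reply(self, line: str) -> Optional[bool]:
        parsed = parse_pasv_reply(line)
        if parsed is None:
            return None                       # not a passive reply, ignore
        host, port = parsed
        if not not_server_tcp_port(port, self.check_services, self.check_small):
            self.bad_conn_log.append(f"bad_conn {host}:{port}")
            return False
        self.pinholes.add((host, port))
        return True

    def data_syn(self, host: str, port: int) -> str:
        """Verdict for a client SYN to the server's data port."""
        return "accept" if (host, port) in self.pinholes else "drop"


def run_scenarios() -> Dict[str, str]:
    """Replay the two problems from the post against the model."""
    server = "192.0.2.10"
    verdicts: Dict[str, str] = {}

    # Problem (1): the server picks port 1080, which is a defined service.
    pasv_1080 = "227 Entering Passive Mode (192,0,2,10,4,56)"
    original = PassiveFtpInspector()
    original.see_control_reply(pasv_1080)
    verdicts["original_defined_port"] = original.data_syn(server, 1080)
    modified = PassiveFtpInspector(check_services=False, check_small=False)
    modified.see_control_reply(pasv_1080)
    verdicts["modified_defined_port"] = modified.data_syn(server, 1080)

    # Problem (2): the inspector sees the first 227 reply (port 5000) but
    # the second one (port 5001) never reaches it, so the new SYN is dropped
    # even though 5001 would pass NOTSERVER_TCP_PORT.
    fw = PassiveFtpInspector()
    fw.see_control_reply("227 Entering Passive Mode (192,0,2,10,19,136)")
    verdicts["first_data_port"] = fw.data_syn(server, 5000)
    verdicts["missed_second_pasv"] = fw.data_syn(server, 5001)
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:>24}: {verdict}")
```

Running the model shows that the base.def change fixes problem (1) only by giving up both checks, so a passive data connection can now be opened to any port the server names, including defined services and ports below 1024; it does nothing for problem (2), which in this model is a missed control-channel reply rather than a port check.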