
RE: [FW1] FTP problems




I had two problems with passive FTP on FireWall-1 ver 4.0 SP5.

(1). If the data port (which is greater than 1024) happens to be a defined port in your firewall's objects.C table, then the firewall would drop this.
(2). If the FTP client using passive FTP was transferring a large number of small files, the client would for some reason try to connect to a different data port after some time and the firewall would drop this connection; the client still tries to use the same port.

My guess is that the PORT command that the server sends to the client for the data connection from the client is recognized by the firewall the first time, and the initial data connection goes fine. The second PORT command from the server to the client is being missed by the firewall, and when the client tries to connect to the port specified by the server, it is being dropped by the firewall.

For problem (1) I made the following changes in the base.def file
---------------------------------------------------------------------------------------
// ports which are dangerous to connect to
define NOTSERVER_TCP_PORT(p) {
        (not
              (
                      ( p in tcp_services, set sr10 RCODE_TCP_SERV, set sr11 0,
                        set sr12 p, set sr1 0, log bad_conn)
              or
                      ( p < 1024, set sr10 RCODE_SMALL_PORT, set sr11 0, set sr12 p,
                        set sr1 0, log bad_conn)
              )
        )
};
---------------------------------------------------------------------------------------
WAS CHANGED TO
---------------------------------------------------------------------------------------

// ports which are dangerous to connect to
define NOTSERVER_TCP_PORT(p) {
        (not
//              (
//                      ( p in tcp_services, set sr10 RCODE_TCP_SERV, set sr11 0,
//                        set sr12 p, set sr1 0, log bad_conn)
//              or
                        ( p < 1024, set sr10 RCODE_SMALL_PORT, set sr11 0, set sr12 p,
                          set sr1 0, log bad_conn)
//              )
        )
};

---------------------------------------------------------------------------------------
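As an added illustration (not part of the original post or of Check Point's code), here is a small Python model of the two tests in NOTSERVER_TCP_PORT, applied to the data port a server announces in its passive-mode reply. TCP_SERVICES is a constructed stand-in for the ports defined in objects.C, and check_services=False corresponds to the edited macro above, with the tcp_services test commented out.

```python
import re
from typing import Optional, Tuple

# Constructed stand-in for the service ports defined in objects.C
# (what the stock macro tests with "p in tcp_services"). Hypothetical values.
TCP_SERVICES = {21, 22, 25, 80, 443, 1433, 1521, 3306, 5432, 8080}

# Server passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return (host, data_port) from a 227 passive-mode reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("byte value out of range in passive reply")
    # The port is sent as two bytes, high byte first.
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def bad_port_reason(port: int, check_services: bool = True) -> Optional[str]:
    """Mirror the two predicates of NOTSERVER_TCP_PORT.

    Returns the reason code the macro would log when it refuses the port,
    or None when the data connection would be allowed.
    check_services=True  -> stock macro (both tests)
    check_services=False -> the post's edited macro (only the p < 1024 test)
    """
    if check_services and port in TCP_SERVICES:
        return "RCODE_TCP_SERV"
    if port < 1024:
        return "RCODE_SMALL_PORT"
    return None


def verdict(reply: str, check_services: bool = True) -> str:
    """Firewall decision for the data connection announced in a 227 reply."""
    _, port = parse_pasv(reply)
    reason = bad_port_reason(port, check_services)
    return "drop (%s)" % reason if reason else "accept"


if __name__ == "__main__":
    # Constructed sample: server offers data port 31*256+144 = 8080,
    # which collides with a defined service in TCP_SERVICES.
    sample = "227 Entering Passive Mode (10,0,0,5,31,144)"
    print(verdict(sample), "/", verdict(sample, check_services=False))
```

Removing the tcp_services test, as the post does, means a data port that collides with a defined service is no longer refused; keeping the test and excluding only the specific ports that collide would be the narrower change.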
