Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [FW1] High Port FTP

To: "Robert MacDonald" <[email protected]>
Subject: RE: [FW1] High Port FTP
From: "Iztok Umek" <[email protected]>
Date: Fri, 23 Feb 2001 14:29:57 -0500
Cc: <[email protected]>
Sender: [email protected]
Thread-index: AcCdsS+aoDFxFqpuTPOvZr67DsjGLwAHUKGQ
Thread-topic: [FW1] High Port FTP

> Did you check the box in Policy->Properties->
> Services->Enable FTP PORT Data Connections
> or add a rule to allow the data back connection.

Yes that is checked.

> Explain how you changed the FTP to the high
> port that your using. I'll assume(ack) that you
> changed the services file and restarted the FTP
> service via an 'init q'. Did you change the
> 'ftp-data 20/tcp' reference as well?

I did change /etc/services so both ftp is on higher port and ftp_data is
on higher port - 1

> Oh, and change the service type of your NEW
> service from 'FTP' to 'other'.

Done that too. Still no go.

 
> Checkpoint will try and keep track of this, but in v3.x and
> v4.0, you need to convince the software(via INSPEC) to
> track the new control and data ports. This is in addition to
> creating the new FTP service on the higher ports, which
> you should have done already.

I have CP 4.1 SP3

> 
> Phoneboy has a writeup, but I found it hard to read the
> first time through(many moons ago). Take a peek at his FAQ at
> http://www.phoneboy.com/fw1/faq/0158.html. 


They don't have thing for 4.1. Tried fpr 4.0 solution with 4.1 but
didn't work.


> If your still having troubles, send along the lines in your
> rulebase about FTP, what the new service is defined as,
> what policy properties are selected, and the log references
> showing any FTP drops/rejects.

I tried as TCP/FTP service with high port, didn't work. I did set up as
"Other" set up tcp, dport=high_port

The drop is when server sends on high_port-1 to the client.

Clearly FW doesn't know it is FTP connection trying to work here.

I did escalate this with CheckPoint already and waiting for them to see
where the problem is.

Thanks for help.

Regards,
	Iztok 


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Prev by Date: Re: [FW1] Installing license on Firewall Manager
Next by Date: [FW1] Service numbers on the firewall log
Previous by thread: RE: [FW1] High Port FTP
Next by thread: RE: [FW1] High Port FTP
Index(es):
- Date
- Thread