Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW1] Help!! Simple FTP Problem

To: [email protected]
Subject: Re: [FW1] Help!! Simple FTP Problem
From: Keigo Hanaoka <[email protected]>
Date: Tue, 27 Feb 2001 10:18:50 +0900
In-reply-to: <B7B17CEE6B6AD411A75A0001FAD4F98E6671EB@kssg_exchange.sedgwick.gov>
References: <B7B17CEE6B6AD411A75A0001FAD4F98E6671EB@kssg_exchange.sedgwick.gov>
Sender: [email protected]


Thanks a lot of sugestions about my ftp problem.
i really appriciate you, ladies and gentlemen.

now, it works great.

here is what i've got:

first, the problem was fixwed by editing /$FWDIR/lib/base.def
as sugested.

second, as [email protected] wrote, my ftp server was 
not appropriate, too.

when i tried to integrate another firewall environment with another
ftp server as a test, that did work, well.
then, i got original /$FWDIR/lib/base.def back in original place with 
another ftp server. it did work.

anyways, thanks a lot and i appriciate with regards.
and sorry about taking your time.

if i could, i would like to know what number of RFC i did not follow,
that is what i should check by myself, though.

thanks!!

On Mon, 26 Feb 2001 12:36:40 -0600
[email protected] wrote:

> Keigo,  I had to make the following changes (unfortunately, one at a time),
> in order to get FTP to work for all of the situations that it didn't work
> out of the box.  As I understand it, these fixes are necessary because the
> FTP server that you are trying to get to does not strictly follow RFC
> standards.
> 
> ----------------------------------------------------------------------------
> --
> To not force the newline of FTP modify /$FWDIR/lib/base.def as follows:
> - comment out the following line by adding 2 slashes to the begining:
>   #define FTPPORT(match) (call KFUNC_FTPPORT <0x1|(match)>)
> - uncomment the following line by removing the slashes at the beginning
>   // #define FTPPORT(match) (call KFUNC_FTPPORT <(match)>)
> ---------------------------------------------------------------------
> To allow High ports with FTP modify /$FWDIR/lib/base.def as follows:
> Replace the following:
> // ports which are dangerous to connect to
> define NOTSERVER_TCP_PORT(p) {
>                (not
>                        (
>                                 ( p in tcp_services, set sr10
> RCODE_TCP_SERV,set sr11 0,
>                                  set sr12 p, set sr1 0, log bad_conn)
>                         or
>                                 ( p < 1024, set sr10 RCODE_SMALL_PORT, set
> sr11 0, set sr12 p,
>                                  set sr1 0, log bad_conn)
>                         )
>                )
> };
> 
> with:
> // ports which are dangerous to connect to
> define NOTSERVER_TCP_PORT(p) {
>        (not
>                 ( p < 1024, set sr10 RCODE_SMALL_PORT, set sr11 0, set sr
>                  set sr1 0, log bad_conn)
>                )
> };
> ---------------------------------------------------------------------
> Problem:  FTP gets Network Error: Connection reset by peer
> 
> See http://www.checkpoint.com/techsupport/alerts/pasvftp.html
> 
> comment out the line: #define FTP_ENFORCE_NL in $FWDIR/lib/base.def
> ----------------------------------------------------------------------------
> ------------
> 
> -----Original Message-----
> From: Keigo Hanaoka [mailto:[email protected]]
> Sent: Monday, February 26, 2001 2:28 AM
> To: [email protected]
> Subject: [FW1] Help!! Simple FTP Problem
> 
> 
> 
> 
> Does anyone tell me how i can deal with 
> simple FTP connection via FW1-v4.1 SP 3 (on AIX) ??
> 
> This was like a duplicated question, but probably
> my case would be simpler.
> 
> FTP server is on DMZ, FTP clients are in both 
> internal network and Internet.
> FTP server itself should be no problem because
> another machine on DMZ is able to connect with ftp.
> 
> it would be a problem when ftp was going through the FW1.
> 
> i am trying FTP connection from Internet (or internal) side
> towards DMZ, and the first connection 
> (which means just connect to the server,)
> is no problem.
> when the server is trying to reply to the client, the Firewall
> drop the connection based on rule zero!!
> the client cannot log in, that is.., 
> it droped before the ftp control would be established.
> 
> i checked that both "Enable FTP Port" and "Enable
> FTP PASV" are checked, on the "service" of "Properties Setup."
> 
> Address translation would be quite simplly set.
> 
> ANY	FTP(Global)------>ANY	FTP(Private)
> ANY	FTP(Private)----->ANY	FTP(Global)
> 
> Also, the current policy is just:
> 
> Source		Destination		Service		
> 
> ANY		FTP_server(Global IP)	ftp	accept
> ANY		ANY			ANY	Drop
> 
> Please help me!!
> appriciate with regards


*********************************************
Keigo Hanaoka <[email protected]>
e-business Infrastructure Integration Div.
Unauthorized Access Countermeasures Dept.
LAC Co.,Ltd. http://www.lac.co.jp/security/
Phone +81-3-5531-0332 FAX +81-3-5531-0142
*********************************************



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Prev by Date: RE: [FW1] Issuing putlic
Next by Date: [FW1] Why new version of firewall1 increase our internet speed??
Previous by thread: RE: [FW1] Help!! Simple FTP Problem
Next by thread: [FW1] Client auth cut problems
Index(es):
- Date
- Thread