Re: [FW1] Help!! Simple FTP Problem
Thanks a lot for the suggestions about my ftp problem.
i really appreciate you, ladies and gentlemen.

now, it works great.
here is what i've got:

first, the problem was fixed by editing /$FWDIR/lib/base.def
as suggested.

second, as [email protected] wrote, my ftp server was not appropriate, too.
when i tried to integrate another firewall environment with another
ftp server as a test, that did work well.
then, i got original /$FWDIR/lib/base.def back in original place
with another ftp server. it did work.

anyways, thanks a lot and i appreciate with regards.
and sorry about taking your time.

if i could, i would like to know what number of RFC i did not follow,
that is what i should check by myself, though.

thanks!!

On Mon, 26 Feb 2001 12:36:40 -0600
[email protected] wrote:

> Keigo, I had to make the following changes (unfortunately, one at a time),
> in order to get FTP to work for all of the situations that it didn't work
> out of the box. As I understand it, these fixes are necessary because the
> FTP server that you are trying to get to does not strictly follow RFC
> standards.
>
> ---------------------------------------------------------------------
> To not force the newline of FTP modify /$FWDIR/lib/base.def as follows:
> - comment out the following line by adding 2 slashes to the beginning:
>     #define FTPPORT(match) (call KFUNC_FTPPORT <0x1|(match)>)
> - uncomment the following line by removing the slashes at the beginning
>     // #define FTPPORT(match) (call KFUNC_FTPPORT <(match)>)
> ---------------------------------------------------------------------
> To allow High ports with FTP modify /$FWDIR/lib/base.def as follows:
> Replace the following:
> // ports which are dangerous to connect to
> define NOTSERVER_TCP_PORT(p) {
>     (not
>         (
>             ( p in tcp_services, set sr10 RCODE_TCP_SERV, set sr11 0,
>               set sr12 p, set sr1 0, log bad_conn)
>             or
>             ( p < 1024, set sr10 RCODE_SMALL_PORT, set sr11 0, set sr12 p,
>               set sr1 0, log bad_conn)
>         )
>     )
> };
>
> with:
> // ports which are dangerous to connect to
> define NOTSERVER_TCP_PORT(p) {
>     (not
>         ( p < 1024, set sr10 RCODE_SMALL_PORT, set sr11 0, set sr
>           set sr1 0, log bad_conn)
>     )
> };
> ---------------------------------------------------------------------
> Problem: FTP gets Network Error: Connection reset by peer
>
> See http://www.checkpoint.com/techsupport/alerts/pasvftp.html
>
> comment out the line: #define FTP_ENFORCE_NL in $FWDIR/lib/base.def
> ---------------------------------------------------------------------
>
> -----Original Message-----
> From: Keigo Hanaoka [mailto:[email protected]]
> Sent: Monday, February 26, 2001 2:28 AM
> To: [email protected]
> Subject: [FW1] Help!! Simple FTP Problem
>
>
> Does anyone tell me how i can deal with
> simple FTP connection via FW1-v4.1 SP 3 (on AIX) ??
>
> This was like a duplicated question, but probably
> my case would be simpler.
>
> FTP server is on DMZ, FTP clients are in both
> internal network and Internet.
> FTP server itself should be no problem because
> another machine on DMZ is able to connect with ftp.
>
> it would be a problem when ftp was going through the FW1.
>
> i am trying FTP connection from Internet (or internal) side
> towards DMZ, and the first connection
> (which means just connect to the server,)
> is no problem.
> when the server is trying to reply to the client, the Firewall
> drops the connection based on rule zero!!
> the client cannot log in, that is..,
> it dropped before the ftp control would be established.
>
> i checked that both "Enable FTP Port" and "Enable
> FTP PASV" are checked, on the "service" of "Properties Setup."
>
> Address translation would be quite simply set.
>
>   ANY FTP(Global)------>ANY FTP(Private)
>   ANY FTP(Private)----->ANY FTP(Global)
>
> Also, the current policy is just:
>
>   Source   Destination             Service
>
>   ANY      FTP_server(Global IP)   ftp       accept
>   ANY      ANY                     ANY       Drop
>
> Please help me!!
> appreciate with regards

*********************************************
Keigo Hanaoka <[email protected]>
e-business Infrastructure Integration Div.
Unauthorized Access Countermeasures Dept.
LAC Co.,Ltd.
http://www.lac.co.jp/security/
Phone +81-3-5531-0332
FAX   +81-3-5531-0142
*********************************************
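
The "allow High ports" edit quoted above removes the `p in tcp_services` branch from NOTSERVER_TCP_PORT, so only ports below 1024 are still refused. As an added example (not from the thread and not Check Point's code), the Python below parses FTP PORT commands and lists the data-connection targets that only the edited define would let through; TCP_SERVICES, the function names, the sample lines, and the assumption that the define is applied to the announced data port are constructed for illustration.

```python
import re

# Constructed stand-in for the firewall's tcp_services table (assumption:
# the real table is built from the TCP services defined in the policy).
TCP_SERVICES = {1521, 2049, 3306, 6000, 8080}

PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")

def parse_port(line):
    """Return (ip, port) from an FTP PORT command line, or None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    # The last two fields are the high and low bytes of the TCP port.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def notserver_original(p):
    """Shipped define: refuse known service ports and ports below 1024."""
    return not (p in TCP_SERVICES or p < 1024)

def notserver_relaxed(p):
    """Edited define from the post: only ports below 1024 are refused."""
    return not (p < 1024)

def newly_allowed(lines):
    """PORT targets the edited define accepts but the shipped one refuses."""
    out = []
    for line in lines:
        parsed = parse_port(line)
        if parsed is None:
            continue
        if notserver_relaxed(parsed[1]) and not notserver_original(parsed[1]):
            out.append(parsed)
    return out

# Constructed sample control-channel lines (documentation address range).
SAMPLE = [
    "PORT 192,0,2,10,195,80\r\n",  # port 50000: accepted by both defines
    "PORT 192,0,2,10,23,112\r\n",  # port 6000: listed in TCP_SERVICES
    "PORT 192,0,2,10,0,25\r\n",    # port 25: below 1024, refused by both
    "PORT 192,0,2,10,8,1\r\n",     # port 2049: listed in TCP_SERVICES
]

if __name__ == "__main__":
    for ip, port in newly_allowed(SAMPLE):
        print(f"edited define would permit a data connection to {ip}:{port}")
```

Running the same comparison against the services actually defined in a policy shows which listening ports lose the firewall's protection once the edit is installed.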