Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FW1] Please Help on ftp problem through FW1

To: [email protected]
Subject: [FW1] Please Help on ftp problem through FW1
From: [email protected]
Date: Mon, 6 Aug 2001 09:05:35 -0400
Sender: [email protected]

I have a problem with ftp's the my fw.  The standard ftp doesn't work.  The
ftp control connection gets set up but the ftp data connection does not.  I
am at build 41814.  I have seen phoneboy's site about trouble ftping that
seems to relate to may problem.

The TIS FTP proxy (used by both Gauntlet and the TIS Toolkit) send a port command in one packet and the "newline" character in another. By default,
FireWall-1 assumes the PORT command and the newline will appear in the same packet. To enable checking for this, uncomment out the following #define
statement in $FWDIR/lib/base.def on the management console:
//    Use this if you do not want the FW-1 module to insist on a newline at the
// end of the PORT command:
//#define FTPPORT(match)        (call KFUNC_FTPPORT <(match), [110, b]>)

A few lines above it should be another FTPPORT(match) definition that you comment out.  Re-install the rulebase.
If this trick does not work, it is likely because the FTP Data connection is not originating from port 20. FireWall-1 does not, by default, accept FTP
 Data connections that come from ports other than 20 unless it is a PASV connection. If you use the TIS Toolkit, check the Patches page on
www.fwtk.org. Alternatively, you can modify FireWall-1 to accept FTP on Different Ports.

Some other sites fail as well. This is because they do not send out a proper newline in their header and some versions of FireWall-1 check for this.
FireWall-1 4.0 SP7, 4.0 SP5 build 13 on Nokia, and 4.1 SP2 all have this behaviour. To resolve this comment out the following line in
$FWDIR/lib/base.def and reinstall the policy:

#define FTP_ENFORCE_NL


I have made the above changes but it didn't fix my problem.  I have a couple of questions about the above that I am hoping someone can answer.

1.  The changes to base.def  -- should they be made to the management station, fw module or both??
2.  Do these changes require a fwstop of either the management station, fw module or both??

Also, does anyone have any other ideas?

Thanks,
Donna



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Prev by Date: RE: [FW1] esafe gateway cvp
Next by Date: RE: [FW1] Code Red: What security specialist don't mention in war nings
Previous by thread: RE: [FW1] Installation Plan for Check Point Firewall-1 v4.1
Next by thread: RE: [fw1-wizards] RE: [FW1] OWA 2000 behind https security server
Index(es):
- Date
- Thread