Re: [FW-1] FTP-problems
We were having the same problem with FTP between a Mainframe and a bunch of Microsoft FTP servers. It appears to be corrected now. There were three Nokia Resolutions that we applied in a "shotgun" approach to fix a Production problem (the Mainframe is owned by another company and they are not super cooperative). I'm sorry that I don't have the specific answer to which one fixed our problem, but this is what we did:

1. Modified the base.def file to comment out "#define FTP_ENFORCE_NL" (Nokia Resolution 3306)

2. Modified the base.def file to un-comment out "//#define FTP_NON_STANDARD" and created a new service (Nokia Resolution 3414):

    Name: FTP_Control_21
    Match field: tcp,dport=21
    Prologue field: ftp_accept_serv

3. Modified the base.def file from (Nokia Resolution 1624):

    // ports which are dangerous to connect to
    define NOTSERVER_TCP_PORT(p) {
        (not
            (
                ( p in tcp_services, set sr10 RCODE_TCP_SERV, set sr11 0,
                  set sr12 p, set sr1 0, log bad_conn)
                or
                ( p < 1024, set sr10 RCODE_SMALL_PORT, set sr11 0,
                  set sr12 p, set sr1 0, log bad_conn)
            )
        )
    };

to:

    // ports which are dangerous to connect to
    define NOTSERVER_TCP_PORT(p) {
        (not
            ( p < 1024, set sr10 RCODE_SMALL_PORT, set sr11 0,
              set sr12 p, set sr1 0, log bad_conn)
        )
    };

Finally, we create a rule that looks like:

    Source: Mainframe, Microsoft FTP servers
    Destination: Mainframe, Microsoft FTP servers
    Service: FTP_Control_21, FTP Used Ports (TCP 20 & 21, UDP 20 & 21), ftp-active (user defined service with the Match field containing: tcp,dport>=1024,dport<=65535)

Hope this helps...

-Ed

-----Original Message-----
From: Jason Maley [mailto:[email protected]]
Sent: Wednesday, May 08, 2002 4:52 AM
To: [email protected]
Subject: Re: [FW-1] FTP-problems

We're having the same problems and have had no luck yet either. We have tried the base.def mods as well. I'll keep looking on our side for an answer.
-Jason

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]]On Behalf Of Sadir Al-khafaji
Sent: Wednesday, May 08, 2002 6:03 AM
To: [email protected]
Subject: Re: [FW-1] FTP-problems

I have done something similar really; I have defined a wizard object.

other TCP main tcp, dport >= 1024, dport <= 65535

didn't help

//Sadir

Mustetab Ali Khan wrote:

> hi,
>
> try by giving ftp with resource .. i.e. create an ftp resource and in the
> service column select add with resource ...
>
> Rgds
>
> -----Original Message-----
> From: Sadir Al-khafaji [mailto:[email protected]]
> Sent: Wednesday, May 08, 2002 2:56 PM
> To: [email protected]
> Subject: Re: [FW-1] FTP-problems
>
> Hmmm but that is for the port-command and not for passive FTP.
>
> Thanks
> Sadir
>
> Torkel Mathisen wrote:
>
>>Ok. Have you also tried:
>>
>>Disable the line:
>>#define FTPPORT(match) (call KFUNC_FTPPORT <0x1|(match)>)
>>
>>Enable the line:
>>#define FTPPORT(match) (call KFUNC_FTPPORT <(match)>)
>>
>>Regards,
>>Torkel
>>
>>>-----Original Message-----
>>>From: Sadir Al-khafaji [mailto:[email protected]]
>>>Sent: 7. mai 2002 16:02
>>>To: [email protected]
>>>Subject: Re: [FW-1] FTP-problems
>>>
>>>already done that. Thanx
>>>
>>>Torkel Mathisen wrote:
>>>
>>>>In base.conf try and disable: #define FTP_ENFORCE_NL
>>>>
>>>>It should now read // #define FTP_ENFORCE_NL
>>>>
>>>>Regards,
>>>>Torkel
>>>>
>>>>>-----Original Message-----
>>>>>From: Sadir Al-khafaji [mailto:[email protected]]
>>>>>Sent: 7. mai 2002 10:00
>>>>>To: [email protected]
>>>>>Subject: [FW-1] FTP-problems
>>>>>
>>>>>I have a problem with ftp at certain times. It's a Mainframe to
>>>>>Mainframe ftp session and sometimes the ftp-data connection cannot be
>>>>>opened. I allowed port 20, 21, FTP-PASV, FTP-PORT, HIGH-PORTS, and I
>>>>>still have the same problem. It is the first rule in the rule-base.
>>>>>Any ideas.
>>>>>
>>>>>Cheers
>>>>>//Sadir
>>>>>
>>>>>=================================================
>>>>>To set vacation, Out Of Office, or away messages,
>>>>>send an email to [email protected]
>>>>>in the BODY of the email add:
>>>>>set fw-1-mailinglist nomail
>>>>>=================================================
>>>>>To unsubscribe from this mailing list,
>>>>>please see the instructions at
>>>>>http://www.checkpoint.com/services/mailing.html
>>>>>=================================================
>>>>>If you have any questions on how to change your
>>>>>subscription options, email
>>>>>[email protected]
>>>>>=================================================
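
What the step 3 base.def change in Ed's message alters, as an added example that is not part of the original thread and not Check Point or Nokia code: a Python model of the two NOTSERVER_TCP_PORT definitions quoted there, applied to the data port announced in an FTP PORT command. The contents of SAMPLE_TCP_SERVICES, the sample commands and all function names are constructed for illustration.

```python
import re

# Constructed stand-in for the firewall's tcp_services table (ports of the
# TCP services defined in the policy); the real contents depend on the policy.
SAMPLE_TCP_SERVICES = frozenset({21, 23, 25, 80, 1433, 1521, 3389})

PORT_CMD = re.compile(r"PORT " + ",".join([r"(\d{1,3})"] * 6), re.IGNORECASE)


def parse_port_command(line):
    """Return (ip, port) announced by an FTP PORT command (h1,h2,h3,h4,p1,p2)."""
    m = PORT_CMD.fullmatch(line.strip())
    if m is None:
        raise ValueError("not a PORT command: %r" % line)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("field out of range in %r" % line)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def notserver_original(p, tcp_services=SAMPLE_TCP_SERVICES):
    """Original macro: refuse ports of defined services, then ports below 1024."""
    if p in tcp_services:
        return (False, "RCODE_TCP_SERV")
    if p < 1024:
        return (False, "RCODE_SMALL_PORT")
    return (True, None)


def notserver_modified(p):
    """Macro after the step 3 edit: only ports below 1024 are refused."""
    if p < 1024:
        return (False, "RCODE_SMALL_PORT")
    return (True, None)


def coverage_lost(tcp_services=SAMPLE_TCP_SERVICES):
    """Defined service ports that only the original macro refused."""
    return sorted(p for p in tcp_services if notserver_modified(p)[0])


if __name__ == "__main__":
    for cmd in ("PORT 10,0,0,5,195,80\r\n",   # constructed: port 50000
                "PORT 10,0,0,5,5,241\r\n",    # constructed: port 1521
                "PORT 10,0,0,5,0,21\r\n"):    # constructed: port 21
        ip, port = parse_port_command(cmd)
        print(ip, port, notserver_original(port), notserver_modified(port))
    print("no longer refused:", coverage_lost())
```

Fed the ports of the services actually defined in a policy, coverage_lost() lists the data-connection targets the relaxed macro stops logging as bad_conn, which is the trade-off to weigh against how narrowly the accompanying rule's source and destination are scoped.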