
Re: [FW-1] FTP-problems



I don't know whether this is the problem you are experiencing, but I have discovered a workaround for an FTP/NAT problem that we had here.  This problem occurs when an external client tries to access a NAT'ed internal FTP server using PASV mode when the internal IP address has one less digit than the external NAT address.  The PASV command causes the FTP server to reply with "227 Entering Passive Mode (11,222,3,222,14,49).." (fictitious internal IP address of 11.222.3.222).  The firewall has to perform NAT on this packet, so it has to go into the application data to update the PASV reply with the external address, "227 Entering Passive Mode (222,33,44,222,14,49).." (fictitious external IP address of 222.33.44.222).  Since this second address is one byte longer than the internal address, the firewall has to increase the size of the outbound packet by one and increase the packet sequence number by one.  The session then continues with the internal sequence number for each subsequent packet decremented by one from the value on the external packet, with the firewall keeping track of the change without apparent flaw, until a second PASV command is received.  When the second PASV reply is sent by the server, another byte has to be added to the external packet and the sequence number has to be incremented by an additional one.  The firewall then has to increment all external sequence numbers by two, which it does fine on the outbound packet.  However, when the reply from the client returns through the firewall, the firewall only decrements the sequence ack by one instead of two.  This causes a mismatch between what the server thinks its next sequence number is and the ack received from the client.  The mismatch is unresolvable, so the session times out.

A potential work-around for this problem is to change the address of the internal server to have the same number of bytes as the external address.  Then, the internal and external packets will always be the same length.
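As an added illustration (not part of the original post or any vendor code), here is a small Python model of the bookkeeping a NAT device has to do for the scenario above: rewrite the 227 reply, shift outbound sequence numbers by the running total of bytes added, and shift inbound ACKs back by that same cumulative total. The IP addresses are the fictitious ones from the post; the sequence number, ports and the `simulate` helper are constructed, and `bug=True` reproduces the fault the post describes (ACK shifted by only the latest change).

```python
import re

MASK = 0xFFFFFFFF
# Fictitious addresses from the post; sequence numbers and ports are constructed.
INTERNAL_IP = "11.222.3.222"
EXTERNAL_IP = "222.33.44.222"
PASV_RE = re.compile(r"227 Entering Passive Mode \((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def rewrite_pasv(reply: str, external_ip: str) -> tuple[str, int]:
    """Rewrite the host part of a 227 reply; return (new reply, payload length change)."""
    m = PASV_RE.search(reply)
    if not m:
        return reply, 0
    host = external_ip.replace(".", ",")
    fixed = f"227 Entering Passive Mode ({host},{m.group(5)},{m.group(6)})"
    new_reply = reply[:m.start()] + fixed + reply[m.end():]
    return new_reply, len(new_reply) - len(reply)


class SeqTracker:
    """Cumulative sequence delta for the server->client direction of one session."""

    def __init__(self) -> None:
        self.delta = 0  # total bytes added by every rewrite so far

    def outbound_seq(self, internal_seq: int, payload_change: int) -> int:
        """Translate the seq of the packet carrying a rewrite, then record its change."""
        external = (internal_seq + self.delta) & MASK
        self.delta += payload_change  # later packets (and this packet's end) shift by more
        return external

    def inbound_ack(self, external_ack: int) -> int:
        """Client ACKs count the added bytes, so remove the whole cumulative delta."""
        return (external_ack - self.delta) & MASK


def simulate(bug: bool = False) -> int:
    """Replay two PASV replies; return translated ack minus the server's expected ack.
    bug=True shifts the inbound ACK by only the latest change (1), not the total (2)."""
    tracker, seq, mismatch = SeqTracker(), 1000, 0
    for _ in range(2):
        reply = f"227 Entering Passive Mode ({INTERNAL_IP.replace('.', ',')},14,49)\r\n"
        ext_reply, change = rewrite_pasv(reply, EXTERNAL_IP)
        ext_seq = tracker.outbound_seq(seq, change)
        client_ack = (ext_seq + len(ext_reply)) & MASK  # client ACKs what it saw on the wire
        seq = (seq + len(reply)) & MASK                  # what the server expects to be ACKed
        translated = (client_ack - change) & MASK if bug else tracker.inbound_ack(client_ack)
        mismatch = translated - seq
    return mismatch
```

The first PASV exchange matches in both modes; only after the second rewrite does the faulty bookkeeping leave the translated ACK one byte ahead of what the server expects.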


-----Original Message-----
From: Sadir Al-khafaji [mailto:[email protected]]
Sent: Tuesday, May 14, 2002 3:03 AM
To: [email protected]
Subject: Re: [FW-1] FTP-problems


Thank you for the third resolution. I have contacted support@nokia and
asked for this. 3306 fixes most µ$ servers & proxies that can sit in
between; afaik that is so correct.
3414=1624
Although after testing 1624, which should be enough to resolve the
mainframe problem, the problem was still there. This means that it must be
1624. I was looking for this answer, but to be frank it won't work on FP2.
I wonder if anyone has tested how to implement it on FP2. Thanx in advance.


//Sadir

Croft, Ed wrote:

> We were having the same problem with FTP between a Mainframe and a bunch of
> Microsoft FTP servers.  It appears to be corrected now.  There were three
> Nokia Resolutions that we applied in a "shotgun" approach to fix a
> Production problem (the Mainframe is owned by another company and they are
> not super cooperative).  I'm sorry that I don't have the specific answer to
> which one fixed our problem, but this is what we did:
>
> 1.      Modified the base.def file to comment out "#define FTP_ENFORCE_NL"
> (Nokia Resolution 3306)
>
> 2.      Modified the base.def file to un-comment out "//#define
> FTP_NON_STANDARD" and created a new service (Nokia Resolution 3414):
>
> Name:           FTP_Control_21
> Match field:    tcp,dport=21
> Prologue field: ftp_accept_serv
>
> 3.      Modified the base.def file from (Nokia Resolution 1624):
>
> // ports which are dangerous to connect to
> define NOTSERVER_TCP_PORT(p) {
>     (not
>         (
>             ( p in tcp_services, set sr10 RCODE_TCP_SERV, set sr11 0,
>               set sr12 p, set sr1 0, log bad_conn)
>             or
>             ( p < 1024, set sr10 RCODE_SMALL_PORT, set sr11 0, set sr12 p,
>               set sr1 0, log bad_conn)
>         )
>     )
> };
>
> to:
>
> // ports which are dangerous to connect to
> define NOTSERVER_TCP_PORT(p) {
>     (not
>         ( p < 1024, set sr10 RCODE_SMALL_PORT, set sr11 0, set sr12 p,
>           set sr1 0, log bad_conn)
>     )
> };
>
>         Finally, we create a rule that looks like:
>
> Source:
>
> Mainframe, Microsoft FTP servers
>
> Destination:
>
> Mainframe, Microsoft FTP servers
>
> Service:
>
> FTP_Control_21, FTP Used Ports (TCP 20 & 21, UDP 20 & 21), ftp-active (user
> defined service with the Match field containing:
> tcp,dport>=1024,dport<=65535)
>
> Hope this helps...
>
> -Ed
>
> -----Original Message-----
> From: Jason Maley [mailto:[email protected]]
> Sent: Wednesday, May 08, 2002 4:52 AM
> To: [email protected]
> Subject: Re: [FW-1] FTP-problems
>
>
> We're having the same problems and have had no luck yet either.  We have
> tried the base.def mods as well.  I'll keep looking on our side for an
> answer.
>
> -Jason
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]]On Behalf Of Sadir
> Al-khafaji
> Sent: Wednesday, May 08, 2002 6:03 AM
> To: [email protected]
> Subject: Re: [FW-1] FTP-problems
>
>
> I have done something similar really i have defined a wizard object.
>
> other TCP
>
> main
> tcp, dport >= 1024, dport <= 65535
>
> didn't help
>
> //Sadir
> Mustetab Ali Khan wrote:
>
>
>>hi,
>>
>>try by giving ftp with resource .. i.e. create an ftp resource and in the
>>service column select add with resource ...
>>
>>Rgds
>>
>>-----Original Message-----
>>From: Sadir Al-khafaji [mailto:[email protected]]
>>Sent: Wednesday, May 08, 2002 2:56 PM
>>To: [email protected]
>>Subject: Re: [FW-1] FTP-problems
>>
>>
>>Hmmm but that is for the port-command and not for passive FTP.
>>
>>Thanks
>>Sadir
>>
>>Torkel Mathisen wrote:
>>
>>
>>
>>>Ok. Have you also tried:
>>>
>>>Disable the line:
>>>#define FTPPORT(match)       (call KFUNC_FTPPORT <0x1|(match)>)
>>>
>>>Enable the line:
>>>#define FTPPORT(match)  (call KFUNC_FTPPORT <(match)>)
>>>
>>>Regards,
>>>Torkel
>>>
>>>
>>>
>>>
>>>>-----Original Message-----
>>>>From: Sadir Al-khafaji [mailto:[email protected]]
>>>>Sent: 7. mai 2002 16:02
>>>>To: [email protected]
>>>>Subject: Re: [FW-1] FTP-problems
>>>>
>>>>
>>>>already done that. Thanx
>>>>
>>>>Torkel Mathisen wrote:
>>>>
>>>>
>>>>
>>>>
>>>>>In base.conf try and disable: #define FTP_ENFORCE_NL
>>>>>
>>>>>It should now read // #define FTP_ENFORCE_NL
>>>>>
>>>>>Regards,
>>>>>Torkel
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>-----Original Message-----
>>>>>>From: Sadir Al-khafaji [mailto:[email protected]]
>>>>>>Sent: 7. mai 2002 10:00
>>>>>>To: [email protected]
>>>>>>Subject: [FW-1] FTP-problems
>>>>>>
>>>>>>
>>>>>>I have a problem with ftp at certain times. It's a Mainframe to
>>>>>>Mainframe ftp session and sometimes the ftp-data connection cannot be
>>>>>>opened. I allowed port 20, 21, FTP-PASV, FTP-PORT, HIGH-PORTS, and I
>>>>>>still have the same problem. It is the first rule in the rule-base.
>>>>>>Any ideas.
>>>>>>
>>>>>>Cheers
>>>>>>//Sadir
>>>>>>
>>>>>>=================================================
>>>>>>To set vacation, Out Of Office, or away messages,
>>>>>>send an email to [email protected]
>>>>>>in the BODY of the email add:
>>>>>>set fw-1-mailinglist nomail
>>>>>>=================================================
>>>>>>To unsubscribe from this mailing list,
>>>>>>please see the instructions at
>>>>>>http://www.checkpoint.com/services/mailing.html
>>>>>>=================================================
>>>>>>If you have any questions on how to change your
>>>>>>subscription options, email
>>>>>>[email protected]
>>>>>>=================================================
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>

   All contents © 2004 Network Presence, LLC. All rights reserved.