
Re: [FW-1] FTP transfer issues - base.def



Port command ended without newline.  I believe RFC calls for this, which is
why it's enforced.  Tell the company to fix their FTP program.

Tried to open a known service port.
RFC requires FTP to request ports above 1024 for transfers.

I have seen this problem with ARIEL doing this, but it runs on ports 422/419
which are nonstandard as is.  I had to create two rules, two inbound with
specific ports, and an outbound with specific ports.  This got around the
FTP inspect code and still allowed me to control what it was doing.

Here are my rules to handle ARIEL.

Inbound Rule
Any - ArielServers - 419 (proto type none)
Any - ArielServers - 422 (proto type none)
Outbound Rule
ArielServers - Any - 419 (proto type FTP)

If this is occurring on port 21/20 I would ask them to verify their FTP
program, because it should work without any problems.

Derek

-----Original Message-----
From: Daniel Samaan [mailto:[email protected]]
Sent: Wednesday, October 29, 2003 8:43 AM
To: [email protected]
Subject: [FW-1] FTP transfer issues - base.def

Having FTP issues with NG FP3, HF2, HFA_308

The two issues show up in the log as:
port command ended without newline
...tried to open a known service port

Because of this, many of our file transfers are failing.
I have found the solution. It involves changing the base.def. The first
error is a simple fix, I just need to change the line that looks for a new
line in the same packet as the port command. The second is also a simple
fix but it involves some risk. I will have to make the firewall accept ftp
file transfers on ports that I have already assigned. At the top of the
base.def, I will add
#define NO_SERVER_PORT_CHECK

The risk is that a hacker can now request a pre-defined port and get through
to other stuff in our network.

Here's my question to you:
What do you think the likelihood of someone exploiting this risk is?
If the risk is unacceptable, is there another solution?


Daniel Samaan
Technical Security Consultant
CCSP, CCSE, CCNA, CCA, MCSE+I
Cell:[email protected]

---------------------------------------------------------------------
Forsythe Solutions
5440 W. Fargo Avenue
Skokie, IL 60077
www.forsythe.com

 Delivering the Business Value of IT

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
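The two base.def checks behind the log lines quoted in this thread ("port command ended without newline" and "tried to open a known service port"), written out as an added Python example; this is not Check Point's inspect code and not from either poster. The `server_port_check` flag stands in for `#define NO_SERVER_PORT_CHECK`, and the optional client-address match is an extra check that the thread does not mention:

```python
import re
from dataclasses import dataclass

# PORT h1,h2,h3,h4,p1,p2 terminated by CRLF, as RFC 959 specifies.
PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$",
    re.IGNORECASE,
)

@dataclass
class Verdict:
    accepted: bool
    reason: str
    host: str = ""
    port: int = 0

def inspect_port_command(segment: bytes, client_ip: str,
                         server_port_check: bool = True,
                         require_client_match: bool = False) -> Verdict:
    """Apply the checks discussed in the thread to one control-channel segment.

    - The PORT line must end with CRLF inside the same segment; otherwise
      the verdict is "port command ended without newline".
    - The requested data port must be above 1024; otherwise the verdict is
      "tried to open a known service port". Passing server_port_check=False
      is the equivalent of NO_SERVER_PORT_CHECK in base.def.
    - require_client_match (an assumption, not from the thread) additionally
      demands that the address in PORT equal the client's own address, which
      is what stops a client from pointing a transfer at another host.
    """
    if not segment[:5].upper() == b"PORT ":
        return Verdict(False, "not a PORT command")
    if not segment.endswith(b"\r\n"):
        return Verdict(False, "port command ended without newline")
    m = PORT_RE.match(segment)
    if not m:
        return Verdict(False, "malformed PORT arguments")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return Verdict(False, "octet out of range")
    host = f"{h1}.{h2}.{h3}.{h4}"
    port = p1 * 256 + p2
    if server_port_check and port <= 1024:
        return Verdict(False, "tried to open a known service port", host, port)
    if require_client_match and host != client_ip:
        return Verdict(False, "PORT address is not the client address", host, port)
    return Verdict(True, "ok", host, port)
```

Sample segments such as `b"PORT 10,1,2,3,4,1\r\n"` are constructed inputs; feed the function each PORT line as it arrives from the client side of the control connection.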




 
----------------------------------

ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT SITE MAP LEGAL
   All contents © 2004 Network Presence, LLC. All rights reserved.