This was posted to the Firewall-1 list last week, w/o luck.

I'm in digest form, so if I could ask for any responses to be CC'd
to me directly, in addition to the list, it would be greatly appreciated.

- - -
I'm having trouble understanding how FW-1 calculates port
numbers when a client FTP's through our firewall to an FTP
server in a DMZ. The setup is:

   ftpclient----fw----ftpsvr

I did a snoop on both fw interfaces and the command the client
sends is:

 ftpclient -> ftpsvr FTP C port=1084 PORT a,b,c,d,4,61

and the firewall 'translates' to:

 fw -> ftpsvr FTP C port=42353 PORT w,x,y,z,16

I know that the DATA port for the ftpclient will be
1085 (256*4+61) and that the client address will be a.b.c.d. But
what I can't figure out is how do the ftpsvr and the firewall
calculate their DATA port number? The second octet is missing.
Does FW-1 make an assumption about the last number? Is the
default starting port different than a 'regular' client (normally 1024)?

I read through many RFCs on FTP (not all) and could not find
any reference to how the 'normal' calculation is done. I called
ISS support and they claim to have no written documentation
on how Checkpoint does this, nor did they have anyone who
knows how this is done.

This came about because we cannot get GEIS' software to
correctly deal with FTP. They claim their software can replace
FTP and the client will not know. We will not be having 'normal'
FTP on this server. We will be using it for EDI transactions.

I have set up their software to listen on FTP
ports 21 and 20 (and deactivated 'normal' FTP). But when
it comes time to open the DATA port, GEIS tries to use the port
that was 'negotiated' between the ftpclient and the fw (which the
firewall drops), then tries the port which the firewall specified, and
it too is dropped?? The following are the exported filtered logs, and
they are wrapped. I did clean up addresses and names. The empty ""
are exactly from the log. The first one is of a 'normal' successful
FTP session. The second belongs to the two drops below.

"21Feb2000"  "14:20:15"  "qfe0"  "m.n.o.p"  "accept"  "ftp"
"ftpclient"  "ftpsvr"  "tcp"  "7"  "1084"  "fw"  "ftpsvr"  "42353"  "ftp"
"21Feb2000"  "14:29:34"  "qfe0"  "m.n.o.p"  "accept"  "ftp"
"ftpclient"  "ftpsvr"  "tcp"  "7"  "1089"  "fw"  "ftpsvr"  "44278"  "ftp"  

And here are the two drops referenced above.

"21Feb2000"  "14:29:45"  "qfe5"  "m.n.o.p"  "drop"  "1090"
"ftpsvr"  "ftpclient"  "tcp"  "34"  "32862"  "ftpsvr"  "fw"  "32862"  "44312"  
"21Feb2000"  "14:31:25"  "qfe5"  "m.n.o.p"  "drop"  "44312"
"ftpsvr"  "fw"  "tcp"  "4"  "32862"  ""  ""  ""  ""  

Any and all help is much appreciated. Thank you all for 'listening'!
Robert

- -
Robert P. MacDonald, Network Engineer
G o r d o n   F o o d    S e r v i c e
Voice: +1.616.261.7987 email: [EMAIL PROTECTED]
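Added here as an illustration, not part of Robert's post and not Check Point's code: the RFC 959 PORT arithmetic the question turns on (port = p1*256 + p2), worked in both directions, plus the two checks a stateful FTP inspector typically applies before opening a data-channel pinhole. The 10.1.2.3 client address and the rule set are constructed assumptions; the port fields 4,61 are the ones from the snoop line in the post.

```python
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 where the data port is p1*256 + p2.
PORT_ARG = re.compile(r"^\s*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")

def parse_port_argument(arg):
    """Return (host, port) advertised by a PORT argument, e.g. 'a,b,c,d,4,61' -> ('a.b.c.d', 1085)."""
    m = PORT_ARG.match(arg)
    if not m:
        # Fewer than six fields (as in the snoop line that ends in ',16') cannot be decoded.
        raise ValueError(f"malformed PORT argument: {arg!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in PORT argument: {arg!r}")
    host = ".".join(str(f) for f in fields[:4])
    return host, fields[4] * 256 + fields[5]

def format_port_argument(host, port):
    """Inverse of parse_port_argument: ('a.b.c.d', 42354) -> 'a,b,c,d,165,114'."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    octets = host.split(".")
    if len(octets) != 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {host!r}")
    return ",".join(octets + [str(port // 256), str(port % 256)])

def check_port_command(arg, control_src_ip):
    """Decide whether an inspecting firewall should open a pinhole for the advertised data channel.
    Returns (allowed, reason, host, port). The two rules (address must equal the control-connection
    source, port must be unprivileged) are the usual stateful-inspector rules, assumed here."""
    try:
        host, port = parse_port_argument(arg)
    except ValueError as exc:
        return False, str(exc), None, None
    if host != control_src_ip:
        return False, "advertised address differs from control-connection source", host, port
    if port < 1024:
        return False, "advertised data port is privileged", host, port
    return True, "ok", host, port

if __name__ == "__main__":
    # Constructed client address; the port fields are the ones from the snoop line in the post.
    print(parse_port_argument("10,1,2,3,4,61"))           # ('10.1.2.3', 1085)
    print(format_port_argument("10.1.2.3", 42354))        # 10,1,2,3,165,114
    print(check_port_command("10,1,2,3,16", "10.1.2.3"))  # five fields: rejected as malformed
```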
