Is there a way for you to tell GEIS to use a specific high port and lock
that ONE port in so you can set the rule in FW-1?
This is a problem I've come up against working with a couple of vendors who
want to talk to us through our firewall. I've literally had to sit in front
of the logs as people hammer away on the vendor's app and watch for dropped
ports, just to add them to the rule to get it to work...
Good luck working with GEIS, let us know if they come up with an answer...
>From: "Robert MacDonald" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED], [EMAIL PROTECTED]
>Subject: Re: How FW-1 calculates PORT numbers
>Date: Wed, 01 Mar 2000 12:01:52 -0500
>
>J. T. B.,
>
>Thanks for responding (you're the second one in two weeks).
>
>Yes, if I specifically tell the firewall to allow these connections
>back, it works. But I want to run GEIS over ports 21/20
>and allow FW-1 to track the sessions as 'normal' FTP. IOW,
>I don't want to open these higher ports just for the sake of
>'fixing' GEIS.
>
>If I only use 'normal' FTP, it works great. The firewall handles
>the whole session. I have enabled the data port in the policy
>properties.
>
>After speaking with GEIS technical support, I seem to have
>come across something GEIS is aware of (and has other customers
>complaining about the same thing).
>
>Their software ignores the PORT command and digs out the port number
>the client requested from deeper within the packet (this is supposedly
>how they know about the original port number). GEIS said that this is the
>'newer' standard, but I have not been able to find RFC info on this.
>Any help on this 'standard' is welcome.
>
>It also seems that GEIS software is not responding from the port
>defined for the DATA (20) port. They seem to arbitrarily pick a high port
>to respond with. GEIS is looking into this (??). If their software responded
>back with the right source port to the right destination port, I'm positive
>the firewall rules set for 'normal' FTP will prevail.
>
>By the way, the other response I received wanted to make
>sure that snoop wasn't cutting off (via the display) the PORT command after
>the 20th byte, so it appeared to be different from the normal. I don't
>think that's what's happening, but to be sure I'm going to run a real
>sniffer on it later today.
>
>With all that said, if anyone has a definite answer to my original question
>(like FW-1 is no different than any other system when it comes to the PORT
>command), I'm all ears. Thanks.
>
>Sorry for the long winded-ness,
>Robert
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
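Editor's note, added to this archived thread as a worked illustration (it is not Check Point's, GEIS's or either poster's code): the model below shows what an FTP-aware stateful firewall such as FW-1 has to do with an active-mode PORT command, and why the two behaviours Robert describes break it. The firewall parses `PORT h1,h2,h3,h4,p1,p2` on the control channel, computes the client's data port as p1*256+p2, and opens a pinhole for exactly one connection: server source port 20 to that client host and port. A server that answers from an arbitrary high port instead of 20 never matches that pinhole, which is why the rules for 'normal' FTP don't carry the session. The last check reproduces the snoop concern from the other responder: a display line cut at 20 bytes can still look like a valid PORT command and parse to a different port. All addresses, ports and sample lines are constructed for the example; the pinhole is a simplified model and is not claimed to be FW-1's exact implementation.

```python
"""
Model of active-mode FTP tracking by a stateful firewall.

Added illustration for the thread above; not FW-1 or GEIS code.
Addresses, ports and the control-channel lines are constructed.
"""

import re

# RFC 959 PORT syntax: six decimal byte values separated by commas.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$"
)


def parse_port_command(line):
    """Return (client_host, client_port) from a PORT line, or None if the
    line is not a complete, well-formed PORT command.  Port = p1*256 + p2."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def expected_data_connection(server_ip, port_line):
    """Pinhole the firewall opens after seeing the PORT command:
    server port 20 -> (client host, client port).  Simplified model."""
    parsed = parse_port_command(port_line)
    if parsed is None:
        return None
    host, port = parsed
    return {"src": (server_ip, 20), "dst": (host, port)}


def data_connection_allowed(pinhole, syn):
    """syn = (src_ip, src_port, dst_ip, dst_port) of the server's SYN for
    the data connection.  Only the exact 4-tuple the PORT command implied
    is allowed through."""
    if pinhole is None:
        return False
    src_ip, src_port, dst_ip, dst_port = syn
    return (src_ip, src_port) == pinhole["src"] and (dst_ip, dst_port) == pinhole["dst"]


# Constructed control-channel line: client 10.1.2.30 asks for data on
# port 19*256 + 136 = 5000.  Server address is also constructed.
PORT_LINE = "PORT 10,1,2,30,19,136\r\n"
SERVER = "192.0.2.10"


def demo():
    pinhole = expected_data_connection(SERVER, PORT_LINE)
    return {
        # 'normal' FTP: server connects from port 20 to the advertised port
        "normal_ftp": data_connection_allowed(pinhole, (SERVER, 20, "10.1.2.30", 5000)),
        # the GEIS behaviour described above: arbitrary high source port
        "high_src_port": data_connection_allowed(pinhole, (SERVER, 40123, "10.1.2.30", 5000)),
        # a display that cut the line at 20 bytes still parses, but to a
        # different port, which is the snoop concern raised in the thread
        "truncated_parse": parse_port_command(PORT_LINE[:20]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The truncated line in the last check is `PORT 10,1,2,30,19,13`, which parses to port 4877 rather than 5000, so comparing a sniffer display against the firewall's log without confirming the full line really can make a normal PORT command look wrong. The high-source-port case fails regardless of how the port number was obtained: the pinhole is keyed on the server's source port 20 as well as the client's address and port.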