We are running FW1 4.1 SP3 on Solaris. When initiating an ftp session to most sites, the connection hangs at the "connecting" prompt, then times out. The log shows FTP packets being dropped by rule 0. I understand why this is happening. Nokia's Resolution #3317 says that if the firewall with SP2 or later receives any ACK packets that are not in the connections table, it will drop them to protect from an ACK Denial of Service attack. It goes on to explain how to modify the fwui_head.def file to not log these dropped connections.

Fine. But that still leaves me with no usable ftp. (I should say that some ftp sites work, but most do not.) Does anyone know how to fix this, other than modifying the fwui_head.def file to allow ALL TCP non-syn packets to go through, and thereby opening me up to ACK Denial of Service attacks?

Thanks.

Scott
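The check the post describes, as an added illustrative model that is not part of the original message and not Check Point's code: a connection table keyed by the TCP endpoints, an entry created by an accepted SYN, and any non-SYN packet with no matching entry dropped and logged as a rule-0 drop. The packet structure, the idle timeout value, the log format and the `accept_unmatched_non_syn` switch (which models the broad fwui_head.def change the poster wants to avoid) are all assumptions made for the example.

```python
# Constructed simulation of the stateful check described in the post (not
# FireWall-1 code): a connection table keyed by the TCP endpoints, entries
# created by an accepted SYN, and any non-SYN packet with no table entry
# dropped and logged as a rule-0 drop.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool
    ts: float  # arrival time in seconds (constructed)


class StatefulFilter:
    def __init__(self, tcp_timeout=3600.0, accept_unmatched_non_syn=False):
        # tcp_timeout: assumed idle timeout for table entries (illustrative value)
        self.tcp_timeout = tcp_timeout
        # accept_unmatched_non_syn models the fwui_head.def change the post
        # warns about: passing every non-SYN packet regardless of state
        self.accept_unmatched_non_syn = accept_unmatched_non_syn
        self.table = {}   # direction-independent key -> last-seen time
        self.log = []     # constructed log lines in a "rule N" style

    @staticmethod
    def key(p):
        # Same key for both directions of one connection
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def process(self, p, rule_allows_syn=True):
        """Return 'accept' or 'drop' for one packet and update the table."""
        k = self.key(p)
        last = self.table.get(k)
        if last is not None and p.ts - last > self.tcp_timeout:
            del self.table[k]          # idle entry expired
            last = None
        if last is not None:
            self.table[k] = p.ts       # known connection: refresh and pass
            return "accept"
        if p.syn and not p.ack:
            if rule_allows_syn:
                self.table[k] = p.ts   # new connection admitted by policy
                return "accept"
            self.log.append(f"drop rule=policy syn {p.src}:{p.sport} -> {p.dst}:{p.dport}")
            return "drop"
        if self.accept_unmatched_non_syn:
            return "accept"            # weak setting: no state check at all
        # The check the post describes: non-SYN packet with no table entry
        self.log.append(f"drop rule=0 non-syn {p.src}:{p.sport} -> {p.dst}:{p.dport} ack={p.ack}")
        return "drop"


def run_scenarios():
    """Three constructed cases; returns the decisions and the rule-0 drop count."""
    fw = StatefulFilter()
    # 1. A normal FTP control connection: SYN admitted, later ACKs match the entry
    syn = Packet("10.0.0.5", 40000, "198.51.100.7", 21, syn=True, ack=False, ts=0.0)
    ack = Packet("10.0.0.5", 40000, "198.51.100.7", 21, syn=False, ack=True, ts=0.2)
    reply = Packet("198.51.100.7", 21, "10.0.0.5", 40000, syn=False, ack=True, ts=0.3)
    normal = [fw.process(syn), fw.process(ack), fw.process(reply)]
    # 2. An ACK for which the firewall never saw a SYN: rule-0 drop
    stray = Packet("203.0.113.9", 55555, "10.0.0.5", 40001, syn=False, ack=True, ts=1.0)
    stray_result = fw.process(stray)
    # 3. The same stray ACK with the broad fwui_head.def change modelled: it passes
    weak = StatefulFilter(accept_unmatched_non_syn=True)
    weak_result = weak.process(stray)
    rule0 = sum(1 for line in fw.log if "rule=0" in line)
    return {"normal": normal, "stray": stray_result, "weak": weak_result, "rule0_drops": rule0}


if __name__ == "__main__":
    print(run_scenarios())
```

The third scenario is the trade-off the post names: once unmatched non-SYN packets are passed unconditionally, the state check no longer distinguishes a stray ACK from one belonging to a real connection, which is why the poster is looking for a narrower fix.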
