This seems not to be a problem with fw-1 configuration
we noticed download problems with ftp.oracle.com
bigip-ftp.us.oracle.com
Address: 206.204.55.43
Aliases: ftp.oracle.com
some time ago ....
also with the Error Message "Tried to open other host port" in the
rejected ftp-data packets ....
Looking at these dropped lines I've noticed that in fact ftp.oracle.com
does really return another IP address inside the FTP PORT command ...
(fw-1 considers this to be a security problem and therefore rejects these
packets)
the IP inside the PORT command was most of the time 206.204.55.53,
so I tried to contact this IP directly and I succeeded in downloading what
I wanted.
So my solution to this problem was to generate a STATIC NAT Entry in
the rulebase for FTP to ftp.oracle.com
It looks like:
>> src          dst             port   transl.src   StaticNat dst       port      <<
   FWexternIP   ftp.oracle.com  ftp    =Original    S-ftp2.oracle.com   =Original
Please note, as we are using the ftp Security Server we need our
External FW Interface as source (This may depend on your configuration)
ftp.oracle.com are the IPs of the Oracle FTP server (in fact this is
currently only 206.204.55.43); ftp2.oracle.com is the objectName for the
IP 206.204.55.53. With this NAT rule active we don't have any more
problems with ftp transfers from ftp.oracle.com.
Maybe this will help you
Michael
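The check Michael describes, as an added example that is not part of the thread or of any FW-1 code: a small Python model of a stateful FTP inspector that opens a data-connection pinhole only when the address announced in the FTP line matches the peer of the control connection, and rejects with the "tried to open other host port" reason otherwise. It goes beyond the message in handling both the client's PORT command and the server's 227 PASV reply, and it models Michael's static NAT workaround as a destination-rewrite table. All IPs, the sample 227 line and the NAT table are constructed from values quoted in the thread; the below-1024 port check is an extra sanity check, not something the thread attributes to FW-1.

```python
"""Model of the FTP data-endpoint check behind "tried to open other host port"."""
import re

# "h1,h2,h3,h4,p1,p2" tuple carried by a PORT command and by a 227 PASV reply.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(line):
    """Return (ip, port) from 'PORT h1,h2,h3,h4,p1,p2' or
    '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'; None if no valid tuple."""
    m = _HOSTPORT.search(line)
    if not m:
        return None
    vals = [int(v) for v in m.groups()]
    if any(v > 255 for v in vals):
        return None
    return ".".join(map(str, vals[:4])), vals[4] * 256 + vals[5]

def check_data_endpoint(line, control_peer):
    """Decide whether to open a pinhole for the announced data endpoint.
    control_peer is the IP of the side that sent the line: the client for a
    PORT command, the server for a 227 reply.  Returns ('accept', ip, port)
    or ('reject', reason)."""
    parsed = parse_hostport(line)
    if parsed is None:
        return ("reject", "no host/port tuple in FTP line")
    ip, port = parsed
    if port < 1024:  # extra sanity check (assumption, not from the thread)
        return ("reject", "data port below 1024")
    if ip != control_peer:
        # The announced IP differs from the control-connection peer: this is
        # the condition the thread's FW-1 logs as the rejection reason.
        return ("reject", "tried to open other host port")
    return ("accept", ip, port)

def resolve_with_static_nat(dst_ip, static_nat):
    """Apply a destination static NAT table before the control connection opens."""
    return static_nat.get(dst_ip, dst_ip)

# Constructed sample: control connection to ftp.oracle.com (206.204.55.43),
# but the server's 227 reply announces 206.204.55.53 (port 16*256+217 = 4313).
FTP_VIP = "206.204.55.43"
FTP_REAL = "206.204.55.53"
PASV_REPLY = "227 Entering Passive Mode (206,204,55,53,16,217)"
STATIC_NAT = {FTP_VIP: FTP_REAL}  # models the ftp.oracle.com -> ftp2.oracle.com rule

def demo_without_nat():
    return check_data_endpoint(PASV_REPLY, FTP_VIP)

def demo_with_nat():
    return check_data_endpoint(PASV_REPLY, resolve_with_static_nat(FTP_VIP, STATIC_NAT))

if __name__ == "__main__":
    print(demo_without_nat())  # ('reject', 'tried to open other host port')
    print(demo_with_nat())     # ('accept', '206.204.55.53', 4313)
```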
On 13 Jul, [EMAIL PROTECTED] wrote:
>
> I disabled SYN Defender. Problem still occurs.
>
> The timeouts for TCP Session and UDP are set to the defaults. After clicking on
> the link to the ftp site the entries in the log show up in 10 - 20 seconds so I
> don't think that is it.
>
> Thanks,
>
> Joe
>
>
>
>
>
>
> "Scheidel, Greg" <[EMAIL PROTECTED]> on 07/13/2000 02:34:39 PM
>
> To: Joseph Vieira/DMR/CA@DMR-CANADA
> cc:
> Subject: RE: [FW1] ftp problem
>
>
>
> Hrm. RSH/REXEC and RPC won't impact this.
>
> Two other things you can check (and test each one independently) are:
>
> - Disable SYN Defender
> - Check Policy/Properties/Security Policy/[TCP Session Timeout, UDP Virtual
> Session Timeout]. Defaults are 3600 and 40, respectively. The problem
> you're now describing could be caused by the TCP / UDP session timing out of
> the state table before the FTP response comes in.
>
> Greg S.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 13, 2000 1:40 PM
> To: Scheidel, Greg
> Subject: RE: [FW1] ftp problem
>
>
> Greg,
>
> That's what I have.
>
> FTP Port Data: Y
> FTP PASV Data: N
> RSH/REXEC: N
> RPC: Y
>
> Could the other two be causing this problem?
>
> Thanks,
>
> Joe
>
>
>
>
>
> "Scheidel, Greg" <[EMAIL PROTECTED]> on 07/13/2000 12:33:23 PM
>
> To: Joseph Vieira/DMR/CA@DMR-CANADA
> cc:
> Subject: RE: [FW1] ftp problem
>
>
>
> Try these settings on your Firewall Policy/Properties/Services:
>
> Enable FTP Port Data Connections : Yes
> Enable FTP PASV Data Connections : No
>
> Greg S.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 13, 2000 12:23 PM
> To: Scheidel, Greg
> Cc: [EMAIL PROTECTED]
> Subject: RE: [FW1] ftp problem
>
> OK,
>
> I removed anti-spoofing as suggested that it might be a problem. And I turned
> FTP PASV off. Still does not work but I have different log entries.
> First one is from client to server dropped by last rule using high port numbers
> 44067 and 53154. I tested it twice; I'm assuming it is just a random high port.
> Second log entry is from ftp server to client port 4313 and 4321; again I'm
> assuming it is just random. In the log entry for the second one it listed the
> s_port as ftp-data. I don't know if that means anything.
>
> Any suggestions?
>
> Thanks,
>
> Joe
>
>
>
>
>
>
>
> "Scheidel, Greg" <[EMAIL PROTECTED]> on 07/12/2000 10:33:17 PM
>
> To: Joseph Vieira/DMR/CA@DMR-CANADA,
> [EMAIL PROTECTED]
> cc:
> Subject: RE: [FW1] ftp problem
>
>
>
> Firewall Policy/Properties/Services/"Enable FTP PASV Data Connections" -
> Off. This setting does exactly the opposite of what you'd expect. "tried
> to open other host port" is indicative of this problem.
>
> Greg S.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, July 12, 2000 10:22 AM
> To: [EMAIL PROTECTED]
> Subject: [FW1] ftp problem
>
>
> Greetings,
>
> I have FW-1 ver 4.0 and 4.1 on NT machines. I was on Oracle's tech web site
> http://technet.oracle.com/ to download some software. The web site takes you
> to a page which has a link to their ftp site. When I click on that link I get a
> read error. I checked the FW logs and it showed that a packet was rejected by
> rule 0 from the ftp server to client machine. In the info section of the log it
> stated the reason: tried to open other host port.
>
> Now I was downloading stuff from Oracle for a month now with no problems until
> last week. Then this happened on my FW (ver 4.0), and I just set up a new FW
> (ver 4.1) and I have the same problem. Anyone know what this problem is and how
> to fix it?
>
> Thank you,
>
> Joe
>
>
> I'm using IE and Netscape to download from oracle on both Windows and Linux
> machines.
>
>
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================