I agree. A tested example:
There's a server with two NICs contacting an ftp server outside. The server
IP addresses are x.x.x.200 and x.x.x.201. The FW-1 rule allows ftp
connections to the outside server from both addresses. Standard command-line
ftp works fine. However, when ftp is used within a Cold Fusion script, we
get a reject with the message "Tried to open host port".
The ftp connection is always initiated from the interface with x.x.x.200
address. Standard ftp uses a PORT command x,x,x,200,0,21 , which is OK. Cold
Fusion, however, sends a PORT command x,x,x,201,0,21! Of course, FW-1
doesn't like this and puts an end to it.
In my mind, the FW-1 works as it is supposed to.
-tommi saxelin-
- networker -
- cge&y -
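An added example, not code from the thread or from Check Point, modelling the check Tommi's and Michael's log entries point at: a stateful FTP inspector only lets a data connection through when the address announced on the control channel belongs to the peer that announced it (the client for PORT, the server for the 227 PASV reply). The block handles both directions, so it covers the dual-NIC host above and, assuming the browser download used passive mode, the ftp.oracle.com case below. The addresses 192.0.2.x and 203.0.113.21 are stand-ins for the x.x.x.200/201 host and its outside server; the Oracle addresses are those quoted in the thread, while the 227 wording and port are constructed. The log string it reproduces is the one the thread quotes, not a claim about FW-1's actual log format.

```python
"""
Model of the check a stateful FTP inspector applies to data connections.

Added example for this thread; it is not Check Point code and does not
reproduce FW-1's inspection engine.  Assumption: the inspector only
allows a data connection whose announced endpoint belongs to the peer
that announced it (client for PORT, server for the 227 PASV reply).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import IPv4Address

# PORT and the 227 reply both carry the endpoint as h1,h2,h3,h4,p1,p2
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass
class Verdict:
    allowed: bool
    data_ip: str
    data_port: int
    reason: str


def parse_hostport(text: str) -> tuple[str, int]:
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 tuple; port = p1*256 + p2."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in {text!r}")
    ip = ".".join(str(f) for f in fields[:4])
    IPv4Address(ip)  # sanity check on the dotted form
    return ip, fields[4] * 256 + fields[5]


def check_data_connection(line: str, client_ip: str, server_ip: str) -> Verdict:
    """
    line       one control-channel line: "PORT h1,h2,h3,h4,p1,p2" sent by the
               client, or "227 ... (h1,h2,h3,h4,p1,p2)" sent by the server
    client_ip  source address of the control connection as seen on the wire
    server_ip  destination address of the control connection
    """
    text = line.strip()
    if text.upper().startswith("PORT "):
        owner, what = client_ip, "client PORT"
    elif text.startswith("227"):
        owner, what = server_ip, "server PASV reply"
    else:
        return Verdict(False, "", 0, "not a data-connection announcement")
    try:
        ip, port = parse_hostport(text)
    except ValueError as exc:
        return Verdict(False, "", 0, f"malformed {what}: {exc}")
    if ip != owner:
        # This is the situation the thread's log entries describe.
        return Verdict(False, ip, port,
                       f"{what} announces {ip} but control peer is {owner}: "
                       "tried to open other host port")
    return Verdict(True, ip, port, f"{what} matches control peer {owner}")


def thread_cases() -> dict[str, Verdict]:
    """Constructed control-channel lines that follow the two cases in the thread."""
    # Tommi's dual-NIC host: 192.0.2.200/.201 stand in for x.x.x.200/.201,
    # 203.0.113.21 is a made-up outside ftp server.
    two_nic = dict(client_ip="192.0.2.200", server_ip="203.0.113.21")
    # Michael's case: the Oracle addresses are the ones quoted in the thread;
    # the port (16,89) and the 227 wording are constructed.
    oracle = dict(client_ip="192.0.2.10", server_ip="206.204.55.43")
    return {
        "cmdline ftp, PORT from .200": check_data_connection(
            "PORT 192,0,2,200,0,21", **two_nic),
        "Cold Fusion, PORT names .201": check_data_connection(
            "PORT 192,0,2,201,0,21", **two_nic),
        "oracle 227 names .53": check_data_connection(
            "227 Entering Passive Mode (206,204,55,53,16,89)", **oracle),
        "oracle 227 names .43": check_data_connection(
            "227 Entering Passive Mode (206,204,55,43,16,89)", **oracle),
    }


if __name__ == "__main__":
    for name, v in thread_cases().items():
        print(f"{'ACCEPT' if v.allowed else 'REJECT':6} {name:30} {v.reason}")
```

Michael's static-NAT workaround further down sidesteps the mismatch rather than relaxing the check: the control connection is sent to 206.204.55.53 in the first place, so the announced address and the control peer agree.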
> -----Original Message-----
> From: Rohleder, Michael [mailto:[EMAIL PROTECTED]]
> Sent: 17 July 2000 9:31
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: [FW1] ftp problem
>
> This seems not to be a problem with fw-1 configuration.
>
> We noticed download problems with ftp.oracle.com
> bigip-ftp.us.oracle.com
> Address: 206.204.55.43
> Aliases: ftp.oracle.com
> some time ago ....
>
> also with the error message "Tried to open other host port" in the
> rejected ftp-data packets ....
>
> Looking at these dropped lines I've noticed that in fact ftp.oracle.com
> does really return another IP address inside the FTP PORT command ...
> (fw-1 considers this to be a security problem and therefore rejects
> these packets)
>
> The IP inside the PORT command was most of the time 206.204.55.53,
> so I tried to contact this IP directly and I succeeded in downloading
> what I wanted.
>
> So my solution to this problem was to generate a STATIC NAT entry in
> the rulebase for FTP to ftp.oracle.com.
>
> It looks like:
>
>   src         dst             port   transl.src   StaticNat dst       port
>   FWexternIP  ftp.oracle.com  ftp    =Original    S-ftp2.oracle.com   =Original
>
> Please note, as we are using the ftp Security Server we need our
> external FW interface as source (this may depend on your
> configuration). ftp.oracle.com are the IPs of the Oracle FTP server
> (in fact this is currently only 206.204.55.43); ftp2.oracle.com is the
> object name for the IP 206.204.55.53. With this NAT rule active we
> don't have any more problems with ftp transfers from ftp.oracle.com.
>
> Maybe this will help you
>
>
> Michael
>
> On 13 Jul, [EMAIL PROTECTED] wrote:
> >
> > I disabled SYN Defender. Problem still occurs.
> >
> > The timeouts for TCP Session and UDP are set to the defaults. After
> > clicking on the link to the ftp site the entries in the log show up in
> > 10 - 20 seconds so I don't think that is it.
> >
> > Thanks,
> >
> > Joe
> >
> > "Scheidel, Greg" <[EMAIL PROTECTED]> on 07/13/2000 02:34:39 PM
> >
> > To: Joseph Vieira/DMR/CA@DMR-CANADA
> > cc:
> > Subject: RE: [FW1] ftp problem
> >
> >
> >
> > Hrm. RSH/REXEC and RPC won't impact this.
> >
> > Two other things you can check (and test each one independently) are:
> >
> > - Disable SYN Defender
> > - Check Policy/Properties/Security Policy/[TCP Session Timeout, UDP
> >   Virtual Session Timeout]. Defaults are 3600 and 40, respectively.
> >   The problem you're now describing could be caused by the TCP / UDP
> >   session timing out of the state table before the FTP response comes
> >   in.
> >
> > Greg S.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, July 13, 2000 1:40 PM
> > To: Scheidel, Greg
> > Subject: RE: [FW1] ftp problem
> >
> >
> > Greg,
> >
> > That's what I have.
> >
> > FTP Port Data: Y
> > FTP PASV Data: N
> > RSH/REXEC: N
> > RPC: Y
> >
> > Could the other two be causing this problem?
> >
> > Thanks,
> >
> > Joe
> >
> > "Scheidel, Greg" <[EMAIL PROTECTED]> on 07/13/2000 12:33:23 PM
> >
> > To: Joseph Vieira/DMR/CA@DMR-CANADA
> > cc:
> > Subject: RE: [FW1] ftp problem
> >
> >
> >
> > Try these settings on your Firewall Policy/Properties/Services:
> >
> > Enable FTP Port Data Connections : Yes
> > Enable FTP PASV Data Connections : No
> >
> > Greg S.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, July 13, 2000 12:23 PM
> > To: Scheidel, Greg
> > Cc: [EMAIL PROTECTED]
> > Subject: RE: [FW1] ftp problem
> >
> > OK,
> >
> > I removed anti-spoofing as suggested that it might be a problem. And I
> > turned FTP PASV off. Still does not work but I have different log
> > entries. The first one is from client to server, dropped by the last
> > rule, using high port numbers 44067 and 53154; I tested it twice, I'm
> > assuming it is just a random high port. The second log entry is from
> > the ftp server to the client, port 4313 and 4321, again I'm assuming it
> > is just random. In the log entry for the second one it listed the
> > s_port as ftp-data. I don't know if that means anything.
> >
> > Any suggestions?
> >
> > Thanks,
> >
> > Joe
> >
> > "Scheidel, Greg" <[EMAIL PROTECTED]> on 07/12/2000 10:33:17 PM
> >
> > To: Joseph Vieira/DMR/CA@DMR-CANADA,
> > [EMAIL PROTECTED]
> > cc:
> > Subject: RE: [FW1] ftp problem
> >
> >
> >
> > Firewall Policy/Properties/Services/"Enable FTP PASV Data Connections" -
> > Off. This setting does exactly the opposite of what you'd expect. "tried
> > to open other host port" is indicative of this problem.
> >
> > Greg S.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, July 12, 2000 10:22 AM
> > To: [EMAIL PROTECTED]
> > Subject: [FW1] ftp problem
> >
> >
> > Greetings,
> >
> > I have FW-1 ver 4.0 and 4.1 on NT machines. I was on Oracle's tech web
> > site http://technet.oracle.com/ to download some software. The web site
> > takes you to a page which has a link to their ftp site. When I click on
> > that link I get a read error. I checked the FW logs and it showed that
> > a packet was rejected by rule 0 from the ftp server to the client
> > machine. In the info section of the log it stated the reason: tried to
> > open other host port.
> >
> > Now I was downloading stuff from Oracle for a month now with no
> > problems until last week. Then this happened on my FW (ver 4.0), and I
> > just set up a new FW (ver 4.1) and I have the same problem. Anyone know
> > what this problem is and how to fix it?
> >
> > Thank you,
> >
> > Joe
> >
> >
> > I'm using IE and Netscape to download from Oracle on both Windows and
> > Linux machines.
> >
> > ================================================================================
> > To unsubscribe from this mailing list, please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > ================================================================================