Try these solutions:
-----------------------------------------------------------------------
Edit the $FWDIR/lib/base.def file to allow FTP headers without "\r\n":
1. Stop FireWall-1 (fwstop)
2. Edit the /$FWDIR/lib/base.def
3. Mark out the following line:
#define FTP_ENFORCE_NL
to:
//#define FTP_ENFORCE_NL
4. Start FireWall-1 (fwstart)
5. Re-install the policy
Cause of this problem:
FireWall-1 expects each FTP header coming from the server to end with \r\n.
If a packet arrives without it, it will be dropped.
-----------------------------------------------------------------------
Edit the /$FWDIR/lib/base.def file to allow this behavior:
1. Stop the FireWall (fwstop)
2. Edit the $FWDIR/lib/base.def:
Change it from:
#define FTPPORT(match) (call KFUNC_FTPPORT <0x1|(match)>)
//
// Use this if you do not want the FireWall module to insist on a newline at the
// end of the PORT command:
// #define FTPPORT(match) (call KFUNC_FTPPORT <(match)>)
To:
//#define FTPPORT(match) (call KFUNC_FTPPORT <0x1|(match)>)
//
// Use this if you do not want the FireWall module to insist on a newline at the
// end of the PORT command:
#define FTPPORT(match) (call KFUNC_FTPPORT <(match)>)
(The change is to comment the first line, and uncomment the last one)
3. Start the FireWall (fwstart)
4. Re-install the policy
Cause of this problem:
FireWall-1 expects each passive FTP port command to be followed with \r\n.
If the port command is followed by a different character, the packet will be
dropped. For example, the following port command will be dropped due to the
fact that it is followed by a '.' (dot):
"227 Entering Passive Mode (12,3,232,58,17,244).\r\n"
-------------------------------------------------------------
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> Reinhard Posmyk
> Sent: Friday, 30 June 2000 7:49 p.m.
> To: [EMAIL PROTECTED]
> Subject: Re: [FW1] FTP problems after update to 4.1SP1
>
>
>
> Some information may help:
> - SYN-Defender is in passive mode, but no log entries are issued
> - login works after shortening the welcome message on the ftp server, but
> still there are problems with many internet ftp servers.
>
> Steve Smith wrote:
> >
> > In my case, passive ftp has always been on......
> >
> > Steve
> >
> > [EMAIL PROTECTED] wrote:
> >
> > > Turn on passive ftp can help also.
> > >
> > > Thomas
> > >
> > > -----Original Message-----
> > > From: Steve Smith [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, June 28, 2000 10:16 PM
> > > To: Reinhard Posmyk; [EMAIL PROTECTED]
> > > Subject: Re: [FW1] FTP problems after update to 4.1SP1
> > >
> > > I had (have) similar problems. The answer I got was to make sure that
> > > SYN-Defender (See system policy) is in PASSIVE mode or OFF (so much for
> > > the option!). My FTP's from the Internet to ANY statically mapped IP were
> > > failing. They would be able to log in, but nothing else - no ls command,
> > > no get, put, or anything else. Even after finding this out, I had to move
> > > my FTP server back into the production net (YUC!).
> > >
> > > Steve Smith
> > >
> > > Reinhard Posmyk wrote:
> > >
> > > > After updating to SP1+Hotfix there are problems to connect to a ftp
> > > > server (dmz) from the internal network using cvp. VPN-1 runs on HP-UX
> > > > 10.20.
> > > >
> > > > Transaction says:
> > > > 220 aftpd: Check Point FireWall-1 Secure FTP server running on firewall
> > > > Name (ftp:root): ftp
> > > > 331 aftpd (not authenticated): Enter server password, or for anonymous login
> > > > use your complete e-mail addr
> > > > Password:
> > > > 421 Service not available, remote server has closed connection
> > > > Login failed.
> > > >
>
>
> ==================================================================
> ==============
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ==================================================================
> ==============
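Added example (not part of the original post and not Check Point's code): a small Python model of the two newline checks described at the top of this message, for testing which captured control-channel payloads strict enforcement would drop and what each base.def edit changes. The function name, the enforce_nl/port_nl switches and the tolerance for a closing ")" are assumptions made for illustration.

```python
import re

# h1,h2,h3,h4,p1,p2 as carried by a PORT command or a 227 reply
ADDR = re.compile(rb"\d{1,3}(?:,\d{1,3}){5}")


def check_payload(payload: bytes, enforce_nl: bool = True, port_nl: bool = True) -> dict:
    """Model of the two checks described in the post (not Check Point's code).

    enforce_nl stands in for FTP_ENFORCE_NL, port_nl for the 0x1 flag in the
    FTPPORT macro. Returns a verdict, a reason and the parsed data endpoint.
    """
    out = {"verdict": "pass", "reason": None, "endpoint": None}

    def drop(reason):
        out.update(verdict="drop", reason=reason)
        return out

    # Check 1: every control-channel payload must end with CRLF.
    if enforce_nl and not payload.endswith(b"\r\n"):
        return drop("payload does not end with CRLF")

    # Only PORT commands and 227 replies carry an address tuple.
    if not (payload[:5].upper() == b"PORT " or payload.startswith(b"227")):
        return out
    m = ADDR.search(payload, 4)
    if m is None:
        return drop("no address tuple found")
    nums = [int(n) for n in m.group().split(b",")]
    if max(nums) > 255:
        return drop("address tuple field out of range")
    out["endpoint"] = (".".join(map(str, nums[:4])), nums[4] * 256 + nums[5])

    # Check 2: the tuple must be followed directly by CRLF.
    # Assumption: one closing ")" is tolerated, since the post blames only the dot.
    tail = payload[m.end():]
    if tail.startswith(b")"):
        tail = tail[1:]
    if port_nl and tail != b"\r\n":
        return drop(f"address tuple followed by {tail.rstrip()!r} before CRLF")
    return out


# Constructed samples; the second is the reply quoted in the post.
SAMPLES = [
    b"PORT 10,0,0,5,4,1\r\n",
    b"227 Entering Passive Mode (12,3,232,58,17,244).\r\n",
    b"220-Welcome, this banner line was cut by segmentation",
]
```

Calling check_payload on a sample with enforce_nl=False or port_nl=False shows the verdict after the corresponding base.def edit.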