I have a case where we have two Solaris 2.6 systems running FireWall-1
4.0 SP6 with both PORT and PASV modes enabled; however, PASV does not
work to some sites but PORT mode works fine to every site.  I also have
two Nokia boxes also on the Internet running FireWall-1 4.0 SP5 and PASV
works just fine. Also there is a single management server for the
Solaris and Nokia boxes with separate policies for each. The FTP rules
and options are the same on both.  Two sites I'm trying to get into are
ftp.isc.org and ftp.ipswitch.com.

The Solaris firewalls also have StoneBeat FullCluster and both ports 20
and 21 are excluded. Also Solaris is configured so TCP initial sequence
number generation is randomized (TCP_STRONG_ISS=2), so I don't know if
that has anything to do with it either.  I've also modified the base.def
file and tried the changes that were recently posted here for handling
\r\n terminations and extra characters with no luck. The FTP rule has
been tried with and without a resource (I'm not using a resource now).
I've tried authenticated FTP (non-transparent), non-authenticated
(transparent), FTP to the firewall cluster address, FTP to individual
firewall addresses (no clustering), etc...

Does anyone have any idea why PASV would not work to some sites with the
Solaris firewalls but it works fine with the Nokia boxes?

Ron

begin:vcard 
n:Atkinson;Ron
tel;fax:313 235-0340
tel;work:313 235-3558
x-mozilla-html:TRUE
org:Detroit Edison;Information Protection
adr:;;2000 Second Ave;Detroit;Michigan;48226;US
version:2.1
email;internet:[EMAIL PROTECTED]
title:Software Engineer
fn:Ron Atkinson
end:vcard
