This is the solution for v3.
Does anybody know the fix for v4? (I looked at the base.def and code.def files and
they are significantly different.)
According to the RFC specification (RFC 765) for the FTP protocol, the data
connection port is defined as 1 less than the control connection port (i.e.
control port = 21 and data port = 20). However, certain FTP servers or
proxies assign their data connections a port from a random high port range.
FireWall-1 FTP client handling requires a back data port = 20.
To deal with such situations, base.def and code.def (both in the $FWDIR/lib
directory) need to be edited.
FIRST
There is a macro called ftp_accept_port_clear in base.def that has the data
connection port hard coded as 20. Changing the port number from 20 to 0
causes FW-1 to treat the port number in these connections as irrelevant.
change from:
Record <dst,20,src,src1,ip_p> in accepted
to:
Record <dst,0,src,src1,ip_p> in accepted
SECOND
FW-1 needs to be instructed that when the data connection port is 0 in the
accepted table it should ignore it. This is done in code.def, where the
accepted table is parsed. This is the code in code.def:
eitherbound all@all { accept <conn> in accepted, RECORD_CONN(0); }
To add our own code, we need to add a rule that, if the second item in accepted is
0, we also accept the packet and the resulting connection, provided the
rest of the data matches. This is done as follows:
eitherbound all@all {
TABLE_NOT_EMPTY(accepted),
accept <conn> in accepted, RECORD_CONN(0);
accept <src,0,dst,dport,ip_p> in accepted, RECORD_CONN(0);
}
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
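The following is an added example, not code from the post or from FireWall-1. It models the "accepted" table as a Python set of 5-tuples and the two "accept ... in accepted" clauses from the modified code.def as plain lookups, so the effect of the two edits can be seen side by side: recording the back data connection with port 20 (unmodified base.def) versus 0 (modified), and looking it up with only the "<conn>" clause (unmodified code.def) versus with the added "<src,0,dst,dport,ip_p>" clause. The tuple layout <dst, port, src, src_port, ip_p>, the meaning of src1 as the client port announced in the PORT command, and the addresses and ports are assumptions constructed for the example; real INSPECT semantics are not reproduced.

```python
"""Model of the FTP back data connection check discussed in the post.

Added example. Assumptions (not from FireWall-1 itself):
  * an 'accepted' entry is the 5-tuple <dst, port, src, src_port, ip_p>
    recorded when a PORT command is seen on the control connection;
  * src1 is the client data port announced in that PORT command;
  * a data packet is matched as <src, sport, dst, dport, ip_p>.
All addresses and ports below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Set, Tuple

TCP = 6
Entry = Tuple[str, int, str, int, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int = TCP


def ftp_accept_port_clear(accepted: Set[Entry], ctrl_pkt: Packet,
                          announced_port: int, data_port: int = 20) -> None:
    """Model of the base.def macro: record the expected back data connection.

    data_port is 20 for the unmodified macro and 0 for the modified one
    (0 = "the server's source port is irrelevant").
    """
    accepted.add((ctrl_pkt.dst, data_port, ctrl_pkt.src, announced_port,
                  ctrl_pkt.proto))


def original_accept(accepted: Set[Entry], pkt: Packet) -> bool:
    """Model of the unmodified code.def: only 'accept <conn> in accepted'."""
    conn = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
    return conn in accepted


def modified_accept(accepted: Set[Entry], pkt: Packet) -> bool:
    """Model of the modified code.def block from the post."""
    if not accepted:                      # TABLE_NOT_EMPTY(accepted)
        return False
    conn = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
    if conn in accepted:                  # accept <conn> in accepted
        return True
    wildcard = (pkt.src, 0, pkt.dst, pkt.dport, pkt.proto)
    return wildcard in accepted           # accept <src,0,dst,dport,ip_p> in accepted


def demo(data_port_setting: int, use_modified_code_def: bool):
    """Run one configuration against three constructed back data packets.

    Returns (accepted_from_port_20, accepted_from_high_port,
             accepted_to_wrong_client_port).
    """
    accepted: Set[Entry] = set()
    # Constructed control-channel packet: client 10.0.0.5 -> server 192.0.2.10:21,
    # carrying a PORT command that announces client data port 40001.
    ctrl = Packet("10.0.0.5", 40000, "192.0.2.10", 21)
    ftp_accept_port_clear(accepted, ctrl, announced_port=40001,
                          data_port=data_port_setting)

    check = modified_accept if use_modified_code_def else original_accept
    from_port_20 = Packet("192.0.2.10", 20, "10.0.0.5", 40001)
    from_high_port = Packet("192.0.2.10", 51234, "10.0.0.5", 40001)
    wrong_client_port = Packet("192.0.2.10", 51234, "10.0.0.5", 40002)
    return (check(accepted, from_port_20),
            check(accepted, from_high_port),
            check(accepted, wrong_client_port))


if __name__ == "__main__":
    for port, modified in ((20, False), (0, False), (20, True), (0, True)):
        print(f"data_port={port} modified_code_def={modified}: "
              f"{demo(port, modified)}")
```

Running it shows why both edits are needed: with port 20 only a data connection from the server's port 20 is accepted; with port 0 but the unmodified code.def nothing matches at all, because the "<conn>" lookup carries the real source port and no entry has 0 there; only with both edits does a data connection from a random high port get through. The wildcard also shows what the check loses: once the source port is 0, the match rests on the server address, the client address, the announced client port and the protocol alone, so anything the server sends to that announced port is accepted regardless of source port.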