I have just had this sent by my VAR, on FTP issues using non-standard port
numbers. I haven't had time to try it yet, but...




Problem Description:
  - High port connections appear to be blocked
  - FTP data connection is being dropped
  - The FTP server is not using the standard port for its data connection

Solution: High port connections appear to be blocked
Usually the problem is with FTP servers which send out the data connection
from a random high port. However, if the data connection comes from a fixed
port other than 20, you need to change the FTP code in '$FWDIR/lib/base.def',
after the line
    #define ftp_accept_port_clear

Example:
Suppose the address of your irregular FTP server is 222.222.222.222, and the
port from which it issues the data connection is 3333.
After the first line
    "Entry_Type (r_ctype) = CONN_TCP, \"
add:
    set sr10 3333, \
    dst=222.222.222.222 or set sr10 20, \
(In INSPECT "," is a logical AND and "or" a logical OR, and "set" always
succeeds, so sr10 keeps the value 3333 only when the destination matches and
is reset to 20 otherwise.)
Then modify the following line to be:
    record <dst,sr10,src,sr1 ... \
If more than one server behaves in this way, add their addresses separated by
"or".

Problem Description:
  - FTP data connection is being dropped by FireWall-1
  - High port connections appear to be blocked
  - Allowing FTP data connections through the FireWall on random ports

Solution: Allowing FTP data connections through the FireWall on random ports
(10022.0.714865.2422686)
The ftp_accept_port_clear macro records the data connection in the accepted
connections table:

    #define ftp_accept_port_clear \
        ENTRY_TYPE(r_ctype) = CONN_TCP, \
        Record <dst,20,src,sr1,ip_p> in accepted, \
        FTP_TRACK_DATA_CONN( 20, TCP_TIMEOUT ), \
        Record <dst,20,src,sr1,ip_p;0 @ TCP_TIMEOUT + 100> in conn_oneway

The ftp-data connection should come from port 20 on the destination of the
packet containing the port command. It should go to the source of the packet
containing the port command, to the port in the port command, which is
assumed to be sr1 (this assumption can be verified by looking where sr1 is
set earlier in the code). Therefore, it would be a safe bet to assume that
the format of the accepted table is <source IP, source port, destination IP,
destination port, IP protocol>. You need to somehow flag INSPECT that in
these connections the source port number is irrelevant, and the way you do
that is to change the port number from 20 to 0.

You now need to tell INSPECT that when the source port in the accepted table
is zero, it should be ignored. This is done in 'code.def', where the accepted
table is parsed. This is the code in 'code.def':

    eitherbound all@all { accept <conn> in accepted, RECORD_CONN(0); }

To add your own code, you need to add that if the second item in accepted is
zero, you also want to accept the packet and the resulting connection, provided
the rest of the data matches. This is done as follows:

    eitherbound all@all {
        TABLE_NOT_EMPTY(accepted),
        accept <conn> in accepted, RECORD_CONN(0);
        accept <src,0,dst,dport,ip_p> in accepted, RECORD_CONN(0);
    }


Regards

PD
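
To make the table semantics above concrete, here is an added Python model (not
Check Point code and not part of the VAR text) of the accepted table as the
post describes it: <src IP, src port, dst IP, dst port, protocol>, with a fixed
irregular port per server standing in for sr10 and source port 0 as the wildcard
that the code.def change matches. The PORT command parser, the function names
and the sample addresses are constructed for this example.

```python
import re

TCP = 6  # IP protocol number used for the ip_p column

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

# Servers that issue the data connection from a fixed, irregular port
# (the role of sr10 in the base.def change); 222.222.222.222 is the
# constructed server from the post, everything else is assumed to use 20.
IRREGULAR_SERVERS = {"222.222.222.222": 3333}


def parse_port_command(line):
    """Return (client_ip, client_port) from an active-mode PORT command."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("PORT value out of range: %r" % line)
    return "%d.%d.%d.%d" % tuple(octets[:4]), octets[4] * 256 + octets[5]


def record_data_conn(accepted, client_ip, server_ip, port_line, wildcard=False):
    """Mirror of 'Record <dst,20,src,sr1,ip_p> in accepted': the data
    connection is expected from the server (dst of the PORT packet) to the
    client (src of the PORT packet) on the port carried in the command
    (sr1).  With wildcard=True the source port is stored as 0, the marker
    the post uses for 'source port irrelevant'."""
    _, client_port = parse_port_command(port_line)
    src_port = 0 if wildcard else IRREGULAR_SERVERS.get(server_ip, 20)
    accepted.add((server_ip, src_port, client_ip, client_port, TCP))


def is_accepted(accepted, src, sport, dst, dport, proto=TCP):
    """The two lookups of the modified code.def: the exact 5-tuple
    ('accept <conn> in accepted') and then the same tuple with source
    port 0 ('accept <src,0,dst,dport,ip_p> in accepted')."""
    return ((src, sport, dst, dport, proto) in accepted
            or (src, 0, dst, dport, proto) in accepted)
```

The wildcard entry still pins server IP, client IP and client port, so only
the source port check is relaxed, which is the point of the port-0 marker.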


> -----Original Message-----
> From: Dominik Miklaszewski [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, August 24, 2000 7:21 PM
> To:   Kain, Becki (B.); [EMAIL PROTECTED]
> Subject:      Re: [FW1] 421 ftp problem
> 
> 
> I have exactly the same issue ..
> and I also have nscd switched off.
> Actually I'm getting this thing when I try to use FTP
> resource without authentication.
> 
> Are you using NAT? There is some other PhoneBoy FAQ
> that may give you a clue ..
> http://www.phoneboy.com/fw1/faq/0179.html
> 
> Dominik
> 
> --- "Kain, Becki (B.)" <[EMAIL PROTECTED]> wrote:
> > 
> > this is 4.0, sp7 under solaris 2.6.  nscd is not running.  The question I
> > have is identical to the one in the faq on phoneboy, except for this being
> > solaris 2.6.  If I ftp through my security server, I get:
> > 
> > ftp shell.iag.net
> > Connected to shell.iag.net.
> > 220 aftpd: Check Point FireWall-1 Secure FTP server running on firewall
> > Name (shell.iag.net:user): username
> > 331 aftpd (not authenticated): Enter server password.
> > Password:
> > 421 Service not available, remote server has closed connection
> > Login failed.
> > ftp>
> > 
> > 
> > But the solution given in the faq is disable nscd, which already is.  Is
> > anyone else seeing this issue or have a solution?
> > 
> > thanks
> > 
> > becki kain
> > 
> 
> 
> =====
> Your rifle is only a tool
> it is a hard heart which kills..
>              <full metal jacket>
> --------------------------------
> Dominik M. Miklaszewski
> [EMAIL PROTECTED]
> 


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
