[EMAIL PROTECTED] wrote:
>
> Since I moved from 4.0 sp5 to 4.1 sp2 people cannot download from some
> ftp-sites.
> one of them iftp.compaq.com.
>
> The fw rejects the packet coming back from compaq with rule 0.
> Saying: unknown established TCP packet.
>
> Other FTP sites are OK
>
> Any suggestions?
>
> Hans Hamakers
> ABB Benelux
> IT Networkservices
>

Uncomment
#define ALLOW_NON_SYN_RULEBASE_MATCH
in $FWDIR/conf/fwui_head.def
and comment
#define FTP_ENFORCE_NL
in $FWDIR/conf/base.def

The first one being commented out by default causes a lot of
unestablished TCP connection errors (dropped by rule 0); the second
causes lost connections to FTP servers with no newline endings in their
data packets.

Those two "security enhancements" in 4.1SP2 cause a lot of traffic loss.
I have the impression 4.1SP2 was a panic reaction by Checkpoint, I think
nobody can use the default settings...
--
Guido Van De Velde
LUDIT - KULeuvenNet
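
Added example, not part of the original message or of Check Point's files: a small shell check that reports whether each of the two defines named in the reply is active, commented out, or absent, so the state can be recorded before and after editing. It assumes a disabled define sits on one line prefixed with "//" or "/*"; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report the state of the two
# defines discussed above. Assumption: a disabled define is a single line
# prefixed with "//" or "/*"; adjust the pattern if your files differ.

define_state() {
    # $1 = .def file, $2 = macro name; prints active | commented | absent
    file=$1
    macro=$2
    [ -r "$file" ] || { echo absent; return 0; }
    if grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+${macro}([[:space:]]|\$)" "$file"; then
        echo active
    elif grep -Eq "^[[:space:]]*(//|/\*)[[:space:]]*#[[:space:]]*define[[:space:]]+${macro}([[:space:]]|\*|\$)" "$file"; then
        echo commented
    else
        echo absent
    fi
}

check_defs() {
    # $1 = conf directory, normally "$FWDIR/conf"
    nonsyn=$(define_state "$1/fwui_head.def" ALLOW_NON_SYN_RULEBASE_MATCH)
    ftpnl=$(define_state "$1/base.def" FTP_ENFORCE_NL)
    echo "ALLOW_NON_SYN_RULEBASE_MATCH=$nonsyn FTP_ENFORCE_NL=$ftpnl"
}

demo() {
    # Constructed sample files, not copies of the shipped .def files.
    dir=$(mktemp -d)
    printf '%s\n' '// #define ALLOW_NON_SYN_RULEBASE_MATCH' > "$dir/fwui_head.def"
    printf '%s\n' '#define FTP_ENFORCE_NL' > "$dir/base.def"
    echo "defaults as described: $(check_defs "$dir")"
    printf '%s\n' '#define ALLOW_NON_SYN_RULEBASE_MATCH' > "$dir/fwui_head.def"
    printf '%s\n' '// #define FTP_ENFORCE_NL' > "$dir/base.def"
    echo "after the edits:       $(check_defs "$dir")"
    rm -rf "$dir"
}

demo
```

On a real gateway, call check_defs "$FWDIR/conf" instead of demo and keep the output with the change record.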