RE: [FW1] FTP PASV not working with 4.0 SP6 on Solaris

2000-08-10 Thread Scheidel, Greg
Some service providers/applications will only allow FTP PASV mode because they consider it more secure if their server picks the random data port instead of the client picking it. Greg S. -Original Message- From: Ronald C. Atkinson [mailto:[EMAIL

[FW1] FTP Woes : Possible PASV Mode Issue

2000-08-10 Thread Scheidel, Greg
Help, please. :) I am having a problem with an FTP package in use here for financial data transactions, called "EasyAccess". I cannot get the FTP application to work, and am fairly confident that it is the firewall that is killing it. The application supports FTP PASV mode *only*. The

RE: [FW1] FW-1 w/ CVP - resending mail endlessly

2000-08-07 Thread Scheidel, Greg
Yes, this problem sounds extremely familiar. We ran into a similar issue with TrendMicro's VirusWall (v2 thru 3.5 tested) product working with FW-1 v4.0 SP5. Our issue was based around the security server connection being maintained while the VirusWall box was under heavy load. Things

RE: [FW1] too many interfaces (was: Large number of Static Routes) on a Sun box

2000-07-17 Thread Scheidel, Greg
We had performance problems on a Sun box running two QFE cards until we upgraded to two processors and 1GB RAM. Our hardware guy said this was a known issue with the CPU getting pinned trying to handle the requests from the QFE cards. Sorry I don't have more details. Greg S. -Original

RE: [FW1] Antivirussoftware running on Solaris

2000-07-14 Thread Scheidel, Greg
To my knowledge, Trend Micro's InterScan VirusWall is the only CVP compliant virus scanner that runs on Solaris. But check out CheckPoint's web site w/OPSEC partners, maybe one is listed there. Greg S. -Original Message- From: Samuel Wuethrich [mailto:[EMAIL PROTECTED]] Sent:

RE: [FW1] Does anyone know how to block Napster?

2000-07-13 Thread Scheidel, Greg
Message- From: Craig Whytock [mailto:[EMAIL PROTECTED]] Sent: Tuesday, July 11, 2000 3:36 PM To: Scheidel, Greg; [EMAIL PROTECTED] Subject: Re: [FW1] Does anyone know how to block Napster? Hi, There is another problem which is the existence of a separate opennap napster network

[FW1] Blocking IM related services (was: Does anyone know how to block Napster?)

2000-07-13 Thread Scheidel, Greg
t of creating a bogus secondary / cache on my server (my testing didn't show any), please let me know. Greg S. -Original Message- From: amanda [mailto:[EMAIL PROTECTED]] Sent: Wednesday, July 12, 2000 8:54 AM To: Scheidel, Greg Cc: [EMAIL PROTECTED] Subject: RE: [FW1] Does

RE: [FW1] Addressing problem.

2000-07-13 Thread Scheidel, Greg
I saw a problem like this once before. It had to do with the fact that WINS was running on the local network. People would enter "website" instead of "website.mydomain". Since WINS by default on a Windows system resolves before DNS, it would get the IP address but then display that IP address

RE: [FW1] Does anyone know how to block Napster?

2000-07-12 Thread Scheidel, Greg
, July 12, 2000 8:54 AM To: Scheidel, Greg Cc: [EMAIL PROTECTED] Subject: RE: [FW1] Does anyone know how to block Napster? What are the AOL services that you are trying to block? If you just want to block all access to login.oscar.aol.com then a simple IP filter will do. Try something

RE: [FW1] Mails after installation

2000-07-12 Thread Scheidel, Greg
I don't believe that FW-1 spools your e-mail except when you are using an SMTP Resource; it simply checks the SMTP packets against its rule base as it would any other packet. Greg S. -Original Message- From: Rohit Mungur [mailto:[EMAIL PROTECTED]] Sent: Wednesday, July 12,

RE: [FW1] ftp problem

2000-07-12 Thread Scheidel, Greg
Firewall Policy/Properties/Services/"Enable FTP PASV Data Connections" - Off. This setting does exactly the opposite of what you'd expect. "tried to open other host port" is indicative of this problem. Greg S. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]

RE: [FW1] logical interfaces

2000-07-12 Thread Scheidel, Greg
Can your OS support it? Generally yes, but specifics depend on your OS. Looks like you might be talking about Solaris, in which case yes, but you probably already knew that. Can FW-1 support it? Yes, but you have to be careful about defining your anti-spoofing. Create a group containing all

RE: [FW1] Does anyone know how to block Napster?

2000-07-11 Thread Scheidel, Greg
I have attempted to implement putting server.napster.com in our DNS, but have not been successful. I have attempted adding it directly to the named.root file, our standard hosts file, and a separate "hint" cache file with no luck. The closest I've come is creating a separate zone-of-authority

RE: [FW1] Policy Editor problem.

2000-07-10 Thread Scheidel, Greg
Important: To avoid potential problems, make sure you stop the firewall before deleting the manage.lock file. So from a console execute "fwstop;rm $FWDIR/manage.lock;fwstart". Greg S. -Original Message- From: THELLIER, Francis (Kedros) [mailto:[EMAIL PROTECTED]] Sent: Monday,

RE: [FW1] Session Timeout

2000-06-23 Thread Scheidel, Greg
Check your firewall policy properties, specifically Security Policy/TCP Session Timeout. Default is 3600 seconds. From docs: "The time period after which a TCP session will be considered to have timed out." (from its state table) "Firewall-1 inspects each and every TCP packet against the

RE: [FW1] How to block MP3 download

2000-06-23 Thread Scheidel, Greg
Indeed. Napster by default tries , , , 6699, , 8875, but can use any port number. A pretty good article is at http://www.securityportal.com/closet/closet2419.html. Greg S. -Original Message- From: Jack Coates [mailto:[EMAIL PROTECTED]] Sent: Thursday,

RE: [FW1] Two Interfaces on the same nic

2000-06-23 Thread Scheidel, Greg
Firewall-1 will not recognize the sub-interface at all. To prove this out, create a dummy firewall object (purely to avoid accidentally making changes to your production object) and use 'Get Interfaces'. It will display only the physical interfaces. Making manual changes to this list

[FW1] new Yahoo Instant Messenger Login Server (was : FYI - login.oscar.aol.com changed)

2000-06-19 Thread Scheidel, Greg
it is? - Jason Gross Network Communications Services Platform Engineering Operations Services United Space Alliance [EMAIL PROTECTED] V: (321) 799-6601 F: (321) 799-5970 -Original Message- From: Scheidel, Greg [mailto:[EMAIL

[FW1] Yahoo Instant Messenger / AIM / ICQ / Napster / etc - security review?

2000-06-19 Thread Scheidel, Greg
Does anybody have any references (soft or hard copy, magazine articles, cert advisories, bug lists, whatever) that cover the various vulnerabilities of these applications? Barring that, does anybody have any opinions on these applications that they could share? Greg S.

RE: [FW1] reject smtp msgs

2000-06-13 Thread Scheidel, Greg
I am having the same type of problem, running FW-1 v4.0 SP5. I have tested with the SMTP Resource not referencing our CVP Server at all, and configured to allow all traffic, and still see the same results. My issue is definitely the FW-1, not our content scanner. I've got an open ticket with

RE: [FW1] reject smtp msgs

2000-06-13 Thread Scheidel, Greg
S. -Original Message- From: John Stevenson [mailto:[EMAIL PROTECTED]] Sent: Tuesday, June 13, 2000 9:02 AM To: Scheidel, Greg; [EMAIL PROTECTED] Subject: RE: [FW1] reject smtp msgs A few thoughts/questions: 1) are you running any sort of HA? stonebeat? rainwall? etc...

RE: [FW1] redundant internet service providers

2000-06-13 Thread Scheidel, Greg
www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t3 multippp.htm www.cisco.com/warp/customer/cc/cisco/mkt/core/adap/multi/tech/althb_wp.htm www.3com.com/solutions/enterprise/wansolutions/wanpapers http://207.235.6.38/ www.atmforum.com www.larsom.com/products

RE: [FW1] More SYN Defender Problems

2000-06-13 Thread Scheidel, Greg
- For all testing, test with an application that you can control and not have any traffic except your tests. - TCP Timeout default setting is 3600 secs. Try setting to that and retest; see if it makes a difference. If it does, then it points to TCP Timeout setting. - Make sure you've turned

RE: [FW1] MimeSweeper

2000-05-31 Thread Scheidel, Greg
I can't speak to MimeSweeper, as I haven't gotten to that one in my own evals, but just in case you're looking at Trend Micro's InterScan VirusWall product... DON'T USE IT. Their tech support is abominable. Even before the ILOVEYOU virus, I would spend from 1 to 3 hours on hold, and then up to