J. T. B.,
Thanks for responding (you're the second one in two weeks.)
Yes, if I specifically tell the firewall to allow these connections
back, it works. But I want to run GEIS over the ports 21/20
and allow FW-1 to track the sessions as a 'normal' FTP. IOW,
I don't want to open these higher ports, just for the sake of
'fixing' GEIS.
If I only use 'normal' FTP, it works great. The firewall handles
the whole session. I have enabled the data port in the policy
properties.
After speaking with GEIS technical support, I seemed to have
come across something GEIS is aware of (and has other customers
complaining about the same thing.)
Their software ignores the port command and digs out the port#
the client requested from deeper within the packet (this is supposedly
how they know about the original port#.) GEIS said that this is the
'newer' standard, but I have not been able to find RFC info on this.
Any help on this 'standard' is welcome.
It also seems that GEIS software is not responding from the port#
defined for the DATA(20) port. They seem to arbitrarily pick a high port
to respond with. GEIS is looking into this.?? If their software responded
back with the right source port to the right destination port, I'm positive
the firewall rules set for 'normal' FTP will prevail.
btw, the other response I received, wanted to make
sure that snoop wasn't cutting off (via the display) the port command after
the 20th byte, so it appeared to be different from the normal. I don't think
that's what's happening, but to be sure I'm going to run a real sniffer on it
later today.
With all that said, if anyone has a definite answer to my original question -
like FW-1 is no different than any other system, when it comes to the PORT
command, I'm all ears. Thanks.
Sorry for the long-windedness,
Robert
- -
Robert P. MacDonald, Network Engineer
G o r d o n F o o d S e r v i c e
Voice: +1.616.261.7987 email: [EMAIL PROTECTED]
>>> "J. T. B." <[EMAIL PROTECTED]> 03/01/00 10:45AM >>>
>
>Robert, have you told the firewall to disallow the TCP-Highports range? or
>conversely, have you told the firewall to ALLOW these ports for this rule?
>It looks to me as if it would work, but your firewall is doing what it's
>supposed to based on your rule set. I may be wrong, not being able to see your
>rule set, but check that out... Looks to me as if the firewall is dropping
>the packets because you haven't defined the rule quite right.
>
>
>>From: "Robert MacDonald" <[EMAIL PROTECTED]>
>>To: [EMAIL PROTECTED]
>>Subject: How FW-1 calculates PORT numbers
>>Date: Tue, 29 Feb 2000 12:54:07 -0500
>>
>>This was posted to the Firewall-1 list last week, w/o luck.
>>
>>I'm in digest form, so if I could ask for any responses to be CC'd
>>to me directly, in addition to the list would be greatly appreciated.
>>
>>- - -
>>I'm having trouble understanding how FW-1 calculates port
>>numbers when a client FTP's through our firewall to an FTP
>>server in a DMZ. The setup is;
>>
>***Snip techno mumbo jumbo ;-)
>>
>>it too is dropped?? The following are the exported, filtered logs and
>>are wrapped. I did clean up addresses and names. The empty ""
>>are exactly from the log. The first one is of a 'normal' successful
>>FTP session. The second belongs to the two drops below.
>>
>>"21Feb2000" "14:20:15" "qfe0" "m.n.o.p" "accept" "ftp"
>>"ftpclient" "ftpsvr" "tcp" "7" "1084" "fw" "ftpsvr" "42353" "ftp"
>>"21Feb2000" "14:29:34" "qfe0" "m.n.o.p" "accept" "ftp"
>>"ftpclient" "ftpsvr" "tcp" "7" "1089" "fw" "ftpsvr" "44278" "ftp"
>>
>>And here are the two drops referenced above.
>>
>>"21Feb2000" "14:29:45" "qfe5" "m.n.o.p" "drop" "1090"
>>"ftpsvr" "ftpclient" "tcp" "34" "32862" "ftpsvr" "fw" "32862"
>>"44312"
>>"21Feb2000" "14:31:25" "qfe5" "m.n.o.p" "drop" "44312"
>>"ftpsvr" "fw" "tcp" "4" "32862" "" "" "" ""
>>
>>Any and all help is much appreciated. Thank you all for 'listening'!
>>Robert
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
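As an added illustration (not part of this thread or of any poster's message), here is a Python sketch of the calculation Robert asks about: a stateful firewall that understands FTP decodes the client's `PORT h1,h2,h3,h4,p1,p2` command, expects the server to connect back from port 20 to the advertised address and port `p1*256+p2`, and treats any other server-to-client connection as unrelated traffic. The addresses, ports and the `parse_port_command`, `expected_data_connection` and `check_data_connection` helpers are constructed for this example; the second "observed" tuple models a server that answers from an arbitrary high source port, which is the behaviour the thread describes.

```python
import re
from typing import Tuple

# Active-mode FTP: the client sends "PORT h1,h2,h3,h4,p1,p2" on the control
# connection; the server is then expected to open the data connection from
# its port 20 to h1.h2.h3.h4:(p1*256 + p2).  A stateful firewall parses the
# command and permits exactly that one return connection.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)
FTP_DATA_PORT = 20

# (server_ip, server_port, client_ip, client_port) of a data connection
Endpoint4 = Tuple[str, int, str, int]


def parse_port_command(line: str) -> Tuple[str, int]:
    """Decode a PORT command into (client_ip, client_port)."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a well-formed PORT command: {line!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"PORT field out of range (0-255): {line!r}")
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("PORT advertises port 0")
    return ip, port


def expected_data_connection(server_ip: str, control_client_ip: str,
                             port_line: str) -> Endpoint4:
    """Compute the single data connection the firewall should allow back.

    The advertised address must be the control connection's own client
    address; a PORT naming some other host (the FTP "bounce" case) is refused.
    """
    client_ip, client_port = parse_port_command(port_line)
    if client_ip != control_client_ip:
        raise ValueError(
            f"PORT address {client_ip} does not match control client {control_client_ip}"
        )
    return (server_ip, FTP_DATA_PORT, client_ip, client_port)


def check_data_connection(expected: Endpoint4, observed: Endpoint4) -> Tuple[bool, str]:
    """Decide whether an observed server->client SYN matches the expected tuple."""
    if observed == expected:
        return True, "matches PORT command"
    exp_sip, exp_sport, exp_cip, exp_cport = expected
    obs_sip, obs_sport, obs_cip, obs_cport = observed
    if obs_sip != exp_sip or obs_cip != exp_cip:
        return False, "data connection between unexpected hosts"
    if obs_sport != exp_sport:
        return False, f"server used source port {obs_sport} instead of {exp_sport}"
    return False, f"server connected to port {obs_cport} instead of {exp_cport}"


if __name__ == "__main__":
    # Constructed sample values (not taken from the thread's logs).
    server, client = "192.0.2.10", "10.0.0.5"
    expected = expected_data_connection(server, client, "PORT 10,0,0,5,4,156")
    print("expected data connection:", expected)  # port 4*256+156 = 1180
    for observed in [
        (server, 20, client, 1180),     # well-behaved server: allowed
        (server, 32862, client, 1180),  # server answering from a high port: dropped
    ]:
        print(observed, check_data_connection(expected, observed))
```

The second case is the one a 'normal' FTP rule set cannot accept: the firewall has only been told to expect a connection from port 20, so a data connection from a high source port looks like an unrelated inbound connection and is dropped.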