On Mon, Oct 16, 2000 at 08:00:18AM -0400, Rick Murphy wrote:
> The ability to set the outbound data port to 20 (or whatever) was
> added because as far as the customer was concerned, Gauntlet's FTP
> proxy was broken - you could FTP through the Firewall-1 system from
> outside the firewall OK; put the firewall in place and FTP
> failed. Checkpoint support said it was a Gauntlet bug, so we
> eventually gave up and added the option. We had similar problems
> with Checkpoint requiring all of the "PORT" command - including the
> line terminator - be in one TCP packet.
For the latter problem, the admin of a network we worked with was able
to convince his Checkpoint engineer that it was their fault. Here's
the relevant part of what he forwarded to me:
$ The following changes in file ..\lib\base.def are :
$
$ //#define FTPPORT(match) (call KFUNC_FTPPORT <0x1|(match)>) (...put this line on remark ..)
$ //
$ // Use this if you do not want the FW-1 module to insist on a newline at the
$ // end of the PORT command:
$ #define FTPPORT(match) (call KFUNC_FTPPORT <(match)>) (..open this line)
Although this was before the whole PORT mess on BUGTRAQ, so it's
likely that the relevant lines have changed.
- Morty