Daniel Crichton wrote:

> I did already have "fixup protocol ftp 21" on the PIX, although I don't
> run any ftp servers. It seems that this is a default on a new box. I tried
> disabling this, and now I can ftp to the hosting provider.
This might be the result of the "add another layer of toilet paper" fix that Cisco (and everyone else, for that matter) used to thwart the firewall ruleset bypasses via FTP that are otherwise possible. They now require that each and every packet in the command channel is terminated by CR/LF. If a command channel packet ISN'T terminated (e.g. split in two separate segments, or if some FTP client only terminates the line using LF), the PIX will drop that packet, and FTP will break.

If passive mode starts working when you disable the ftp fixup, I'd suspect something along these lines.

But you shouldn't be allowing active FTP to your clients anyway -- bad security practice.

/Mike

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00
Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50
WWW: http://www.clavister.com
"Senex semper diu dormit"

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
