Dear all,

I found this problem is somehow related to the personal firewall on
WinXP as well!

I have a PC running WinXP SP2 and it failed to ftp to 'ftp.ncbi.gov.hk'. It
worked after I turned off the personal firewall. But when I connect the
PC 'outside' the Check Point firewall, I can connect whether the
personal firewall is turned on or not.

Also, I would like to know if disabling 'FTP_ENFORCE_NL' (and turning on
'FTP_CHECK_PACKET') under base.def will solve my ftp problem. Will it be
more secure than changing the protocol from 'ftp' to 'ftp_basic'?

Any ideas?

Regards,
Toby



Jean-Paul Baillon wrote:

It all depends on what type of FTP server you are using

From CheckPoint's FW-1 Datasheet

FTP_BASIC Protocol Type
FTP_BASIC is a new protocol type. This protocol type enforces a reduced
set of the FTP security checks done by the regular FTP protocol type.
Using FTP_BASIC eliminates known connectivity problems with FTP
implementations that are not fully RFC compliant. The following checks
are NOT enforced by FTP_BASIC, and are enforced by the FTP protocol
type:
* That every packet is terminated with a newline character, so that the
PORT command is not split across packets. This protects against the FTP
Bounce attack - this is covered in SmartDefense
* Data connections to or from well-known ports are not allowed, to
prevent the FTP data connection being used to access some other service.
* Bidirectional traffic on the data connection is not allowed, as it can
be used improperly

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Toby
Chan [ITS]
Sent: Wednesday, 18 May 2005 12:32 PM
To: [email protected]
Subject: [FW-1] Error ftp to ftp.ncbi.nih.gov

Dear all,

I'm using R55 on SPLAT and we found a problem with ftp to 'ftp.ncbi.nih.gov'.
It seems I have established a connection but am suddenly disconnected when
printing out the welcome message. It's strange that only certain types
of ftp clients encounter this problem, i.e.:
WS_FTP - failed
'ftp' command on WinXP - failed
'ftp' command on Solaris - failed
'ftp' command on Linux - success!

All the clients I tested work normally when connecting to other ftp
servers.

From SmartView Tracker I saw the error message: 'message_info: Port command
ended without a new line'. Searching the knowledge base we found:

Solution ID: sk26049
Solution Title: Error: 'port command ended without a new line'
Visit solution:
https://secureknowledge.us.checkpoint.com/SecureKnowledge/viewSolutionDocument.do?id=sk26049

For Disclaimer of Warranty and Copyright info:
http://www.checkpoint.com/copyright.html

It suggests changing the protocol from 'FTP' to 'FTP_BASIC'.

Any suggestions?

Regards,
Toby

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
[EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options,
email [EMAIL PROTECTED]
=================================================


--
===========================
Toby Chan - TSS/ITS/POLYU
E-mail: [EMAIL PROTECTED]
Tel   : 3400-2503
Fax   : 2764-2647
===========================
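
The first two checks from the datasheet text quoted in this thread (each control-channel packet ends with a newline so a PORT command is not split, and no data connection to a well-known port), modelled per packet as an added example. It is not part of the original thread and not Check Point's implementation. The function names and sample payloads are constructed, and only the port advertised in the PORT command is examined.

```python
import re

# RFC 959 syntax: PORT h1,h2,h3,h4,p1,p2 followed by CRLF.
PORT_LINE = re.compile(rb"PORT (\d{1,3}(?:,\d{1,3}){5})\r?\n", re.IGNORECASE)

def check_segment(payload: bytes) -> list[str]:
    """Findings for one client-to-server control-channel TCP payload."""
    findings = []
    # Check 1: the payload must end with a newline, so no command
    # (PORT in particular) continues in the next packet.
    if not payload.endswith(b"\n"):
        findings.append("payload not terminated by newline")
    for line in payload.splitlines(keepends=True):
        if not line.upper().startswith(b"PORT"):
            continue
        m = PORT_LINE.fullmatch(line)
        if m is None:
            findings.append("PORT command incomplete or malformed")
            continue
        nums = [int(n) for n in m.group(1).split(b",")]
        if max(nums) > 255:
            findings.append("PORT argument octet out of range")
            continue
        port = nums[4] * 256 + nums[5]
        # Check 2: no data connection to a well-known port.
        if port < 1024:
            findings.append(f"data port {port} is a well-known port")
    return findings

def check_stream(segments: list[bytes]) -> dict[int, list[str]]:
    """Map segment index -> findings, omitting clean segments."""
    return {i: f for i, seg in enumerate(segments) if (f := check_segment(seg))}

# Constructed sample payloads (192.0.2.10 is a documentation address).
SAMPLE = [
    b"USER anonymous\r\n",
    b"PORT 192,0,2,10,19,137\r\n",   # complete, port 19*256+137 = 5001
    b"PORT 192,0,2,10,19,137",       # newline arrives in the next packet
    b"\r\n",
    b"PORT 192,0,2,10,0,21\r\n",     # advertises port 21
]

if __name__ == "__main__":
    for idx, found in check_stream(SAMPLE).items():
        print(idx, found)
```

The third sample payload is the situation behind the 'Port command ended without a new line' log entry: the command text is valid, but its terminator travels in a separate packet.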
