hi,

The $FWDIR/lib/ftp.def file contains the following instructions:

// If you do not want the FW-1 module to insist on a newline at the end of the
// PORT command, change the following '1' to '0' and re-install the policy

#define FTPPORT_NL 1

so please do (taken from CP-support web):
   * Issue cpstop from the command line, stopping all services on Smart Center.
   * Edit the $FWDIR/lib/ftp.def file and change FTPPORT_NL 1 to FTPPORT_NL 0
   * Issue cpstart from the command line, starting all services.
   * Reinstall the Security Policy.

br
reinhard

At 16:34 18.10.2007, you wrote:
Hi,
Cluster HA, Cp-NGx R62 on splat:
we have an active FTP session that tries to transfer a lot of small files
from/to a client to a server FTP (up/download)

The Client gives us a "communication error" and
CP logs this:


Product:                       SmartDefense
Interface:                     eth1
Origin:                         a.b.c.d
Type:                           Log
Action:                         Reject
Protocol:                       tcp
Service:                       ftp-basic (21)
Source:                         d.e.f.g
Destination:                 StaticNatIP02 (h.i.l.m)
Source Port:                 4656
Attack Name:               FTP Bounce
Attack Information:       Port/227 command missing a newline character
SmartDefense Profile:                 No Protection

1st we are not using a "ftp-bounce attack"
2nd SmartDefense is in Monitor only (SmartDashboard).

How can I disable SmartDefense totally on the FTP protocol?

Thanks

Corrado

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================

--
Reinhard Stich          [EMAIL PROTECTED]
Internet Security AG,      1150 Wien, Johnstrasse 29
Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333