Title: FTP through FW-1 with NAT
Larry,
 
Refer to the info below; I got this info from the ISS mailing list some time back. It might be of some help to you.
 
FTP is a protocol that opens 2 TCP connections... The first is the "Control" port. This will start with the "Random" source address and have a destination address of 21 as you would expect.

When you connect to the remote server a FTP-DATA connection will be returned. The destination port will be "deterministic based on the Source port of your original control connection". This means the connection is "SEMI RANDOM", making it hard to configure the firewall.

The "FTP-DATA" connection can go in 2 directions depending on your client... (IE tends to use Passive mode. Command line uses Active mode; read on...)

There is an "active" connection which is the original FTP standard. Active means the destination FTP server will connect BACK to the client.

The "Passive" FTP connection means the client will make a second connection to the server.

What does this mean for you?

Depends on your firewall.

Some firewalls know the behaviour of FTP and just make allowances for it. EG Checkpoint FW1.

Others will need you to make the Data connection handled as a separate rule.

Note: If you read the MS Proxy release notes (from TechNet or the Knowledge Base, not the CD version), there is mention of setting your Proxy server to only use "Passive mode". It is a registry hack to do so.

I would suggest if your firewall needs the Data set up specifically then you will need to set it to passive, as allowing "outbound protocols" from that server is FAR less risky than allowing "inbound" for a large range of addresses.
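The active/passive distinction described in the quoted text, worked through as an added example (this is not code from the mailing-list post, FW-1 or ISS): it decodes the server's `227` PASV reply, builds the client's `PORT` command, flags when that command carries a private address that a NAT device would have to rewrite, and states the single data-channel rule a firewall without FTP awareness would need in each mode. The addresses and the function names (`parse_pasv`, `build_port_command`, `port_needs_nat_rewrite`, `data_channel_rule`) are constructed for the example.

```python
"""Added example: how the FTP data channel is negotiated in active (PORT)
and passive (PASV) mode and what that means for a firewall rule.
Addresses and helper names are constructed; not from the original post."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Tuple

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": the six numbers carry the
# server-side address and port the client must connect to for FTP-DATA.
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Decode a PASV reply into (host, port); the port is p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("PASV field out of range")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def build_port_command(client_ip: str, client_port: int) -> str:
    """Encode the client's address/port the way the PORT command carries it."""
    addr = ipaddress.IPv4Address(client_ip)  # raises on a malformed address
    if not 1024 <= client_port <= 65535:
        raise ValueError("data port should be an unprivileged port")
    octets = str(addr).split(".")
    return f"PORT {','.join(octets)},{client_port // 256},{client_port % 256}"


def port_needs_nat_rewrite(client_ip: str) -> bool:
    """True when the PORT payload holds a private (RFC 1918-style) address:
    a NAT device must rewrite it, or the server calls back an unroutable IP."""
    return ipaddress.IPv4Address(client_ip).is_private


@dataclass(frozen=True)
class DataRule:
    """The extra rule a firewall without FTP awareness needs for FTP-DATA."""
    direction: str  # "inbound" = server opens it, "outbound" = client opens it
    src: str
    dst: str


def data_channel_rule(mode: str, client_ip: str, server_ip: str, data_port: int) -> DataRule:
    """Which side opens the data connection, and between which endpoints."""
    if mode == "active":
        # Server connects from its port 20 back to the port the client advertised.
        return DataRule("inbound", f"{server_ip}:20", f"{client_ip}:{data_port}")
    if mode == "passive":
        # Client connects from an ephemeral port to the port the server advertised.
        return DataRule("outbound", f"{client_ip}:*", f"{server_ip}:{data_port}")
    raise ValueError("mode must be 'active' or 'passive'")


def demo() -> None:
    # Constructed exchange: a private client behind NAT talking to a server.
    client_ip, server_ip = "10.1.1.25", "198.51.100.7"
    reply = "227 Entering Passive Mode (198,51,100,7,19,137)"  # constructed
    host, port = parse_pasv(reply)
    print("C: PASV")
    print("S:", reply, "->", data_channel_rule("passive", client_ip, host, port))
    cmd = build_port_command(client_ip, 5001)
    print("C:", cmd, "| private address, NAT must rewrite:", port_needs_nat_rewrite(client_ip))
    print("S: 200 PORT command successful ->",
          data_channel_rule("active", client_ip, server_ip, 5001))


if __name__ == "__main__":
    demo()
```

The passive rule is outbound from the client to one advertised server port, which is the "far less risky" case the quoted text recommends; the active rule is an inbound connection to a client port chosen per session, which is why a firewall has to either track the control channel (as FW-1 does) or hold open a range.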

----- Original Message -----
From: Larry Wu
Sent: Wednesday, June 28, 2000 8:12 PM
Subject: [FW1] FTP through FW-1 with NAT


I am currently using FW-1 with NAT for all outgoing internet traffic. I'm having problems accessing the FTP server on our ISP. From the log I see my initial ftp connection passing through but the return message is dropped. The service of the returned message is 'ident', a predefined service for port 113. I then created a rule to allow this 'Ident' service to pass through. The log shows it is accepted but I still cannot access the FTP site. I have no problems accessing other FTP sites. But most sites I do download from allow anonymous sessions. Has anyone encountered this type of problem? Any help will be much appreciated.

Larry
