The easiest way to handle this is to reject all IDENT traffic, not drop it.
Dropping it will still leave mail and ftp servers waiting for a response,
but reject will basically let each know that it is not permitted. Lance
Spitzner has done a good write-up on this labeled "rulebase building", I
think.
I RARELY do rejects, and this is a small exception.
Thomas Poole
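As an added illustration (not from the thread or from Check Point), here is a Python sketch of the ident lookup a mail or FTP server performs on an incoming connection, showing why port 113 being rejected returns immediately while being dropped stalls the server for its full timeout; the reply parser follows the RFC 1413 line format, and the closed local port used in testing stands in for a reject rule.

```python
import socket
import time

IDENT_PORT = 113  # RFC 1413 identification protocol


def ident_query(host, server_port, client_port, timeout=5.0, ident_port=IDENT_PORT):
    """Issue the ident lookup a mail/FTP server makes for a new client connection.

    Returns (state, detail):
      ("refused", seconds)  port 113 rejected (TCP RST) or no identd: returns at once
      ("timeout", seconds)  port 113 dropped: the server stalls for the whole timeout
      ("reply", text)       an ident daemon answered; text is the raw reply line
      ("error", text)       any other socket error
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, ident_port), timeout=timeout) as s:
            # RFC 1413 request: "<port on querying server> , <port on queried client>"
            s.sendall(f"{server_port} , {client_port}\r\n".encode("ascii"))
            data = s.recv(1024)
        return ("reply", data.decode("ascii", "replace").strip())
    except ConnectionRefusedError:
        return ("refused", time.monotonic() - start)
    except (socket.timeout, TimeoutError):
        return ("timeout", time.monotonic() - start)
    except OSError as exc:
        return ("error", str(exc))


def parse_ident_reply(line):
    """Parse an RFC 1413 reply such as '6193, 23 : USERID : UNIX : stjohns'
    or '6195, 23 : ERROR : NO-USER' into a dict."""
    ports, _, rest = line.partition(":")
    sp, _, cp = ports.partition(",")
    fields = [f.strip() for f in rest.split(":")]
    result = {"server_port": int(sp), "client_port": int(cp), "type": fields[0]}
    if fields[0] == "USERID":
        result["opsys"] = fields[1]
        result["user"] = ":".join(fields[2:])  # the user token may itself contain ':'
    elif fields[0] == "ERROR":
        result["error"] = fields[1]
    return result


if __name__ == "__main__":
    # Constructed sample: query localhost for a connection from client port 40000
    # to our port 25, with a short timeout so a dropped 113 stalls only 2 seconds.
    print(ident_query("127.0.0.1", 25, 40000, timeout=2.0))
```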
-----Original Message-----
From: Steve Smith [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 28, 2000 10:32 PM
To: Larry Wu; [EMAIL PROTECTED]
Subject: Re: [FW1] FTP through FW-1 with NAT
>
My support people have told me that older FTP servers using IDENT are a
problem for FW-1. I don't know what version this started with, but I am
seeing quite a few similar FTP problems happening with version
4.1 SP1.
Steve
> Larry Wu wrote:
>
> I am currently using FW-1 with NAT for all outgoing internet traffic. I'm
> having problems accessing the FTP server on our ISP. From the log I see my
> initial ftp connection passing through but the return message is dropped.
> The service of the returned message is 'ident', a predefined service for
> port 113. I then create a rule to allow this 'Ident' service to pass thru.
> The log shows it is accepted but I still cannot access the FTP site. I have
> no problems accessing other FTP sites. But most sites I do download from
> allow anonymous sessions. Has anyone encountered this type of problem? Any
> help will be much appreciated.
>
> Larry
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================