Hello,
we're running 3.0b-3083 and have a question regarding stateful inspection
for ftp sessions initiated with the "sendport" command.
The sendport command suppresses the sending of the PORT command during
active ftp sessions. From the Solaris manpage for ftp:
    sendport
        Toggle the use of PORT commands. By default, ftp will attempt to use a
        PORT command when establishing a connection for each data transfer.
        The use of PORT commands can prevent delays when performing multiple
        file transfers. If the PORT command fails, ftp will use the default
        data port. When the use of PORT commands is disabled, no attempt will
        be made to use PORT commands for each data transfer. This is useful
        when connected to certain FTP implementations that ignore PORT
        commands but incorrectly indicate they have been accepted.
So, since the firewall never sees the PORT command, it can't statefully
inspect (at least in 3.0b-3083) the data path, and the data connection gets
dropped.
Apparently there are some ftp clients out there, out of my control, that use
this mechanism. Hence my dilemma....
The nice thing is that the data path appears to always use the same port,
namely the source port of the control connection. So if x -> 21 then 20 ->
x will be the data connection. Or at least that seems to be the case.
Does anyone know if an upgrade to 4.[01] will solve this problem, and/or if
anyone has done some creative hacking to the base.def to record and allow
the 20->x connection back, somewhat akin to the modifications for the tis
ftp-gw problem a few years back? Something like a default return port,
recorded from the x->21 connection that is then overwritten with the
calculated port from the port command?
Thanks in advance, -d
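As an added illustration (not code from the original post, nor from Check Point's base.def), here is a small Python model of the two rules a stateful FTP helper can use to admit the 20 -> x data SYN: the RFC 959 default, under which the client's default data port is its own control-connection port (exactly the behaviour observed above), overridden whenever a PORT command is actually seen on the control channel. The addresses, ports and PORT line are constructed sample values.

```python
# Added toy model (not Check Point INSPECT/base.def code) of how a stateful
# FTP helper could learn the active-mode data port; sample values constructed.
import re
from dataclasses import dataclass, field

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

@dataclass
class FtpHelper:
    allow_default_data_port: bool               # honour the RFC 959 default?
    pinholes: set = field(default_factory=set)  # (srv_ip, 20, cli_ip, cli_port)

    def control_open(self, cli_ip, cli_port, srv_ip):
        # New x -> 21 control: RFC 959 makes x the default data port; pre-record 20 -> x.
        if self.allow_default_data_port:
            self.pinholes.add((srv_ip, 20, cli_ip, cli_port))

    def control_data(self, cli_ip, cli_port, srv_ip, line):
        # A PORT command replaces the default pinhole with the announced port.
        m = PORT_RE.match(line)
        if not m:
            return False
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        ip, port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
        if ip != cli_ip or not 0 < port < 65536:
            return False          # third-party or malformed PORT: no pinhole
        self.pinholes.discard((srv_ip, 20, cli_ip, cli_port))
        self.pinholes.add((srv_ip, 20, ip, port))
        return True

    def allow_data_syn(self, src_ip, src_port, dst_ip, dst_port):
        # A server-initiated SYN passes only if a matching one-shot pinhole exists.
        key = (src_ip, src_port, dst_ip, dst_port)
        found = key in self.pinholes
        self.pinholes.discard(key)
        return found

def sendport_off_scenario(default_port_fallback):
    """Client toggled 'sendport' off: no PORT command ever crosses the firewall."""
    fw = FtpHelper(allow_default_data_port=default_port_fallback)
    fw.control_open("10.1.1.5", 40001, "192.0.2.10")
    return fw.allow_data_syn("192.0.2.10", 20, "10.1.1.5", 40001)

def port_scenario():
    """Normal client: PORT 10,1,1,5,160,2 announces port 160*256+2 = 40962."""
    fw = FtpHelper(allow_default_data_port=True)
    fw.control_open("10.1.1.5", 40001, "192.0.2.10")
    fw.control_data("10.1.1.5", 40001, "192.0.2.10", "PORT 10,1,1,5,160,2")
    return (fw.allow_data_syn("192.0.2.10", 20, "10.1.1.5", 40001),
            fw.allow_data_syn("192.0.2.10", 20, "10.1.1.5", 40962))
```

Without the default-port rule the sendport-off client's 20 -> x SYN is dropped, which is the failure described above; with it, the SYN is admitted, and a real PORT command still wins when one is seen.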
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================