Hello,

we're running 3.0b-3083 and have a question regarding stateful inspection 
for ftp sessions initiated with the "sendport" command.

The sendport command is a command that suppresses the sending of the port 
command during active ftp sessions.  From the Solaris manpage for ftp:
     sendport
          Toggle the use of PORT commands.  By default, ftp  will
          attempt  to use a PORT command when establishing a con-
          nection for each data transfer.  The use of  PORT  com-
          mands  can prevent delays when performing multiple file
          transfers. If the PORT command fails, ftp will use  the
          default  data  port.  When  the use of PORT commands is
          disabled, no attempt will be made to use PORT  commands
          for  each data transfer.  This is useful when connected
          to certain FTP implementations that  ignore  PORT  com-
          mands but incorrectly indicate they have been accepted.

So, since the firewall never sees the PORT command, it can't statefully inspect (at 
least in 3.0b-3083) the data path and the data connection gets dropped.  
Apparently there are some ftp clients out there, out of my control, that use this 
mechanism.  Hence my dilemma...

The nice thing is that the data path appears to always use the same port, 
namely the source port of the control connection.  So if x -> 21 then 20 -> 
x will be the data connection.  Or at least that seems to be the case.

Does anyone know if an upgrade to 4.[01] will solve this problem, and/or if 
anyone has done some creative hacking to the base.def to record and allow 
the 20->x connection back, somewhat akin to the modifications for the tis 
ftp-gw problem a few years back?  Something like a default return port, 
recorded from the x->21 connection that is then overwritten with the 
calculated port from the port command?

Thanks in advance,  -d
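The default-data-port behaviour described in the mail above, as an added example that is not part of the original post or of any Check Point code: a small Python model of the state a firewall would have to keep per control connection. With no PORT command seen (client has toggled `sendport` off), RFC 959's default applies: server port 20 to the client's control-connection source port; when a PORT command is seen, the expected port is recomputed from it. Names such as `ControlConn` and `on_control_line` are hypothetical, and all addresses are constructed.

```python
# Added example (not Check Point code): track the data connection an active-FTP
# session will open, with or without a PORT command. Hypothetical helper names.
import re
from dataclasses import dataclass, field

# "PORT h1,h2,h3,h4,p1,p2" as sent by the client on the control connection
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


@dataclass
class ControlConn:
    client_ip: str
    client_port: int       # the "x" in the mail: source port of x -> 21
    server_ip: str
    # (src_ip, src_port, dst_ip, dst_port) of the data connection we expect
    expected_data: tuple = field(init=False)

    def __post_init__(self):
        # RFC 959 default data port: if no PORT command is ever seen, the
        # server connects from port 20 back to the control-connection port.
        self.expected_data = (self.server_ip, 20, self.client_ip, self.client_port)

    def on_control_line(self, line: str) -> bool:
        """Update the expected data connection from a client PORT command.

        Returns False, and keeps the current expectation, if the line is not
        a well-formed PORT command or names a host other than the client
        itself (a third-party target should never be opened on its behalf).
        """
        m = PORT_RE.match(line)
        if not m:
            return False
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
            return False
        host = f"{h1}.{h2}.{h3}.{h4}"
        if host != self.client_ip:
            return False
        self.expected_data = (self.server_ip, 20, host, p1 * 256 + p2)
        return True

    def allows(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
        """Would an inbound data-connection SYN with these endpoints be accepted?"""
        return (src_ip, src_port, dst_ip, dst_port) == self.expected_data
```

Constructed example: a client at 10.0.0.5 connecting from port 40123 to a server at 192.0.2.10 is expected to receive 192.0.2.10:20 -> 10.0.0.5:40123 until a valid PORT command says otherwise.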