I have the same problem on Solaris 2.6, FW 4.0.
The same files FTP just fine through a PIX firewall.
I received the following fix from my support which I have not tried yet and
I'm not sure if I'm going to try for security reasons.
Here are the instructions for editing your base.def file. Edit the file
and look for the following.
// ports which are dangerous to connect to
#define NOTSERVER_TCP_PORT(p) {
    (not
        (
            ( p in tcp_services, set sr10 RCODE_TCP_SERV, set sr11 0,
              set sr12 p, set sr1 0, log bad_conn)
            or
            ( p < 1024, set sr10 RCODE_SMALL_PORT, set sr11 0, set sr12 p,
              set sr1 0, log bad_conn)
        )
    )
};
You change it so it reads:
// ports which are dangerous to connect to
#define NOTSERVER_TCP_PORT(p) {
    (not
        ( p < 1024, set sr10 RCODE_SMALL_PORT, set sr11 0, set sr12 p,
          set sr1 0, log bad_conn)
    )
};
Here is the rest of the information I have regarding this problem.
High Port TCP Services and FTP
Q:
I have defined several consecutive tcp high ports for a TCP service I need to
allow through the firewall. However, it seems like my FTP sessions no longer
work. At times, they appear to "hang." After several attempts, FTP works again.
Any ideas as to what's wrong?
A:
FireWall-1 does not allow FTP through any port that it considers to be a
"service." Any service of type TCP defined in FireWall-1 is placed into a table
called tcp_services. If an FTP connection requests a port that is in the
tcp_services table (i.e. it's the same port as that of a defined TCP service),
the connection will be denied. This "feature" will generally only be noticeable
if you define TCP ports in large groups. Most machines, when they load up, start
allocating "outbound" connections at source port 1025 and higher.
One workaround would be to define the service as type Other with the following
in the Match field:
tcp, dport >= x, dport <= y
where x and y are the endpoints to your port range. Services of type Other do
not get added to the tcp_services table.
Another workaround is to disable the check for services by editing
$FWDIR/lib/base.def (Thanks to Jon Paine for providing the new 4.0 code).
FireWall-1 4.0 has the following in base.def :
// ports which are dangerous to connect to
#define NOTSERVER_TCP_PORT(p) {
    (not
        (
            ( p in tcp_services, set sr10 RCODE_TCP_SERV, set sr11 0,
              set sr12 p, set sr1 0, log bad_conn)
            or
            ( p < 1024, set sr10 RCODE_SMALL_PORT, set sr11 0, set sr12 p,
              set sr1 0, log bad_conn)
        )
    )
};
You change it so it reads:
// ports which are dangerous to connect to
#define NOTSERVER_TCP_PORT(p) {
    (not
        ( p < 1024, set sr10 RCODE_SMALL_PORT, set sr11 0, set sr12 p,
          set sr1 0, log bad_conn)
    )
};
In FireWall-1 3.0 change the macro definition for NOTSERVER_TCP_PORT to:
#define NOTSERVER_TCP_PORT(p) ( p > 1024 )
(Note if you have a 4.x management console managing a 3.x firewall, make the
above change in $FWDIR/lib30/base.def as well)
Good luck, Telmo.
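An added illustration (my own Python, not FireWall-1 or Check Point code) of the NOTSERVER_TCP_PORT check described in the FAQ text above, showing why a block of consecutive high-port TCP services makes FTP data connections fail for a while and then recover, and what each of the two workarounds changes. The service definitions, the tcp_services table and the client's sequential port allocation are constructed for the example; the RCODE names are taken from the base.def fragment quoted above.

```python
# Added illustration of the FireWall-1 NOTSERVER_TCP_PORT check; not FireWall-1
# code. Service definitions, the tcp_services table and the FTP port sequence
# are constructed here to show the behaviour described in the FAQ.

# Reason codes set and logged by the 4.0 macro (names from base.def; values
# are symbolic in this model).
RCODE_TCP_SERV = "RCODE_TCP_SERV"
RCODE_SMALL_PORT = "RCODE_SMALL_PORT"


def build_tcp_services(services):
    """Return the set of ports FW-1 would place in its tcp_services table.

    services: list of dicts {"name", "type", "ports"}; "ports" is an iterable
    of port numbers. Only type "tcp" services are added. A type "Other" service
    with "tcp, dport >= x, dport <= y" in its Match field is not added, which
    is the first workaround in the FAQ.
    """
    table = set()
    for svc in services:
        if svc["type"].lower() == "tcp":
            table.update(svc["ports"])
    return table


def check_v40_original(p, tcp_services):
    """4.0 base.def as shipped: not ((p in tcp_services, ...) or (p < 1024, ...)).

    Returns (allowed, reason); reason is the RCODE the macro sets before
    'log bad_conn' when the port is refused.
    """
    if p in tcp_services:
        return False, RCODE_TCP_SERV
    if p < 1024:
        return False, RCODE_SMALL_PORT
    return True, None


def check_v40_patched(p, tcp_services):
    """4.0 base.def after the edit: only the (p < 1024) clause remains."""
    if p < 1024:
        return False, RCODE_SMALL_PORT
    return True, None


def check_v30_patched(p, tcp_services):
    """3.0 macro replaced by ( p > 1024 ): a bare expression, no RCODE set."""
    return (p > 1024), None


def simulate_ftp_data_ports(check, tcp_services, first_port=1025, count=60):
    """Model a client allocating data ports sequentially from first_port.

    Each transfer asks the firewall to open one port; returns a list of
    (port, allowed, reason) for the first `count` transfers.
    """
    return [(p, *check(p, tcp_services))
            for p in range(first_port, first_port + count)]


def failures_before_first_success(results):
    """Count transfers refused in a row before the first one gets through."""
    for i, (_port, allowed, _reason) in enumerate(results):
        if allowed:
            return i
    return len(results)


# Constructed scenario: a service "bigapp" defined on 50 consecutive high
# ports, once as 50 TCP services and once as a single type-Other service.
AS_TCP_SERVICES = [{"name": "bigapp", "type": "tcp", "ports": range(1025, 1075)}]
AS_OTHER_SERVICE = [{"name": "bigapp", "type": "Other", "ports": range(1025, 1075)}]

if __name__ == "__main__":
    for label, services, check in [
        ("4.0 original, bigapp as TCP services", AS_TCP_SERVICES, check_v40_original),
        ("4.0 original, bigapp as type Other", AS_OTHER_SERVICE, check_v40_original),
        ("4.0 patched base.def", AS_TCP_SERVICES, check_v40_patched),
        ("3.0 macro ( p > 1024 )", AS_TCP_SERVICES, check_v30_patched),
    ]:
        table = build_tcp_services(services)
        results = simulate_ftp_data_ports(check, table)
        print(f"{label}: {failures_before_first_success(results)} "
              f"data connections refused before the first success")
```

With the 50 ports defined as TCP services, the first 50 data connections a freshly booted client requests are refused with RCODE_TCP_SERV, and transfers only start working once its port allocation has moved past the block, which matches the "hang, then works after several attempts" symptom. The type-Other definition leaves tcp_services empty and keeps the check itself intact, whereas the base.def edit removes both the check and its bad_conn log entry for that case, so the firewall no longer records FTP data connections aimed at ports of your defined services. The model also makes visible a small difference between the two edits: the 4.0 version, not (p < 1024), still accepts port 1024, while the 3.0 replacement ( p > 1024 ) refuses it.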
> -----Original Message-----
> From: Ivan Fox [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, July 26, 2000 10:00 AM
> To: Robert MacDonald; [EMAIL PROTECTED]
> Subject: Re: [FW1] ftp dies in the middle of a session! Please help.
>
>
> Hi Robert;
>
> Thanks for sharing.
>
>
> > Before you get started with this, our issue is still unsolved.
> > I'm told they will be testing a solution any day now....
>
> Is "they" referring to Check Point?
> >
> > Did you just upgrade your NT box by either patching NT
> > or more likely IIS?
>
> Applied NT's SP6a on IIS 4.0.
>
>
> > We have an extranet partner who had been transferring
> > files for two months. Then they switched to a very large
> > co-location site in Virginia (Digix), transfers dropped to about
> > 30% success rate.
>
> We tested it ourselves. We experience the same problem. Before the outer
> firewall was re-booted, about 200 files were transferred. After the outer
> firewall was rebooted, the first trial, over 1200 files were transferred.
> After that, only a few hundred were transferred. We accessed the ftp server
> using their account from the Internet.
>
> The same customer has no problem for getting files from other directories.
> I was told that there were 3 or 4 1K files at a time.
>
> I am planning to apply the FW-1's SP6 instead of the latest one, SP7, to see
> if it helps solve the problem.
>
> Thanks,
>
> Ivan
>
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================