Try these solutions:
-----------------------------------------------------------------------
Edit the $FWDIR/lib/base.def file to allow FTP headers without "\r\n":

1. Stop FireWall-1 (fwstop)
2. Edit the /$FWDIR/lib/base.def
3. Mark out the following line:

#define FTP_ENFORCE_NL
to:
//#define FTP_ENFORCE_NL

4. Start FireWall-1 (fwstart)
5. Re-install the policy

Cause of this problem:
FireWall-1 expects each FTP header coming from the server to end with \r\n.
If a packet arrives without it, it will be dropped.
-----------------------------------------------------------------------
Edit the /$FWDIR/lib/base.def file to allow this behavior:

1. Stop the FireWall (fwstop)
2. Edit the $FWDIR/lib/base.def:
Change it from:

#define FTPPORT(match) (call KFUNC_FTPPORT <0x1|(match)>)

//
// Use this if you do not want the FireWall module to insist on a newline at the
// end of the PORT command:
// #define FTPPORT(match) (call KFUNC_FTPPORT <(match)>)

To:

//#define FTPPORT(match) (call KFUNC_FTPPORT <0x1|(match)>)

//
// Use this if you do not want the FireWall module to insist on a newline at the
// end of the PORT command:
#define FTPPORT(match) (call KFUNC_FTPPORT <(match)>)

(The change is to comment the first line, and uncomment the last one)

3. Start the FireWall (fwstart)
4. Re-install the policy

Cause of this problem:
FireWall-1 expects each passive FTP port command to be followed with \r\n.
If the port command is followed by a different character, the packet will be
dropped. For example, the following port command will be dropped due to the
fact that it is followed by a '.' (dot):

"227 Entering Passive Mode (12,3,232,58,17,244).\r\n"
-------------------------------------------------------------

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Bob
> Tin2
> Sent: Wednesday, 2 August 2000 1:37 a.m.
> To: [EMAIL PROTECTED]
> Subject: [FW1] FTP problems to some sites
>
>
>
> Hello everybody,
>
>
> I am running CheckPoint2000 with hotfix (build 41603) running on
> NT4.0 sp6a.
>
> My internal address is 10.x.x.x and am using NAT to the internet.
>
> I am having problems while running ftp to certain sites
> (ftp.compaq.com, ftp.usr.com etc).  Yet, the same rule will allow ftp to
> other sites (ftp.microsoft.com, ftp.novell.com)
>
> The Checkpoint log displays the connection as successful, but it's not.
>
> Any help will be appreciated.
>
> Regards
>
> Bob

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
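
To decide which of the two base.def edits in the reply a given FTP server actually needs, captured control-channel payloads can be tested against both conditions before relaxing either check. The following is an added example, not part of the original thread and not Check Point code: it approximates the checks only as the reply describes them, the function names and finding labels are hypothetical, the closing parenthesis is assumed to count as part of the command, and all sample payloads except the 227 line quoted in the reply are constructed.

```python
import re

# h1,h2,h3,h4,p1,p2 tuple used by PORT commands and 227 passive-mode replies,
# with an optional closing parenthesis (assumed to count as part of the command).
TUPLE = re.compile(rb"((?:\d{1,3},){5}\d{1,3})\)?")

# Finding labels are hypothetical; each names the base.def macro the reply edits.
MISSING_CRLF = "line does not end with \\r\\n (FTP_ENFORCE_NL)"
PORT_TRAILER = "port tuple not directly followed by \\r\\n (FTPPORT)"


def check_segment(payload: bytes) -> list:
    """Return which of the two strict checks a control-channel payload would fail."""
    findings = []
    if not payload.endswith(b"\r\n"):
        findings.append(MISSING_CRLF)
    if payload[:4].upper() in (b"227 ", b"PORT"):
        m = TUPLE.search(payload, 4)  # start at 4 to skip the reply code / verb
        if m and payload[m.end():m.end() + 2] != b"\r\n":
            findings.append(PORT_TRAILER)
    return findings


def data_endpoint(payload: bytes):
    """Decode the data-channel address and port announced in a PORT/227 line."""
    m = TUPLE.search(payload, 4)
    if not m:
        return None
    n = [int(x) for x in m.group(1).split(b",")]
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]


SAMPLES = [
    b"227 Entering Passive Mode (12,3,232,58,17,244).\r\n",  # quoted in the reply
    b"227 Entering Passive Mode (12,3,232,58,17,244)\r\n",   # constructed
    b"220 ftp.example.com ready\n",                          # constructed: bare LF
    b"PORT 10,1,1,5,4,1\r\n",                                # constructed
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), check_segment(s) or "ok", data_endpoint(s))
```

A server that only ever produces the second finding needs just the FTPPORT change, leaving FTP_ENFORCE_NL enforced for every other control-channel line.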


