Open the Security Policy and go to Manage / Properties

Then in the services tab:

If you have PASV checked on, turn it off; it will fix the problem. I know
it's ass backwards, but SP4 and newer started doing it to my firewall as
well.  I don't know that Check Point knows it's now broken, but they should,
because I have brought it up a few times.

If it's off, then turn it on, because that's the proper behavior.

-----Original Message-----
From: Ronald C. Atkinson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 02, 2000 1:34 PM
To: [EMAIL PROTECTED]
Subject: [FW1] FTP PASV not working with 4.0 SP6 on Solaris


I have a case where we have two Solaris 2.6 systems running FireWall-1
4.0 SP6 with both PORT and PASV modes enabled, however PASV does not
work to some sites but PORT mode works fine to every site.  I also have
two Nokia boxes also on the Internet running FireWall-1 4.0 SP5 and PASV
works just fine. Also there is a single management server for the
Solaris and Nokia boxes with separate policies for each. The FTP rules
and options are the same on both.  Two sites I'm trying to get into are
ftp.isc.org and ftp.ipswitch.com.

The Solaris firewalls also have StoneBeat FullCluster and both ports 20
and 21 are excluded. Also Solaris is configured so TCP initial sequence
number generation is randomized (TCP_STRONG_ISS=2), so I don't know if
that has anything to do with it either.  I've also modified the base.def
file and tried the changes that were recently posted here for handling
\r\n terminations and extra characters with no luck. The FTP rule has
been tried with and without a resource (I'm not using a resource now).
I've tried authenticated FTP (non-transparent), non-authenticated
(transparent), FTP to the firewall cluster address, FTP to individual
firewall addresses (no clustering), etc...

Does anyone have any idea why PASV would not work to some sites with the
Solaris firewalls but it works fine with the Nokia boxes?

Ron
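
An added example, not part of either message above and not Check Point code: a small checker for the server's 227 reply, which is the line a stateful firewall has to parse to open the PASV data connection. It reports the two deviations mentioned above (line termination and extra characters) against the plain RFC 959 form; the function name and sample replies are constructed, and which deviations FireWall-1 actually rejects is not something the thread establishes.

```python
import re

# h1,h2,h3,h4,p1,p2 tuple of the 227 reply (RFC 959)
TUPLE = re.compile(rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def inspect_pasv_reply(raw: bytes) -> dict:
    """Parse one 227 reply and list its deviations from the plain RFC 959 form."""
    result = {"host": None, "port": None, "issues": []}
    issues = result["issues"]
    if raw.endswith(b"\r\n"):
        body = raw[:-2]
    elif raw.endswith(b"\n"):
        body = raw[:-1]
        issues.append("bare LF termination")
    else:
        body = raw
        issues.append("no line termination")
    m = TUPLE.search(body) if body.startswith(b"227 ") else None
    if m is None:
        issues.append("not a parsable 227 reply")
        return result
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        issues.append("octet out of range")
        return result
    result["host"] = ".".join(str(n) for n in nums[:4])
    result["port"] = nums[4] * 256 + nums[5]  # data port = p1*256 + p2
    trailing = body[m.end():]
    if body[m.start() - 1:m.start()] == b"(" and trailing.startswith(b")"):
        trailing = trailing[1:]
    else:
        issues.append("tuple not parenthesised")
    if trailing not in (b"", b"."):  # assumption: a single final '.' is tolerated
        issues.append("extra characters after tuple")
    return result

# Constructed sample replies using documentation addresses, not captured traffic
SAMPLES = [
    b"227 Entering Passive Mode (192,0,2,10,19,137)\r\n",
    b"227 Entering Passive Mode (192,0,2,10,19,137)\n",
    b"227 Entering Passive Mode (192,0,2,10,19,137) ok to connect\r\n",
    b"227 =192,0,2,10,4,1\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), inspect_pasv_reply(sample))
```

Feeding it the 227 lines captured from a site where PASV works and one where it fails shows whether the server's reply format differs between them.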


