Some service providers/applications will only allow FTP PASV mode because
they consider it more secure if their server picks the random data port
instead of the client picking it.

Greg S.

-----Original Message-----
From:   Ronald C. Atkinson [mailto:[EMAIL PROTECTED]]
Sent:   Wednesday, August 02, 2000 2:41 PM
To:     Jonah Kowall
Cc:     [EMAIL PROTECTED]
Subject:        Re: [FW1] FTP PASV not working with 4.0 SP6 on Solaris

Actually I tried that and PASV clients do work, however it only works because the
clients typically default back to PORT mode if PASV fails. We have an application
in-house that actually uses PASV and doesn't even support PORT mode (beats me why
they wrote it this way), so disabling this won't make it work. I'd rather have the
problem fixed correctly. Still haven't found out what they did differently between SP5
on Nokia and SP6 on Solaris though.

Ron


Jonah Kowall wrote:

> Open the Security Policy and go to Manage / Properties
>
> Then in the services tab:
>
> If you have PASV checked on, turn it off, it will fix the problem. I know
> it's ass-backwards, but SP4 and newer started doing it to my firewall as
> well.  I don't know that Check Point knows it's now broken, but they should,
> because I have brought it up a few times.
>
> If it's off, then turn it on, because that's the proper behavior.
>
> -----Original Message-----
> From: Ronald C. Atkinson [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 02, 2000 1:34 PM
> To: [EMAIL PROTECTED]
> Subject: [FW1] FTP PASV not working with 4.0 SP6 on Solaris
>
> I have a case where we have two Solaris 2.6 systems running FireWall-1
> 4.0 SP6 with both PORT and PASV modes enabled, however PASV does not
> work to some sites but PORT mode works fine to every site. I also have
> two Nokia boxes also on the Internet running FireWall-1 4.0 SP5 and PASV
> works just fine. Also there is a single management server for the
> Solaris and Nokia boxes with separate policies for each. The FTP rules
> and options are the same on both.  Two sites I'm trying to get into are
> ftp.isc.org and ftp.ipswitch.com.
>
> The Solaris firewalls also have StoneBeat FullCluster and both ports 20
> and 21 are excluded. Also Solaris is configured so TCP initial sequence
> number generation is randomized (TCP_STRONG_ISS=2), so I don't know if
> that has anything to do with it either.  I've also modified the base.def
> file and tried the changes that were recently posted here for handling
> \r\n terminations and extra characters with no luck. The FTP rule has
> been tried with and without a resource (I'm not using a resource now).
> I've tried authenticated FTP (non-transparent), non-authenticated
> (transparent), FTP to the firewall cluster address, FTP to individual
> firewall addresses (no clustering), etc...
>
> Does anyone have any idea why PASV would not work to some sites with the
> Solaris firewalls but it works fine with the Nokia boxes?
>
> Ron
>
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
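Both points in the thread, Greg's (in PASV the server picks the data port, in PORT the client does) and Ron's (base.def changes for \r\n terminators and extra characters in server replies), come down to how the firewall parses the FTP control channel before it opens a pin-hole for the data connection. The following is an added illustration of that inspection logic, written for this page; it is not FireWall-1 code and not a base.def fragment. The addresses are from the RFC 5737 documentation ranges and the session transcript is constructed. It tolerates the reply variations the thread mentions (trailing punctuation, missing parentheses, CRLF) and applies the two checks a practitioner expects from an FTP-aware firewall: a PORT command may only name the client's own address and an unprivileged port (otherwise it is the classic bounce attack), and a 227 reply may only name the server already on the control connection.

```python
"""
Model of the FTP control-channel inspection a stateful firewall performs to
open the data-channel pin-hole. Added example, not Check Point code.
Addresses are RFC 5737 documentation ranges; the transcript is constructed.
"""
import re

# Six decimal fields, used by both the client's PORT command and the server's
# 227 reply to PASV. Parentheses, trailing punctuation, stray characters and
# \r\n terminators around the tuple are all tolerated by searching for it.
_HOSTPORT = re.compile(r'(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})')


def parse_hostport(text):
    """Extract (ip, port) from an 'h1,h2,h3,h4,p1,p2' tuple; None if absent or out of range."""
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    f = [int(x) for x in m.groups()]
    if any(n > 255 for n in f):
        return None
    port = f[4] * 256 + f[5]
    if port == 0:
        return None
    return '.'.join(str(n) for n in f[:4]), port


def inspect_line(line, direction, client_ip, server_ip):
    """
    Classify one control-channel line.
    direction is 'c2s' (client sent it) or 's2c' (server reply).
    Returns ('ignore', None), ('allow', pinhole) or ('reject', reason), where a
    pinhole is (mode, src_ip, dst_ip, dst_port) for the expected data connection.
    """
    line = line.rstrip('\r\n')
    if direction == 'c2s':
        if line[:5].upper() != 'PORT ':
            return ('ignore', None)
        hp = parse_hostport(line[5:])
        if hp is None:
            return ('reject', 'malformed PORT')
        ip, port = hp
        # Active mode: the client picks the port and the server connects to it.
        # A PORT naming some other host is the bounce attack; refuse it.
        if ip != client_ip:
            return ('reject', 'PORT address %s is not the client' % ip)
        if port < 1024:
            return ('reject', 'PORT to privileged port %d' % port)
        return ('allow', ('PORT', server_ip, ip, port))
    if direction == 's2c':
        if not line.startswith('227'):
            return ('ignore', None)
        hp = parse_hostport(line)
        if hp is None:
            return ('reject', 'malformed 227 reply')
        ip, port = hp
        # Passive mode: the server picks the port and the client connects to it.
        # Only open a hole towards the server we are already talking to.
        if ip != server_ip:
            return ('reject', '227 address %s is not the server' % ip)
        return ('allow', ('PASV', client_ip, ip, port))
    raise ValueError('direction must be c2s or s2c')


def walk_session(transcript, client_ip, server_ip):
    """Run inspect_line over a (direction, line) transcript; return (allowed pinholes, reject reasons)."""
    allowed, rejected = [], []
    for direction, line in transcript:
        verdict, detail = inspect_line(line, direction, client_ip, server_ip)
        if verdict == 'allow':
            allowed.append(detail)
        elif verdict == 'reject':
            rejected.append(detail)
    return allowed, rejected


# Constructed session: one PASV transfer, one PORT transfer, one bounce attempt.
CLIENT, SERVER = '198.51.100.7', '192.0.2.10'
SESSION = [
    ('c2s', 'PASV\r\n'),
    ('s2c', '227 Entering Passive Mode (192,0,2,10,4,1).\r\n'),  # note the trailing '.'
    ('c2s', 'RETR file.txt\r\n'),
    ('c2s', 'PORT 198,51,100,7,195,80\r\n'),
    ('s2c', '200 PORT command successful.\r\n'),
    ('c2s', 'PORT 10,0,0,5,0,25\r\n'),                          # bounce attempt
]

if __name__ == '__main__':
    holes, rejects = walk_session(SESSION, CLIENT, SERVER)
    for hole in holes:
        print('allow %s data: %s -> %s:%d' % hole)
    for why in rejects:
        print('reject:', why)
```

Two things a real inspector needs that this model leaves out: it must reassemble the TCP stream so that a command split across segments is still parsed, and it must handle the EPSV/229 and EPRT forms (RFC 2428) as well as the classic tuple. The strictness shown here is also exactly why a server whose 227 reply names an address other than its own (a server behind NAT, for instance) fails through a PASV-inspecting firewall while PORT mode keeps working.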

