Help, please. :)
I am having a problem with an FTP package in use here for financial data
transactions, called "EasyAccess". I cannot get the FTP application to
work, and am fairly confident that it is the firewall that is killing it.
The application supports FTP PASV mode *only*.
The client's address is 1.1.1.1; the server's address is 2.2.2.2 (all right,
not really... "names and some personal details have been changed to protect
the innocent").
When testing, I looked at the firewall logs to see if anything was being
dropped there (I am logging 'Long' on all rules for these tests). The
firewall logs show (filtered on any destination matching the client or
server, and then on any source matching the client or server) :
action ; proto ; src ; dst ; service ; s_port ; len
accept ; tcp ; 1.1.1.1 ; 2.2.2.2 ; ftp ; 1108
The logs do not show any other traffic, accepted or dropped, that either
originates on either address or is destined for either address.
However, when I set up a packet sniffer on both sides of the firewall and
test, I can see that the firewall is in fact dropping traffic.
----- start : capture inside firewall -----
source ; dest ; layer ; len ; summary
1.1.1.1 ; 2.2.2.2 ; TCP ; 64 ; 1046->File Transfer (Control), [Syn],
S=12480541, A=0, W=8192
2.2.2.2 ; 1.1.1.1 ; TCP ; 64 ; File Transfer (Control)->1046, [Syn],
S=476488872, A=1248052, W=16384
1.1.1.1 ; 2.2.2.2 ; TCP ; 64 ; 1046-> File Transfer (Control), S=12480542,
A=476488873, W=8192
2.2.2.2 ; 1.1.1.1 ; FTP ; 119 ; 220 FTP server ready on system
1.1.1.1 ; 2.2.2.2 ; FTP ; 70 ; AUTH TLS-P
2.2.2.2 ; 1.1.1.1 ; FTP ; 113 ; 234 AUTH command accepted - proceed with
Negotiation.
1.1.1.1 ; 2.2.2.2 ; FTP ; 114 ; Data (total 56 bytes), (More Data)
2.2.2.2 ; 1.1.1.1 ; TCP ; 64 ; File Transfer (Control)->1046, [Rst],
S=47688989, A=0, W=0
2.2.2.2 ; 1.1.1.1 ; FTP ; 113 ; 234 AUTH command accepted - proceed with
Negotiation.
1.1.1.1 ; 2.2.2.2 ; TCP ; 64 ; 1046-> File Transfer (Control), [Rst],
S=12480554, A=476488989, W=0
----- stop : capture inside firewall -----
----- start : capture outside firewall -----
source ; dest ; layer ; len ; summary
1.1.1.1 ; 2.2.2.2 ; TCP ; 64 ; 1046->File Transfer (Control), [Syn],
S=12480541, A=0, W=8192
2.2.2.2 ; 1.1.1.1 ; TCP ; 64 ; File Transfer (Control)->1046, [Syn],
S=476488872, A=1248052, W=16384
1.1.1.1 ; 2.2.2.2 ; TCP ; 64 ; 1046-> File Transfer (Control), S=12480542,
A=476488873, W=0
1.1.1.1 ; 2.2.2.2 ; TCP ; 64 ; 1046-> File Transfer (Control), S=12480542,
A=476488873, W=8192
2.2.2.2 ; 1.1.1.1 ; FTP ; 119 ; 220 FTP server ready on system
1.1.1.1 ; 2.2.2.2 ; FTP ; 70 ; AUTH TLS-P
2.2.2.2 ; 1.1.1.1 ; FTP ; 113 ; 234 AUTH command accepted - proceed with
Negotiation.
2.2.2.2 ; 1.1.1.1 ; FTP ; 113 ; 234 AUTH command accepted - proceed with
Negotiation.
1.1.1.1 ; 2.2.2.2 ; TCP ; 64 ; 1046-> File Transfer (Control), [Rst],
S=12480554, A=476488989, W=0
----- stop : capture outside firewall -----
I see two major differences before and after the firewall.
First of all, the firewall is taking the max window size packet sent by the
client and converting it to two packets, a min window size and a max window
size. No problem.
Second, the Data packet sent by the client is not being transmitted by the
firewall. This seems to lead directly to the remaining differences; the
server never receives the Data packet so it resends its 'proceed with
Negotiation' packet, eventually gives up and resets the connection;
meanwhile the client never receives a reply to its Data packet and so
eventually gives up and also resets the connection.
I have tested with:
- FTP PASV mode both enabled and disabled
- Rule # 1 as "allow all traffic between the client and server on any port",
with FTP PASV mode both enabled and disabled
- "#define_ENFORCE_NL" commented out in $FWDIR/lib/base.def, with FTP PASV
mode both enabled and disabled
- "#define_ENFORCE_NL" commented out and "#define FTPPORT(match) (call
KFUNC_FTPPORT <(match)>)" enabled in $FWDIR/lib/base.def, with FTP PASV mode
both enabled and disabled
I am running FW-1 v4.1 SP2 on Sun Solaris 2.6.
I am at a loss here. Any help would be appreciated.
Greg S.
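One way to do mechanically the side-by-side comparison the post does by eye: an added Python example (not part of the post) that parses two captures in the post's own "source ; dest ; layer ; len ; summary" layout, re-joins wrapped summary lines, ignores the TCP window rewrite the firewall is allowed to make, and lists packets seen on only one side. The capture text is a constructed subset of the two listings above.

```python
import re

# Constructed captures in the post's "source ; dest ; layer ; len ; summary" form.
INSIDE = """\
1.1.1.1 ; 2.2.2.2 ; TCP ; 64 ; 1046->File Transfer (Control), [Syn],
S=12480541, A=0, W=8192
1.1.1.1 ; 2.2.2.2 ; TCP ; 64 ; 1046-> File Transfer (Control), S=12480542, A=476488873, W=8192
1.1.1.1 ; 2.2.2.2 ; FTP ; 70 ; AUTH TLS-P
2.2.2.2 ; 1.1.1.1 ; FTP ; 113 ; 234 AUTH command accepted - proceed with Negotiation.
1.1.1.1 ; 2.2.2.2 ; FTP ; 114 ; Data (total 56 bytes), (More Data)
2.2.2.2 ; 1.1.1.1 ; TCP ; 64 ; File Transfer (Control)->1046, [Rst], S=47688989, A=0, W=0
1.1.1.1 ; 2.2.2.2 ; TCP ; 64 ; 1046-> File Transfer (Control), [Rst], S=12480554, A=476488989, W=0
"""
OUTSIDE = """\
1.1.1.1 ; 2.2.2.2 ; TCP ; 64 ; 1046->File Transfer (Control), [Syn],
S=12480541, A=0, W=8192
1.1.1.1 ; 2.2.2.2 ; TCP ; 64 ; 1046-> File Transfer (Control), S=12480542, A=476488873, W=0
1.1.1.1 ; 2.2.2.2 ; TCP ; 64 ; 1046-> File Transfer (Control), S=12480542, A=476488873, W=8192
1.1.1.1 ; 2.2.2.2 ; FTP ; 70 ; AUTH TLS-P
2.2.2.2 ; 1.1.1.1 ; FTP ; 113 ; 234 AUTH command accepted - proceed with Negotiation.
1.1.1.1 ; 2.2.2.2 ; TCP ; 64 ; 1046-> File Transfer (Control), [Rst], S=12480554, A=476488989, W=0
"""

def parse_capture(text):
    """Return (src, dst, layer, summary) tuples; a line without ';' separators
    is the wrapped tail of the previous record's summary."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("source ;"):
            continue                       # blank line or column header
        if line.count(";") >= 4:
            src, dst, layer, _len, summary = (p.strip() for p in line.split(";", 4))
            records.append([src, dst, layer, summary])
        elif records:
            records[-1][3] += " " + line   # join wrapped summary text
    return [tuple(r) for r in records]

def normalise(summary):
    """Ignore the TCP window (the firewall legitimately rewrites W=) and spacing
    around '->', but keep seq/ack numbers so distinct segments stay distinct."""
    s = re.sub(r",?\s*W=\d+", "", summary)
    s = re.sub(r"->\s+", "->", s)
    return re.sub(r"\s+", " ", s).strip().rstrip(",")

def diff_captures(inside, outside):
    """Packets seen on only one side of the firewall, keyed by (src, dst, layer, summary)."""
    a = {(s, d, l, normalise(m)) for s, d, l, m in parse_capture(inside)}
    b = {(s, d, l, normalise(m)) for s, d, l, m in parse_capture(outside)}
    return {"inside_only": sorted(a - b), "outside_only": sorted(b - a)}
```

Because the comparison is set-based, a retransmission seen on both sides is not reported; only packets that never appear on the other side (here the client's TLS Data segment and the server-side RST) are.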
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================