Hi everyone,
We're currently implementing a security configuration at one of our customers.
The design looks like this:
Router ---- Firewall-1 ---- DMZ ---- Linux Firewall ---- Internal network
The Linux Firewall hides the Internal Network behind a private address (its DMZ
interface address). Firewall-1, in turn, only accepts packets from the Linux
firewall to go outside. Hence, Firewall-1 performs static NAT on the private
address of the Linux Firewall. Now here's my problem: clients on the inside
network are unable to set up a valid FTP connection to the outside. In the
Firewall-1 log there are the following entries:
source           dest             s_port  track    service  comment
xxx.xxx.xxx.xxx  xxx.xxx.xxx.xxx  60104   allowed  ftp
xxx.xxx.xxx.xxx  xxx.xxx.xxx.xxx  60102   reject   ftp      reason: tried to open other port on host
When I try to establish a connection via the DOS prompt, I can log in to the
server, but when I then try to do a dir or ls, the connection breaks. In my
opinion the following happens: establishing the FTP control connection (port 21)
works fine: the Linux Firewall hides the address behind its address and opens a
port for the connection (e.g. 60104). From the moment I try to open the FTP data
connection (port 20), the Linux firewall sees this as a new connection and
assigns another port to it (e.g. 60102). I am not sure about this. In a normal
client-server FTP connection, does the client use the same port for both the
control and the data connection? More specifically, once the control connection
is finished, does the client open a data connection using the same port (e.g.
60104)? Am I missing some big thing here? Did anyone have the same problem? Any
help would be greatly appreciated.
Thanks in advance,
TiM De Boeck
System Engineer (CCSA, CCSE)
Econocom Services
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
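In active-mode FTP the client announces a fresh listening address and port in the PORT command (so the data connection does not reuse the control connection's port) and the server connects to it from port 20, which means every NAT in the path has to rewrite that payload, not just the IP header. The following Python, added here as an example and not part of the original post or any Check Point tooling, parses and rewrites PORT commands and applies the stateful check a firewall does against the server's data connection; all addresses and ports are constructed.

```python
import re
from typing import Callable, Tuple

Endpoint = Tuple[str, int]
# RFC 959 PORT syntax: "PORT h1,h2,h3,h4,p1,p2", port = p1*256 + p2
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$")

def parse_port(cmd: str) -> Endpoint:
    """Decode an active-mode PORT command into the (ip, port) the client listens on."""
    m = PORT_RE.match(cmd)
    if m is None:
        raise ValueError(f"not a PORT command: {cmd!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range: {cmd!r}")
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]

def build_port(ep: Endpoint) -> str:
    """Encode (ip, port) back into PORT syntax."""
    ip, port = ep
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return f"PORT {ip.replace('.', ',')},{port // 256},{port % 256}"

def nat_rewrite_port(cmd: str, translate: Callable[[Endpoint], Endpoint]) -> str:
    """An FTP-aware NAT must translate the endpoint in the payload, not only the IP header."""
    return build_port(translate(parse_port(cmd)))

def data_connection_allowed(announced_cmd: str, dst: Endpoint) -> bool:
    """Stateful check: the server's data connection may only go to the endpoint announced via PORT."""
    return parse_port(announced_cmd) == dst

# Constructed scenario (all addresses and ports made up): the hide NAT on the Linux box
# maps the client's listener to a fresh port on its DMZ address; the outer static NAT
# only swaps the DMZ address for a public one and leaves the port alone.
INNER_MAP = {("10.0.0.5", 60105): ("192.168.1.2", 60102)}
OUTER_STATIC = {"192.168.1.2": "203.0.113.10"}

def walk_chain(client_cmd: str) -> str:
    """PORT command as seen by the server when both NATs rewrite the payload."""
    after_inner = nat_rewrite_port(client_cmd, lambda ep: INNER_MAP[ep])
    return nat_rewrite_port(after_inner, lambda ep: (OUTER_STATIC.get(ep[0], ep[0]), ep[1]))

if __name__ == "__main__":
    print(walk_chain("PORT 10,0,0,5,234,201"))  # PORT 203,0,113,10,234,198
    # Header-only translation at the outer hop leaves 192.168.1.2 in the payload, so the
    # data connection to the public address fails the stateful check.
    print(data_connection_allowed("PORT 192,168,1,2,234,198", ("203.0.113.10", 60102)))  # False
```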