I have a problem with FTP through my firewall. The standard FTP doesn't work. The
ftp control connection gets set up but the ftp data connection does not. I
am at build 41814. I have seen phoneboy's site about trouble ftping that
seems to relate to my problem.
The TIS FTP proxy (used by both Gauntlet and the TIS Toolkit) sends a PORT command in
one packet and the "newline" character in another. By default,
FireWall-1 assumes the PORT command and the newline will appear in the same packet. To
enable checking for this, uncomment the following #define
statement in $FWDIR/lib/base.def on the management console:
// Use this if you do not want the FW-1 module to insist on a newline at the
// end of the PORT command:
//#define FTPPORT(match) (call KFUNC_FTPPORT <(match), [110, b]>)
A few lines above it should be another FTPPORT(match) definition that you comment out.
Re-install the rulebase.
If this trick does not work, it is likely because the FTP Data connection is not
originating from port 20. FireWall-1 does not, by default, accept FTP
Data connections that come from ports other than 20 unless it is a PASV connection.
If you use the TIS Toolkit, check the Patches page on
www.fwtk.org. Alternatively, you can modify FireWall-1 to accept FTP on Different
Ports.
Some other sites fail as well. This is because they do not send out a proper newline
in their header and some versions of FireWall-1 check for this.
FireWall-1 4.0 SP7, 4.0 SP5 build 13 on Nokia, and 4.1 SP2 all have this behaviour. To
resolve this, comment out the following line in
$FWDIR/lib/base.def and reinstall the policy:
#define FTP_ENFORCE_NL
I have made the above changes but it didn't fix my problem. I have a couple of
questions about the above that I am hoping someone can answer.
1. The changes to base.def -- should they be made to the management station, fw
module or both?
2. Do these changes require a fwstop of either the management station, fw module or
both?
Also, does anyone have any other ideas?
Thanks,
Donna
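The two base.def edits quoted in the post (comment out FTP_ENFORCE_NL, comment out the active FTPPORT(match) definition and uncomment the relaxed one) are easy to get half-right by hand, leaving both FTPPORT definitions active or the backup missing. The script below is an added example, not code from phoneboy's page, from the original poster or from Check Point: it applies the edits to a copy of the file, keeps a one-time backup for rollback, and verifies the result. It runs against a constructed sample of the relevant lines, in which the body of the active FTPPORT line is a placeholder rather than the real definition; the sed patterns and the check function are mine.

```shell
#!/bin/sh
# Added example (not from the page, phoneboy's site or Check Point): apply the
# base.def changes quoted above to a copy of the file and verify the result.
# The sample file is constructed for this demo; the body of its active
# FTPPORT(match) line is a placeholder, not the real definition.

make_sample_base_def() {
  cat > "$1" <<'EOF'
// constructed sample of the FTP-related part of base.def (demo only)
#define FTP_ENFORCE_NL
#define FTPPORT(match) (call KFUNC_FTPPORT <(match), [110, b, PLACEHOLDER]>)
// Use this if you do not want the FW-1 module to insist on a newline at the
// end of the PORT command:
//#define FTPPORT(match) (call KFUNC_FTPPORT <(match), [110, b]>)
EOF
}

relax_ftp_checks() {
  f="$1"
  [ -f "$f.orig" ] || cp "$f" "$f.orig"      # one-time backup for rollback
  # 1. comment out the newline-enforcement define
  # 2. comment out whatever FTPPORT(match) definition is currently active
  # 3. re-enable the relaxed definition ([110, b], no newline required)
  # Running this twice is safe: step 2 comments the relaxed line, step 3
  # immediately restores it, and the old definition stays commented.
  sed -e 's|^#define FTP_ENFORCE_NL|//&|' \
      -e 's|^#define FTPPORT(match)|//&|' \
      -e 's|^//#define FTPPORT(match) (call KFUNC_FTPPORT <(match), \[110, b\]>)|#define FTPPORT(match) (call KFUNC_FTPPORT <(match), [110, b]>)|' \
      "$f" > "$f.new" && mv "$f.new" "$f"
}

check_ftp_defines() {
  # Returns 0 when FTP_ENFORCE_NL is off and the relaxed FTPPORT(match) line
  # is the only active one; 1 otherwise (two active definitions, or the
  # enforcement define still on, means the edit was only half applied).
  f="$1"
  [ "$(grep -c '^#define FTPPORT(match)' "$f")" -eq 1 ] || return 1
  grep -q '^#define FTPPORT(match) (call KFUNC_FTPPORT <(match), \[110, b\]>)' "$f" || return 1
  if grep -q '^#define FTP_ENFORCE_NL' "$f"; then return 1; fi
  return 0
}

# Demo run against the constructed sample. On a real system you would point
# relax_ftp_checks at "$FWDIR/lib/base.def" on the management console and
# then reinstall the policy, as the quoted text says.
demo_file=$(mktemp)
make_sample_base_def "$demo_file"
relax_ftp_checks "$demo_file"
if check_ftp_defines "$demo_file"; then
  echo "base.def relaxed; diff against backup:"
  diff "$demo_file.orig" "$demo_file" || true
else
  echo "unexpected state in $demo_file" >&2
fi
```

The check function is the part worth keeping even if you edit by hand: the quoted instructions require exactly one active FTPPORT(match) definition, and a grep count of that pattern tells you immediately whether the "comment out the other one a few lines above" step was done.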
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================