Greetings, all,

I mailed the list the other day with part one of this problem, and after
examining packets, I've discovered my problem:

Summary: system behind iptables firewall attempts to ftp to a server on the
outside. The ftp process is internal to a program running on the internal
machine.
The initial handshake succeeds, until the password is sent. The password
never gets there, the login is never completed, the connection eventually
times out.
The same ftp process works fine to a machine behind the firewall.
Manual ftp connections/logins/transfers from the same client to the same
external machine always work.
The automatic ftp process works through the old Raptor firewall (application
proxy firewall).

In the packet sniff, I noticed that the automated ftp process was sending
some of the responses in broken fashion. For example, in the manual
connection, the ftp client did this:

        packet 1: File Transfer Protocol (FTP) Request: USER Request Arg: nsds-e
        packet 2: File Transfer Protocol (FTP) Request: PASS Request Arg: (password sent here)

But the automated process is sending the packets like this:

        packet 1: File Transfer Protocol (FTP) Request: U
        packet 2: File Transfer Protocol (FTP) Request: SER Request Arg: nsds-e
        packet 3: File Transfer Protocol (FTP) Request: P

Packet 3 never gets an ACK from the external server. I have to assume that
this is because of the request level (authentication) and the fact that the
entire request and password aren't sent in one swoop. Here's what the second
part of the password request looks like:

        File Transfer Protocol (FTP) Request: ASS Request Arg: (password sent here)

It works behind the firewall because there's nothing examining the packets.
The ftp server *behind* the firewall just accepts it in a broken fashion.

Since the iptables firewall never sends packet 3, it's never ACKed. The
automated ftp process attempts to resend it a number of times. The ftp
server outside the firewall then closes the connection after the default
timeout.

I'm pretty certain this is programming logic in the module doing the ftp,
but I wondered if there's a temporary workaround in iptables that will pass
that partial packet through?

Thanks in advance.

Joe Dougherty
Information Technology Systems Officer
NAVLANTMETOCFAC Jacksonville
(904) 542-2541 ext. 35 (comm)
942-2541 ext. 35 (DSN)
[EMAIL PROTECTED]
https://www.nlmof.navy.mil

"Indecision is the basis of flexibility."
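An added illustration (not part of the original post) of the failure mode described above: an FTP command inspector that parses each TCP segment on its own never sees a USER or PASS command when the client splits them as "U" + "SER ..." and "P" + "ASS ...", while an inspector that reassembles the control stream into CRLF-terminated lines recognises both. The per-segment behaviour is an assumption about what the firewall does, as the author suspects; the segments below are constructed sample data, not the author's capture.

```python
"""Per-segment vs reassembled inspection of the FTP control channel."""
import re

# One FTP command line: 3-4 letter verb, optional argument, CRLF terminator.
CMD_RE = re.compile(rb"^([A-Za-z]{3,4})(?: ([^\r\n]*))?\r\n")

# Login-related verbs the inspector is interested in (assumed for this example).
KNOWN = {"USER", "PASS", "ACCT", "QUIT"}


def parse_line(line):
    """Return (verb, argument) for one complete, known FTP command line, else None."""
    m = CMD_RE.match(line)
    if not m:
        return None
    verb = m.group(1).upper().decode()
    if verb not in KNOWN:
        return None            # "SER", "ASS" etc. are not real commands
    return verb, (m.group(2) or b"").decode()


def inspect_per_segment(segments):
    """Naive inspector: treats every TCP segment as a whole command line.
    A command split over two segments is never recognised."""
    seen = []
    for seg in segments:
        parsed = parse_line(seg)
        if parsed:
            seen.append(parsed)
    return seen


def inspect_reassembled(segments):
    """Stream inspector: buffers bytes across segments and only parses
    complete CRLF-terminated lines, so split commands are reassembled."""
    buf, seen = b"", []
    for seg in segments:
        buf += seg
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            parsed = parse_line(line + b"\r\n")
            if parsed:
                seen.append(parsed)
    return seen


# Constructed segments mirroring the two captures in the post (password is a placeholder).
MANUAL = [b"USER nsds-e\r\n", b"PASS secret\r\n"]
SPLIT = [b"U", b"SER nsds-e\r\n", b"P", b"ASS secret\r\n"]

if __name__ == "__main__":
    print(inspect_per_segment(MANUAL))   # both commands recognised
    print(inspect_per_segment(SPLIT))    # nothing recognised
    print(inspect_reassembled(SPLIT))    # both commands recognised
```

The same reassembly is what any stateful application-layer helper or IDS needs before matching on FTP verbs; matching per packet produces both false negatives and, as in this thread, dropped legitimate logins.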
