Whoops - this is usually not true.  Port 115 is rarely (if ever) used for SSL over FTP - its use is HIGHLY non-standard.

Instead, you should know that there are TWO versions of FTP over SSL: EXPLICIT and IMPLICIT.

EXPLICIT usually occurs over port 21 (just like regular FTP) because the secure channel is set up AFTER the connection is made.  (EXPLICIT FTP over SSL connections start out in insecure mode, then "build up" the secure channel later.) 

IMPLICIT usually occurs over port 990 (defined by IANA) because the secure channel is set up AS the connection is made.   (IMPLICIT FTP over SSL connections do not start out in insecure mode.) 

Basically, think of a secure web server; port 80 is used for the insecure connection and a separate port, usually 443, is used for the secure connection.   (Port 115 is someone's strange FTP over SSL port - it's not either of the FTP ports defined in the IANA standard.) 

If you're having problems with a Checkpoint firewall, you could be fighting any of three problems:
 - The Checkpoint is garbling the control channel SSL negotiation (doubtful because you said the problem was a "port" problem - this usually indicates problems with the data channel instead)
 - The Checkpoint is not automatically performing NAT on your secure FTP session the way it would with a non-secure FTP session.  (In order for firewalls to perform NAT, they need to read the contents of the control channel, which may be not possible until the FTP over SSL connection is terminated ON the firewall.)
 - The Checkpoint is not automatically opening the control ports for your secure FTP session the way it would with a non-secure FTP session.  (Same deal here; in order for firewalls to dynamically open ports, they need to read the contents of the control channel, which may be not possible until the FTP over SSL connection is terminated ON the firewall.)

Generally speaking, the fix for the last two items is to "teach" the FTP server about the NAT and then open a defined range of static data ports on the firewall.

- Jonathan Lampe
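Added example, not code from the thread or from Ipswitch: a scripted, offline Python model of the two handshakes described above (the ScriptedControlChannel class and the canned server replies are constructed). It records which control-channel commands a firewall in the path can still read in the clear, which is why NAT and dynamic port opening stop working once the channel is encrypted.

```python
# Constructed model of explicit vs. implicit FTPS negotiation (not real sockets).
EXPLICIT_PORT = 21    # plain FTP port; TLS is negotiated after connecting
IMPLICIT_PORT = 990   # IANA ftps port; TLS starts as the connection is made


class ScriptedControlChannel:
    """Fake FTP control channel with canned server replies (constructed)."""

    def __init__(self, port, replies):
        self.port = port
        self.replies = list(replies)
        self.encrypted = False
        self.wire = []            # (command, was_encrypted) as seen on the wire

    def recv(self):
        return self.replies.pop(0)

    def send(self, command):
        self.wire.append((command, self.encrypted))
        return self.recv()

    def start_tls(self):
        # A real client would wrap the socket here with ssl.SSLContext.wrap_socket.
        self.encrypted = True


def explicit_ftps(chan):
    """Explicit FTPS: connect in the clear, then upgrade with AUTH TLS."""
    if not chan.recv().startswith("220"):           # plain-text greeting
        raise RuntimeError("unexpected greeting")
    if not chan.send("AUTH TLS").startswith("234"):  # still readable by a firewall
        raise RuntimeError("server declined TLS upgrade")
    chan.start_tls()                                 # handshake happens here
    chan.send("PBSZ 0")                              # must precede PROT
    chan.send("PROT P")                              # encrypt the data channel too
    chan.send("PASV")                                # opaque to the firewall now
    return chan


def implicit_ftps(chan):
    """Implicit FTPS: TLS first; even the greeting arrives encrypted."""
    chan.start_tls()
    if not chan.recv().startswith("220"):
        raise RuntimeError("unexpected greeting")
    for command in ("PBSZ 0", "PROT P", "PASV"):
        chan.send(command)
    return chan


def visible_to_firewall(chan):
    """Commands a middlebox could parse to rewrite addresses or open data ports."""
    return [cmd for cmd, encrypted in chan.wire if not encrypted]
```

On the explicit session only `AUTH TLS` is visible; on the implicit one nothing is, so a firewall that relies on reading PORT or PASV cannot help with either, which is why a static passive port range is the usual fix.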

At 10:02 AM 12/11/2003, David Dellinger wrote:
Hi Pete,

It's been a few years since I did anything with Checkpoint Firewall-1 on
Solaris, but in general, it sounds like you have an error in your
configuration.

FTP and SFTP use completely different ports.  FTP uses port 21 and SFTP (the
SSL version of FTP) uses port 115.

I would check what rules you have setup for port 115.

Have you googled for that exact error message?  Maybe someone knows what
that means in Checkpointese.

David

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Pete Simpson
Sent: Thursday, December 11, 2003 7:42 AM
To: [EMAIL PROTECTED]
Subject: [WS_FTP Forum] Firewall Log Error


Has anyone run across this error in their Firewall log and resolved the
issue?

I have a client attempting to connect to our WS_FTP Server using SSL.  If
they connect using non-SSL, it works fine.  But when they try SSL their
firewall reports the following message:

port command ended without a newline

The firewall then resets the connection.  Their firewall is Checkpoint
Firewall-1 NG on Solaris.

Client is WS_FTP Pro 8.2
Server is WS_FTP Server 4.01

Thanks,

Pete



Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.


An Archive of this list is available at:
http://www.mail-archive.com/wsftp_forum%40list.ipswitch.com/

