Firewall-1

Re: [FW-1] R54 and FTP

Subject: Re: [FW-1] R54 and FTP
From: "Beck, Aaron" <Aaron.Beck AT T-MOBILE DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 28 Apr 2004 12:02:23 -0700
If the request for the data is sending out a SYN packet towards the server, 
after the command channel (TCP port 21) has been established, you're looking at 
passive FTP.

Here's a -good- reference that someone has drawn up on the topic... I've used 
it several times in explaining the differences between passive and active FTP:

http://slacksite.com/other/ftp.html

Things to check for:
Make sure that your FTP service is defined with the FTP protocol.
In SmartDefense, most of the options shouldn't affect a generic FTP session... 
at least, they haven't in my experience.

You might want to define a known FTP server as an object, and create two rules 
that catch -anything- to it and anything from it just after your FTP rule - 
to see what's going on in Check Point land.

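The distinction Aaron draws (a fresh SYN from the client toward the server after the port-21 control channel is up means passive mode; a SYN from the server back to the client means active mode) can be read straight off the control-channel exchange, which is exactly what a firewall's FTP protocol handler does to open the data port on demand. The following Python script is an added example written for this page, not code from any poster in the thread or from Check Point; the transcripts, the client address 10.0.0.5 and the server address 198.51.100.7 are constructed for illustration. It parses PORT, PASV (227) and EPSV (229) lines, reports which side will send the SYN and to where, and flags a reply that advertises an address other than the control-connection peer, which is the one thing a dynamic-port helper must refuse rather than trust.

```python
"""Classify FTP data connections from the control channel.

Added example for this thread (not the poster's or Check Point's code).
The addresses and transcripts below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed addresses: the browser host behind the firewall and the remote server.
CLIENT_IP = "10.0.0.5"
SERVER_IP = "198.51.100.7"

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\b.*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
EPSV_RE = re.compile(r"^229\b.*\(\|\|\|(\d+)\|\)")


@dataclass
class DataConn:
    mode: str                 # "active" (server connects to client) or "passive" (client connects to server)
    src: str                  # host that sends the SYN for the data channel
    dst: str                  # host the SYN is sent to
    dst_port: int
    suspicious: bool = False  # advertised address differs from the control-channel peer


def _hostport(groups) -> Tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply (RFC 959)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def classify(transcript: List[Tuple[str, str]], client_ip: str, server_ip: str) -> List[DataConn]:
    """transcript: (who, line) pairs, who = "C" for client->server, "S" for server->client."""
    conns: List[DataConn] = []
    for who, line in transcript:
        line = line.strip()
        if who == "C":
            m = PORT_RE.match(line)
            if m:
                ip, port = _hostport(m.groups())
                # Active mode: the server opens the data channel toward the client's advertised socket.
                conns.append(DataConn("active", server_ip, ip, port, suspicious=(ip != client_ip)))
        else:
            m = PASV_RE.match(line)
            if m:
                ip, port = _hostport(m.groups())
                # Passive mode: the client sends a new SYN to the high port the server advertised.
                conns.append(DataConn("passive", client_ip, ip, port, suspicious=(ip != server_ip)))
                continue
            m = EPSV_RE.match(line)
            if m:
                # EPSV (RFC 2428) carries only a port; the address is the control peer by definition.
                conns.append(DataConn("passive", client_ip, server_ip, int(m.group(1))))
    return conns


def firewall_rules(conns: List[DataConn]) -> List[str]:
    """The per-connection pin-hole a dynamic-port FTP handler would add for each data channel."""
    out = []
    for c in conns:
        if c.suspicious:
            out.append(f"DROP data channel to {c.dst}:{c.dst_port} ({c.mode}): address is not the control peer")
        else:
            out.append(f"allow tcp {c.src} -> {c.dst}:{c.dst_port} ({c.mode} data channel)")
    return out


# Constructed transcript of a browser download: browsers default to passive mode.
SAMPLE_BROWSER = [
    ("S", "220 ftp.example.org FTP server ready"),
    ("C", "USER anonymous"),
    ("S", "331 Please specify the password"),
    ("C", "PASS guest@"),
    ("S", "230 Login successful"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,7,195,80)"),  # 195*256+80 = 50000
    ("C", "RETR file.tar.gz"),
    ("S", "150 Opening BINARY mode data connection"),
    ("S", "226 Transfer complete"),
]

# Constructed transcript of a command-line client in active mode.
SAMPLE_ACTIVE = [
    ("C", "PORT 10,0,0,5,4,1"),  # 4*256+1 = 1025
    ("S", "200 PORT command successful"),
    ("C", "LIST"),
    ("S", "150 Here comes the directory listing"),
    ("S", "226 Directory send OK"),
]

# Constructed 227 reply that points the client at a third host instead of the server.
SAMPLE_THIRD_PARTY = [
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (203,0,113,9,0,25)"),
]

if __name__ == "__main__":
    for name, t in (("browser", SAMPLE_BROWSER), ("active", SAMPLE_ACTIVE), ("third-party", SAMPLE_THIRD_PARTY)):
        print(name)
        for rule in firewall_rules(classify(t, CLIENT_IP, SERVER_IP)):
            print("  " + rule)
```

Run as-is, the browser transcript yields a single allow line for client -> server on the high port taken from the 227 reply; that outbound SYN to a port other than 21 is the connection the original poster saw being dropped. With the service defined using the FTP protocol handler rather than a plain TCP/21 service, the gateway derives that same pin-hole itself from the control channel, so the high ports never have to be opened statically.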


-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST AT 
AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Davis, Nathaniel
Sent: Wednesday, April 28, 2004 11:36 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] R54 and FTP

No, it's not passive FTP.  It's normal FTP.  I have "allow dynamic ports
for defined services" enabled.  I'm still having the problem.


Nathaniel Davis
Senior Unix Administrator
Subaru of America
ndavis AT subaru DOT com
856-488-3150

-----Original Message-----
From: albnix [mailto:a.nizzero AT TISCALI DOT IT]
Sent: Tuesday, April 27, 2004 4:20 PM
To: FW-1-MAILINGLIST AT amadeus.us.checkpoint DOT com
Subject: Re: [FW-1] R54 and FTP

passive FTP?
Reinhard Stich wrote:

> hi,
>
> what error do you see in your log-viewer?
>
> cheers
> reinhard
>
> At 18:54 26.04.2004, you wrote:
>
>> Hi all.
>>
>> My question is this.  I have Check Point R54 installed on an IP330.
>> My rules allow incoming and outgoing FTP.  When I am using a web browser
>> and I try to download a file from a remote site, the FTP request goes
>> out on a port other than 21.  It goes out on higher ports.  Thus,
>> Check Point drops the request, because it isn't in the rules.  How can
>> I get Check Point to allow these connections without having to add
>> different ports from everywhere?  I don't want to open all ports.
>> Any help is appreciated.  I'm guessing it's a SmartDefense thing,
>> but am not sure.
>>
>> Nathan
>>
>> =================================================
>> To set vacation, Out-Of-Office, or away messages, send an email to
>> LISTSERV AT amadeus.us.checkpoint DOT com
>> in the BODY of the email add:
>> set fw-1-mailinglist nomail
>> =================================================
>> To unsubscribe from this mailing list, please see the instructions at
>> http://www.checkpoint.com/services/mailing.html
>> =================================================
>> If you have any questions on how to change your subscription options,
>> email fw-1-owner AT ts.checkpoint DOT com
>> =================================================
>
>
> --
> Reinhard Stich  ASSIST  R.Stich AT internet-security DOT at
> Internet Security AG,      1150 Wien, Johnstrasse 29
> Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333
>
