Subject: Re: [FW-1] FTP problem
From: "Figaro, Nicolas" <nfigaro AT CDCIXIS-CM DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 30 Apr 2004 15:35:39 +0200
Here is an extract of the excellent Nokia knowledge base:

Resolution 15286: How do I configure FireWall-1 to allow "out-of-state"
packets for specific TCP services?

Subject:                How do I configure FireWall-1 to allow
"out-of-state" packets for specific TCP services?
Product Line:           Firewalls
Category:               VPN-1/Firewall-1
Version:                5.0 FP2 Only
Date Modified:          02/19/2004

Description:
It is desirable to allow some applications not to maintain proper TCP
state. FireWall-1 NG is much pickier about TCP state than previous
versions of FireWall-1; as such, some applications have issues. Some
error messages you might see as a result of this include:

"Unexpected post SYN packet"
"SYN packet for established connection"

Solution:
NG FP2 and above provides a functionality that allows TCP packets even
if they don't conform to Check Point's idea of state. This appears to
allow out-of-state TCP packets for specific services provided the
packets would normally be passed by the rulebase. To do this, edit
$FWDIR/lib/user.def on the management and add the following line (the
deffunc line):

#ifndef __user_def__
#define __user_def__

//
// User defined INSPECT code
//

deffunc user_accept_non_syn() { dport = 22 };

#endif /* __user_def__ */


The INSPECT code between the curly braces defines the service(s) you
wish to allow. The above example is ssh (TCP port 22). To define
multiple services, replace the deffunc line above with:

deffunc user_accept_non_syn() { dport = 22 or dport = 443 or dport = 389 };

The preceding example allows ssh (port 22), https (port 443) and ldap
(port 389).

To permit non-SYN packets between hosts a.b.c.d and x.y.z.w in addition
to non-SYN packets on port 22, use the following:

// "and" binds tighter than "or", so the host-pair condition is
// parenthesised as a whole; otherwise only a.b.c.d -> x.y.z.w would be
// restricted to port 22 and the other direction would match any port.
deffunc user_accept_non_syn() { ((src=x.y.z.w, dst=a.b.c.d) or
(src=a.b.c.d, dst=x.y.z.w)) or dport=22 };

If the rulebase is constructed carefully enough, this should be
relatively safe from an ACK-type Denial of Service as all packets
allowed by this change must still pass the rulebase.

$FWDIR/lib/user.def is likely to get overwritten or ignored on an
upgrade, so you will likely have to re-apply this change when you
upgrade.

I hope this one will help you solve your problem.

Are you using any cluster installation (VRRP, ClusterXL, Nokia IPSO
cluster)?
(Other resolutions apply to clustering installations.)

NF
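Before adding a user_accept_non_syn exception it helps to know which out-of-state drops are actually occurring and with which TCP flags (the "th_flags: 18" in Ganesh's log is the raw flags byte, 0x12 = SYN+ACK). The following triage script is added here and is not from the thread or from the Nokia KB; it parses the quoted-field export format shown in the thread, and the column order and the assumption that the free-text info is the last column are mine.

```python
import re
from collections import Counter

# Constructed sample in the quoted-field export format shown in the thread.
# The first record is the drop Ganesh posted; the other two are made up here.
SAMPLE_LOG = (
    '"748072" "21Apr2004" "13:57:43" "VPN-1 & FireWall-1" "eth-s2p1c0" '
    '"emrnfw001" "Log" "Drop" "ftp" "Srvr_172.22.227.70" "Div_Srvr_192.168.3.2" '
    '"tcp" "" "52626" "" "th_flags: 18; message_info: TCP packet out of state; "\n'
    '"748073" "21Apr2004" "13:58:01" "VPN-1 & FireWall-1" "eth-s2p1c0" '
    '"emrnfw001" "Log" "Drop" "ftp" "Srvr_172.22.227.70" "Div_Srvr_192.168.3.2" '
    '"tcp" "" "52630" "" "th_flags: 16; message_info: TCP packet out of state; "\n'
    '"748074" "21Apr2004" "13:58:05" "VPN-1 & FireWall-1" "eth-s2p1c0" '
    '"emrnfw001" "Log" "Accept" "ftp" "Div_Srvr_192.168.3.2" "Srvr_172.22.227.70" '
    '"tcp" "5" "" "" ""\n'
)

# Assumed column order for this export; the free-text info field is taken
# to be the last column.
COLUMNS = ("number", "date", "time", "product", "iface", "origin",
           "type", "action", "service", "src", "dst", "proto")

TCP_FLAG_BITS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))

def decode_th_flags(value):
    """th_flags is the TCP flags byte in decimal; 18 = 0x12 = SYN+ACK."""
    names = [name for bit, name in TCP_FLAG_BITS if value & bit]
    return "+".join(names) if names else "NONE"

def parse_record(line):
    fields = re.findall(r'"([^"]*)"', line)
    if len(fields) < len(COLUMNS) + 1:
        return None
    rec = dict(zip(COLUMNS, fields))
    info = fields[-1]
    m = re.search(r"th_flags:\s*(\d+)", info)
    rec["flags"] = decode_th_flags(int(m.group(1))) if m else None
    m = re.search(r"message_info:\s*([^;]*)", info)
    rec["message"] = m.group(1).strip() if m else ""
    return rec

def out_of_state_drops(log_text):
    """Count out-of-state drops per (service, src, dst, flags), so a SYN+ACK
    coming back from the server side (reply to a timed-out or lost connection)
    can be told apart from other stray segments before any exception is made."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["action"] == "Drop" and "out of state" in rec["message"]:
            counts[(rec["service"], rec["src"], rec["dst"], rec["flags"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in out_of_state_drops(SAMPLE_LOG).most_common():
        print(n, *key)
```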

>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf
> Of Badhe, Ganesh [ETS/STL]
> Sent: 27 April 2004 14:51
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] FTP problem
>
>
> Hi Ian...
>
> We have not blocked any ftp command and I see this error not
> so frequently, not every time.
>
> I get the following message.
>
> "748072" "21Apr2004" "13:57:43" "VPN-1 & FireWall-1" "eth-s2p1c0"
> "emrnfw001" "Log" "Drop" "ftp" "Srvr_172.22.227.70"
> "Div_Srvr_192.168.3.2" "tcp" "" "52626" "" "th_flags: 18;
> message_info:
> TCP packet out of state; "
>
> Thanks and Regards,
> Ganesh
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf
> Of Ian Brown
> Sent: Tuesday, April 27, 2004 2:39 AM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] FTP problem
>
> Have a look in SmartDefense, and see if there is any ftp
> command blocking enabled.
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf
> Of Badhe, Ganesh [ETS/STL]
> Sent: 26 April 2004 21:29
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: [FW-1] FTP problem
>
>
> Hi
>
> I have Checkpoint NG FP3 and observed a particular FTP issue.
>
> I have allowed a firewall rule for FTP and still it drops FTP
> packets for particular functionality like deletion of a file.
>
> Does anyone have an idea what the issue could be?
>
> Thanks and Regards,
> Ganesh Badhe
>
>
> =================================================
> To set vacation, Out-Of-Office, or away messages, send an
> email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your subscription
> options, email fw-1-owner AT ts.checkpoint DOT com
> =================================================
