Re: Checkpoint vs FTP/PASV [Solved]



Thanks for the follow-up. I was wondering what it could be.

Take care,

Ray

"Ascadix" <ascadix.ng@xxxxxxx> wrote in message
news:466895e3$0$5078$ba4acef3@xxxxxxxxxxxxxxxxx
SmartDefense doesn't like that my FTP puts its public address in the PASV
answer while it is in my DMZ with a private IP; it needs the FTP to
answer with its private address, and the CheckPoint swaps private / public
IP while the PASV answer goes across the FW.

Hello

I have a problem with a Checkpoint FW.

I have set up an FTP server on my DMZ and added an FTP rule in my FW, but
clients have problems in some cases.

- connection: ok
- login / password: ok

- data exchange in PORT mode: all is ok.

- if a client tries to switch to PASV mode, the FW cuts the connection
when the server replies to PASV

The log on the FW is from the "SmartDefense" module:

* Attack name : FTP Bounce
* Attack Info : IP adress mismatch in PORT/227 command - header IP different from command IP
* service : ftp (21)
* source : X.X.X.X
* target : X.X.X.X

"source" is the IP of the FTP client (on the Internet)
"target" is the public IP address of my FTP server

When I check the logs on my FTP client and server:

- last line on the client before disconnect is: "PASV"
- last line on the server is "227 Entering Passive Mode (x,x,x,x,215,36)"
(x.x.x.x is the public IP of my FTP server, port is in the good range)

If I uncheck the "FTP Bounce protection" in the SmartDefense module,
no more problem, so I think that all rules are fine and the good ports are open...
just this damned SmartDefense problem.

Does anyone have an idea on this? Is it possible to correct something? If
possible, I'd prefer to reactivate this protection.

Sorry for my English... I don't use it very often.
Thanks in advance
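
The check named in the SmartDefense log above, as an added example that is not part of the original posts and is not Check Point's code: a simplified model that compares the address inside a 227 reply with the packet's source address, then rewrites it through static NAT. The addresses, `NAT_MAP` and both function names are constructed for illustration, and the model assumes the comparison happens before NAT is applied.

```python
import ipaddress
import re

# Constructed sample: DMZ server's private address -> its public (static NAT) address.
NAT_MAP = {ipaddress.IPv4Address("10.0.0.5"): ipaddress.IPv4Address("192.0.2.10")}

# "227 <text> (h1,h2,h3,h4,p1,p2)": four address bytes, two port bytes.
_PASV_RE = re.compile(r"^227 [^(]*\(" + ",".join([r"(\d{1,3})"] * 6) + r"\)")


def parse_227(reply):
    """Return (IPv4Address, port) advertised in a 227 reply; ValueError if malformed."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in 227 reply")
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]


def inspect_227(header_src, reply, nat_map=NAT_MAP):
    """Model of the bounce check: the IP in the reply must equal the packet source.

    Returns (verdict, reason, reply_as_forwarded_to_the_client_or_None).
    """
    cmd_ip, port = parse_227(reply)
    src = ipaddress.IPv4Address(header_src)
    if cmd_ip != src:
        # Server advertised an address that is not its own header address.
        return ("drop", "header IP %s differs from command IP %s" % (src, cmd_ip), None)
    # Addresses agree: translate the payload the same way the IP header is translated.
    public = nat_map.get(src, src)
    forwarded = "227 Entering Passive Mode (%s,%d,%d)" % (
        str(public).replace(".", ","), port >> 8, port & 0xFF)
    return ("accept", "ok", forwarded)


if __name__ == "__main__":
    # Server advertising its public address (blocked), then its private one (passes).
    for advertised in ("192,0,2,10", "10,0,0,5"):
        print(inspect_227("10.0.0.5", "227 Entering Passive Mode (%s,215,36)" % advertised))
```
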
