From: W on
With a Firewall-1 release 4 (may be next generation), our internal clients
are able to do an ftp active mode connection to some external ftp hosts, and
with others the connections do not work.

A sniffer and the Firewall-1 security log both pretty clearly show that for
the hosts that do not work, Firewall-1 sees the incoming ftp-data connection
as not being part of the outgoing ftp connection, and it rejects the
incoming ftp-data with the default firewall rule.

Both the connections that work and the ones that fail invoke the *identical*
line number of the firewall security rules, so it is not a rule issue.

I checked the system policy properties, and we do enable both active and
passive ftp with checkboxes.

Can someone explain why active ftp would work to some external hosts, but
not others?

--
W


From: Rick on
W wrote:
> With a Firewall-1 release 4 (may be next generation), our internal clients
> are able to do an ftp active mode connection to some external ftp hosts, and
> with others the connections do not work.
>
> A sniffer and the Firewall-1 security log both pretty clearly show that for
> the hosts that do not work, Firewall-1 sees the incoming ftp-data connection
> as not being part of the outgoing ftp connection, and it rejects the
> incoming ftp-data with the default firewall rule.
>
> Both the connections that work and the ones that fail invoke the *identical*
> line number of the firewall security rules, so it is not a rule issue.
>
> I checked the system policy properties, and we do enable both active and
> passive ftp with checkboxes.
>
> Can someone explain why active ftp would work to some external hosts, but
> not others?
>

I recall that active ftp can choose to use different ports. If external
hosts have those ports blocked then ftp will fail.

Most recommendations I see are that one use 'passive' ftp. BICBW.
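To make the behaviour W describes and Rick's point about ports concrete, here is an added illustration (not code from the thread, and not Check Point's inspection code): a simplified model of how a stateful firewall derives an "expected" inbound ftp-data connection from the PORT command it sees on the outbound control channel, and a checker that explains why an observed inbound SYN does or does not match that expectation. The addresses are constructed, and the assumption that the data connection must originate from port 20 on the same peer as the control session is a modelling choice, not a statement about any particular Firewall-1 release.

```python
import re
from dataclasses import dataclass

# Active-mode PORT command: "PORT h1,h2,h3,h4,p1,p2" (RFC 959 syntax).
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


@dataclass(frozen=True)
class Expectation:
    server_ip: str    # remote ftp server the control session went to
    client_ip: str    # address the client advertised in PORT
    client_port: int  # port the client advertised in PORT


def parse_port_command(line: str):
    """Return (ip, port) advertised by a PORT command, or None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(octet > 255 for octet in (h1, h2, h3, h4, p1, p2)):
        return None  # each field is one byte; anything larger is not valid
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def expectation_from_control(client_ip: str, server_ip: str, line: str):
    """Build the pending-connection entry a stateful firewall would record
    when it sees the client send PORT on the control channel (model only)."""
    parsed = parse_port_command(line)
    if parsed is None:
        return None
    advertised_ip, advertised_port = parsed
    if advertised_ip != client_ip:
        # Constructed caveat: a client behind NAT advertises its private
        # address; without address rewriting the server cannot reach it.
        return None
    return Expectation(server_ip, advertised_ip, advertised_port)


def classify_inbound(exp: Expectation, src_ip: str, src_port: int,
                     dst_ip: str, dst_port: int, require_port_20: bool = True):
    """Say whether an inbound SYN matches the expectation, and if not, why.
    require_port_20 is an assumed policy knob: strict mode insists the server
    open ftp-data from TCP/20, as the classic active-mode convention does."""
    reasons = []
    if src_ip != exp.server_ip:
        reasons.append(f"source {src_ip} is not the control peer {exp.server_ip}")
    if require_port_20 and src_port != 20:
        reasons.append(f"source port {src_port} is not ftp-data (20)")
    if (dst_ip, dst_port) != (exp.client_ip, exp.client_port):
        reasons.append(f"destination {dst_ip}:{dst_port} != advertised "
                       f"{exp.client_ip}:{exp.client_port}")
    return "accept" if not reasons else "drop: " + "; ".join(reasons)
```

Feeding the checker the PORT line from the control channel and the inbound SYN from the sniffer trace shows which field the data connection fails on, which is the first thing to compare between a working and a failing external host.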