| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
FTP to some sites fails

There are several different types of sites or proxy configurations that might make FTP fail when passing through FireWall-1.

Some of the sites do not send newlines in the same packet as the PORT command. Refer to FTPAndNewlines for more information.

Another possibility is the FTP Data connection is not originating from port 20. FireWall-1 does not, by default, accept FTP Data connections that come from ports other than 20 unless it is a PASV connection. You can modify FireWall-1. Refer to FTP on non-standard ports for details.

Some "suspicious" FTP packets may get dropped in NG AI and above due to enhanced checks on FTP. To prevent FireWall-1 from dropping these packets (and instead rendering them harmless), modify the following line in $FWDIR/lib/base.def on the management station (this will not affect FireWall-1 NG FP3 and earlier versions):

    // #define FTP_CHECK_PACKET

This should be changed to the following and then the policy must be reinstalled on the gateways:

    #define FTP_CHECK_PACKET

If a reset packet is seen from the FTP server to FTP client, you may need to increase the Maximum Segment Size (MSS) on your firewall. This is usually only a problem on IPSO. Increase the Maximum Segment Size (MSS) on IPSO by issuing the following command:

    # ipsctl -w net:ip:tcp:default_mss 1460

Nokia customers should also refer to KB 3306 in Nokia's Knowledge Base for additional information.

-- PhoneBoy - 16 Jan 2004
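A small diagnostic aid for the first two causes above, as an added example that is not part of the original FAQ and not Check Point code: given the client-to-server control-channel TCP payloads from a capture and the source port of the data connection, it reports which condition applies. The function names, finding labels and sample payloads are constructed for illustration.

```python
import re

# RFC 959 active-mode command: PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})", re.I)


def parse_port(line: bytes):
    """Return (ip, port) announced by a PORT command line, or None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def diagnose(segments, data_src_port=None, passive=False):
    """Classify a failing FTP session against the causes listed in the FAQ.

    segments      -- payload of each client->server control-channel TCP segment, in order
    data_src_port -- source port the server used for the data connection (active mode)
    passive       -- True if the session used PASV
    """
    findings = []
    for seg in segments:
        for line in seg.splitlines(keepends=True):
            if not line.upper().startswith(b"PORT "):
                continue
            if not line.endswith(b"\n"):
                # Newline arrives in a later segment than the PORT command itself.
                findings.append("port-without-newline")
            elif parse_port(line) is None:
                findings.append("port-malformed")
    # Active-mode data connections are expected to originate from port 20.
    if data_src_port is not None and not passive and data_src_port != 20:
        findings.append("data-src-port-not-20")
    return findings


if __name__ == "__main__":
    # Constructed sample: PORT and its CRLF arrive in separate segments.
    sample = [b"USER anonymous\r\n", b"PORT 192,0,2,10,7,138", b"\r\n"]
    print(diagnose(sample, data_src_port=1025))
```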