CPUG - The Check Point User Group: A Resource For The Check Point Community. Fast. Useful. Independent.
Hi everybody, I am new to the forum, great place to find information about Check Point! I am just in the process of setting up an NGX R65 SPLAT cluster on Dell hardware and can't get FTP to work from my Linux servers (besides miserable performance). Windows clients work just fine; as far as I can say the secure server does not like AUTH or SYST commands and closes the control connection to the outside world on receiving them. All commands are allowed in SmartDefense, so I am really unsure what is happening here. If I disallow all commands in SD, QUIT (and the others) start to produce similar effects, but I can't get AUTH and SYST to work. Sadly support has no idea as well, so I am asking you if you have seen this and know a remedy. Thanks in advance, Florian
Hello Florian, are you using an FTP resource object? Please provide us with the FTP accept rule configured for this communication and with the entry in SmartView Tracker that shows the FTP connection traffic. Best regards, Danny Trommer CCSA/CCSE/CCSE+
Hi Danny, thanks for looking into this. I do not use a resource object. The rule is fairly trivial:

```text
internal network | any | any traffic | ftp, ftp-bidir, ftp-pasv, ftp-port | accept | log | * | any
```

Tracker shows the outgoing/incoming FTP traffic on a Windows connection just fine:

```text
Number: 279392
Date: 9Aug2007
Time: 14:19:48
Product: VPN-1 Power/UTM
Interface: eth1
Origin: optaukcp01
Type: Log
Action: Accept
Protocol: tcp
Service: ftp (21)
Source: LEONIS
Destination: ftp.mozilla.org
Rule: 8
Current Rule Number: 8-Standard
Rule Name: Outgoing ftp
Source Port: 57012
User: <no_auth>
NAT additional rule number: 0
NAT rule number: 49
Reason: Non-auth login: anonymous
Rule UID: {40BB2E76-131F-475C-AA16-39325614AB60}
SmartDefense Profile: Default_Protection
XlateSPort: 43614
XlateSrc: optauk_cpcluster01
Policy Info: Policy Name: Standard
Created at: Thu Aug 09 11:43:17 2007
Installed from: optats01
```

Failing Linux ones are neither accepted nor dropped, as they already fail on setup with the secure FTP server. Thanks, Florian
(1) Please connect to your firewall cluster and make sure that the member is active.

```text
[Expert@optauk_cpcluster01]# cphaprob stat
```

(2) Enter the following command:

```text
[Expert@optauk_cpcluster01]# fw monitor -e 'accept((src=63.245.208.138) or (dst=63.245.208.138));'
```

(3) Connect to LEONIS.

(4) Enter the following command:

```text
LEONIS:~ # ftp ftp.mozilla.org 21
```

Login as anonymous user (if possible).

(5) Go back to your firewall. Enter Ctrl-C to stop. Copy and paste us the output.

Btw, you shouldn't need to define ftp, ftp-bidir, ftp-pasv, ftp-port all together. Just ftp (TCP port 21) will do fine. As a test, please create a new TCP object 'port_21' with Port: 21. Uncheck 'Match for Any' but DON'T touch other settings. Temporarily change ftp, ftp-bidir, ftp-pasv, ftp-port from port 21 to port 2121. Use the new object port_21 in your rule #8. Install the policy and check if it works.

Best regards, Danny Trommer CCSA/CCSE/CCSE+
Hi Danny, please find the requested output below:

```text
[Expert@optaukcp01]# fw monitor -e 'accept((src=63.245.208.138) or (dst=63.245.208.138));'
monitor: getting filter (from command line)
monitor: compiling
monitorfilter: Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
eth0:i[60]: 172.17.143.12 -> 63.245.208.138 (TCP) len=60 id=2978
TCP: 32904 -> 21 .S.... seq=b287b37b ack=00000000
eth0:O[52]: 63.245.208.138 -> 172.17.143.12 (TCP) len=52 id=0
TCP: 21 -> 32904 .S..A. seq=217d5d26 ack=b287b37c
eth0:i[40]: 172.17.143.12 -> 63.245.208.138 (TCP) len=40 id=2980
TCP: 32904 -> 21 ....A. seq=b287b37c ack=217d5d27
eth0:O[108]: 63.245.208.138 -> 172.17.143.12 (TCP) len=108 id=3600
TCP: 21 -> 32904 ...PA. seq=217d5d27 ack=b287b37c
eth0:i[40]: 172.17.143.12 -> 63.245.208.138 (TCP) len=40 id=2982
TCP: 32904 -> 21 ....A. seq=b287b37c ack=217d5d6b
eth0:i[53]: 172.17.143.12 -> 63.245.208.138 (TCP) len=53 id=2984
TCP: 32904 -> 21 ...PA. seq=b287b37c ack=217d5d6b
eth0:O[40]: 63.245.208.138 -> 172.17.143.12 (TCP) len=40 id=3601
TCP: 21 -> 32904 ....A. seq=217d5d6b ack=b287b389
eth0:O[40]: 63.245.208.138 -> 172.17.143.12 (TCP) len=40 id=3602
TCP: 21 -> 32904 F...A. seq=217d5d6b ack=b287b389
eth0:i[40]: 172.17.143.12 -> 63.245.208.138 (TCP) len=40 id=2986
TCP: 32904 -> 21 F...A. seq=b287b389 ack=217d5d6c
eth0:O[40]: 63.245.208.138 -> 172.17.143.12 (TCP) len=40 id=3603
TCP: 21 -> 32904 ....A. seq=217d5d6c ack=b287b38a
monitor: caught sig 2
monitor: unloading
```

Again, I do not even get to connect, the Secure FTP Server is dropping the connection on the first AUTH or SYST sent... Here's an example with AUTH:

```text
[root@devmdbb bin]# ftp -d ftp.mozilla.org 21
Connected to manna.mozilla.org.
220 Check Point FireWall-1 Secure FTP server running on optaukcp01
---> AUTH GSSAPI
421 Service not available, remote server has closed connection
---> AUTH KERBEROS_V4
No control connection for command: Illegal seek
KERBEROS_V4 rejected as an authentication type
Name (ftp.mozilla.org:root): anonymous
---> USER anonymous
No control connection for command: No such file or directory
Login failed.
---> SYST
No control connection for command: No such file or directory
ftp> bye
[root@devmdbb bin]#
```

Example without AUTH:

```text
[root@devmdbb bin]# ftp -d -u ftp.mozilla.org 21
Connected to manna.mozilla.org.
220 Check Point FireWall-1 Secure FTP server running on optaukcp01
---> SYST
421 Service not available, remote server has closed connection
ftp> bye
```

Example from Win:

```text
C:\Users\florian>ftp -d ftp.mozilla.org
Verbindung mit manna.mozilla.org wurde hergestellt.
220 Check Point FireWall-1 Secure FTP server running on optaukcp01
Benutzer (manna.mozilla.org:(none)): anonymous
---> USER anonymous
331 (not authenticated): Enter server password
Kennwort:
---> PASS florian@
230-Connected to server. Logging in...
230-220 (vsFTPd 2.0.1)
230-331 Please specify the password.
230
230 Login successful.
ftp> ls
---> PORT 172,17,142,146,223,164
200 PORT command successful. Consider using PASV.
---> NLST
150 Here comes the directory listing.
pub
226 Directory send OK.
FTP: 5 Bytes empfangen in 0,00Sekunden 2,50KB/s
ftp> bye
---> QUIT
221 Goodbye.
```

So this is related to the secure server in my humble opinion - but I know way too little about CP to make a call on it... Thanks for looking into this, Florian
From what I can see there is some kind of misconfiguration.

fw monitor agenda:

- i .. incoming connection pre network kernel
- I .. incoming connection after passing network kernel
- o .. outgoing connection pre network kernel
- O .. outgoing connection after network kernel

Now look what you got:

```text
eth0:i[60]: 172.17.143.12 -> 63.245.208.138 (TCP)
eth0:O[52]: 63.245.208.138 -> 172.17.143.12 (TCP)
```

That's all. Your internal Linux host opens an FTP connection and the firewall receives this packet on its external interface eth0? Then the following traffic is not getting logged: IoO -> iIo. But the last upper O is getting logged again. Since I don't know better I'd say you have a strange NAT configuration or there is something wrong with your network cables. However, since manna.mozilla.org answers, the general connectivity seems to work. But then you are going to AUTH with Kerberos_v4, which is not supported by the mozilla server.

> No control connection for command: Illegal seek
> KERBEROS_V4 rejected as an authentication type

Without a proper control connection all further steps won't work. I've tested it under Linux and it works fine. Please check that your Linux config is working properly. Use a Knoppix CD to make a simple FTP test from a Live Linux CD. Your Windows FTP client is not trying to come up with Kerberos. That is why it works.

Best regards, Danny Trommer CCSA/CCSE/CCSE+
Hi Danny, thanks again for looking into this! OK, my config is: Internal Net <-> eth0(NAT) - eth1 <-> External Net. So if I understand this correctly, the FW only sends one packet to Mozilla before breaking off, as the Secure FTP server does not pass on the AUTH and SYST FTP commands. Funnily enough, if I use /usr/bin/ftp instead of /usr/kerberos/bin/ftp (my default), it works just fine - this will be my official workaround until CP resolves Kerberos FTP with the secure FTP server. Is there any way to configure the FTP commands allowed besides the SD configuration? As far as I can say the server blocks some commands regardless of what I set there. Thanks, Florian
I'm glad it works now for you. To restrict allowed FTP commands just create an FTP resource object and use this one instead of a plain ftp or ftp-port object. Best regards, Danny Trommer CCSA/CCSE/CCSE+
Hi everybody, here's the official "solution":

Solution ID: #sk19288
Product: VPN-1 Pro (VPN-1/FW-1)
Version: NG, NG AI
Last Modified: 12-Mar-2007

Symptoms

* RedHat 8 Linux FTP client cannot logon to any FTP servers when an FTP security server is enabled on the firewall
* The FTP session is closed by the firewall as soon as the FTP username is entered during the logon phase

Cause

The FTP client is trying to use Kerberos authentication to logon to the FTP server. The reason the security server blocks the connection is because the client sends the AUTH command before the USER command, whereas the security server by default blocks all commands that come before the USER command.

Solution

This issue occurs with the RedHat 8 Linux FTP client, and potentially any other KRB5 enabled FTP client. If an FTP security server is not in use on the firewall, the client will be able to logon to the FTP server, but the following error message may be generated by the FTP client:

```text
KERBEROS_V4 rejected as an authentication type
```

The FTP security server closes the connection, because the FTP client sends the "AUTH" command instead of the "USER" command to the FTP server. "AUTH" is not an allowed command by the FireWall-1 FTP security server. To resolve this issue, remove Kerberos authentication on the FTP client. One way to accomplish this is to remove /usr/kerberos/* from the $PATH variable on the RedHat 8 FTP client.

Thanks to Danny in helping me get to the bottom of this! Best regards, Florian
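As an added illustration (not Check Point's code and not posted by anyone in this thread), the following Python models the rule quoted from sk19288 on a loopback socket: a constructed FTP security server that answers any command received before USER with the 421 seen in the transcripts above and drops the control connection. Replaying the three command orders from the thread (AUTH first, SYST first, USER first) reproduces the three outcomes; apart from the quoted 220/421/331 texts, every reply and the server itself are assumptions of the model.

```python
import socket
import threading
# Constructed model of the FTP security server rule quoted from sk19288: any command
# that arrives before USER is answered with 421 and the control connection is closed.
BANNER = b"220 Check Point FireWall-1 Secure FTP server (constructed model)\r\n"
REFUSE = b"421 Service not available, remote server has closed connection\r\n"

def _serve_one(conn):
    with conn:
        conn.sendall(BANNER)
        buf, seen_user = b"", False
        while data := conn.recv(1024):            # empty read: client went away
            buf += data
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                verb = line.split(b" ", 1)[0].upper()
                if not seen_user and verb != b"USER":
                    conn.sendall(REFUSE)          # AUTH, SYST, ... before USER
                    return                        # leaving 'with' closes the socket
                if verb == b"USER":
                    seen_user = True
                    conn.sendall(b"331 (not authenticated): Enter server password\r\n")
                elif verb == b"QUIT":
                    conn.sendall(b"221 Goodbye.\r\n")
                    return
                else:                             # constructed: anything after USER passes
                    conn.sendall(b"200 OK\r\n")

def start_model_server():
    """Serve the model on a free loopback port, one connection at a time; return the port."""
    srv = socket.create_server(("127.0.0.1", 0))
    def loop():
        while True:
            _serve_one(srv.accept()[0])
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def run_client(port, commands):
    """Send commands in order and return the reply codes ('closed' if the server just hangs up)."""
    codes = []
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        f = s.makefile("rb")
        codes.append(f.readline()[:3].decode())   # the 220 banner
        for cmd in commands:
            s.sendall(cmd.encode() + b"\r\n")
            reply = f.readline()
            codes.append(reply[:3].decode() if reply else "closed")
            if not reply or reply.startswith(b"421"):   # 421: control connection is gone
                break
    return codes
```

The Kerberos client's opening AUTH and the `ftp -u` client's opening SYST both end at the 421, while the Windows client's USER-first order gets the 331 and continues, which is exactly the difference the thread observed behind the same accept rule.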