Operating System - HP-UX

FTP Server connection via Checkpoint firewall

 
Youlette Etienne_2
Regular Advisor

Hello everyone,

I have a wu-ftp server that is on an e25, OS 11.0. The server has been placed in the DMZ and only ftp is allowed to this server via the Checkpoint version 4 firewall. Internally, only one UX server will be allowed to ftp to the e25. We are still in the development/testing phase and the firewall currently allows any ftp connection.

We are encountering the following problem. We were able to open an ftp connection from the k200 to the e25, and log in as a restricted user. However, we could not establish another concurrent ftp connection from the k200 or from any other source. The network admin could see that a connection was established via some tool on the network, however, the 'ftp open IP address' command froze. Neither 'netstat -a' nor the syslog.log file showed any established ftp connections. The second ftp session would then timeout.

When I used the close/bye command to exit the first ftp session, it seemed to freeze for a few minutes. I would then have to use ctrl+C to close the session. 'netstat -a' and the syslog.log files would show that the connection was terminated.

Then, when I attempt to open a new session from the k200, after closing the first session, the network would show that there is a connection, but the ftp would, again, not connect, and would timeout.

'netstat -a' lists ftp as 'LISTENING'. To establish another ftp session, I have to reboot the e25/ftp server. Then the same problem occurs.

One more thing, with an established ftp connection, I can initiate a local ftp connection on the server itself.

Before the server was placed in the DMZ, I set up wu-ftp and was able to open concurrent ftp sessions, even after disabling ports in /etc/services.

Since the firewall is a checkpoint firewall, HP no longer supports this as of May last year. Before I have the network admin contact their firewall support, I wanted to get some input from the forum first, since I have gotten help on several problems. Any help will be greatly appreciated.

Please let me know if you need additional information.

Thanks

Youlette
Thanks
If at first you don't succeed, change the rules!
James A. Donovan
Honored Contributor

Re: FTP Server connection via Checkpoint firewall

Just a thought...Are you running the ftp service in daemon mode or via inetd? One possible explanation of the behavior you are seeing could be if your FTP server was running FTP via inetd, and inetd.conf specified "wait" instead of "nowait", i.e. single-threaded vs. multi-threaded.
Remember, wherever you go, there you are...
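The wait/nowait distinction above is the kind of thing that is easy to miss by eye in a long inetd.conf. The following is an added checker, not code from the thread or from HP-UX, that parses inetd.conf-style lines and flags any stream (TCP) service configured with "wait"; for such a service inetd hands the listening socket to a single child and accepts no further connection until that child exits, which matches a second ftp login hanging until the first session closes. The sample configuration is constructed for the example (paths follow the HP-UX 11 layout but are not taken from the poster's system).

```python
import re

# Constructed sample of /etc/inetd.conf lines; the 'wait' on the ftp line is the
# misconfiguration being looked for.  tftp is a datagram service, for which
# 'wait' is the normal setting and must not be flagged.
SAMPLE_INETD_CONF = """\
# Internet server configuration database (constructed sample)
ftp    stream tcp wait   root /usr/lbin/ftpd    ftpd -l
telnet stream tcp nowait root /usr/lbin/telnetd telnetd
tftp   dgram  udp wait   root /usr/lbin/tftpd   tftpd
#finger stream tcp nowait bin /usr/lbin/fingerd fingerd
"""


def parse_inetd_conf(text):
    """Return one dict per active (uncommented, well-formed) service line.

    Field order is the classic one: service, socket type, protocol,
    wait/nowait, user, server path, then the server's argv (argv[0] included).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            # Too short to be a service definition; skip rather than guess.
            continue
        entries.append({
            "service": fields[0],
            "socket": fields[1],
            "proto": fields[2],
            "wait": fields[3],
            "user": fields[4],
            "server": fields[5],
            "argv": fields[6:],
        })
    return entries


def find_single_threaded_stream_services(text):
    """Names of stream services whose wait field is 'wait'.

    Some inetd implementations allow a '.max' suffix (e.g. nowait.40); strip it
    so only the wait/nowait keyword is compared.
    """
    flagged = []
    for entry in parse_inetd_conf(text):
        mode = entry["wait"].split(".")[0].lower()
        if entry["socket"] == "stream" and mode == "wait":
            flagged.append(entry["service"])
    return flagged


if __name__ == "__main__":
    # To check a real host, replace SAMPLE_INETD_CONF with
    # open("/etc/inetd.conf").read().
    for name in find_single_threaded_stream_services(SAMPLE_INETD_CONF):
        print("%s: stream service configured with 'wait'; only one connection at a time" % name)
```

Against the sample this reports only ftp; telnet is nowait and tftp is a datagram service. After changing the field to nowait, inetd must be told to re-read its configuration before the change takes effect.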
Steven Sim Kok Leong
Honored Contributor

Re: FTP Server connection via Checkpoint firewall

Hi,

Special care has to be taken between passive and non-passive FTP connections. Your control connections would go through the firewall but your data connections may have been blocked.

First, check the Checkpoint firewall log for any dropped or rejected packets to and from the FTP client and FTP server. If there are any drops, identify the rule to add to ensure that the FTP data connection is accepted.

In my environment, a range of ports has to be opened at the FTP server (source) to port 20,21 of the FTP client (destination) in the firewall rulebase.

Hope this helps. Regards.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com
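The reply above turns on which side opens the FTP data connection, which is decided on the control channel: a client PORT command (active mode) tells the server where the client is listening, and a server 227 reply to PASV (passive mode) tells the client where the server is listening. The following added example, not code from the thread, decodes both forms per RFC 959 (address and port sent as six decimal fields, port = p1*256 + p2) and states the firewall rule each data connection needs. It also flags an advertised address that differs from the peer's known address, which is what a NAT device produces when it rewrites the IP header but not the FTP payload; the other side then connects to an unreachable address and the transfer hangs. The transcript, addresses and ports are constructed for the example; the assumption that active-mode data connections originate from server port 20 is the RFC 959 default.

```python
import re

# RFC 959 endpoint encoding: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
SIX_FIELDS = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + SIX_FIELDS + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\(" + SIX_FIELDS + r"\)")


def decode_endpoint(groups):
    """Turn the six decimal fields into (ip, port); reject out-of-range values."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in FTP endpoint: %r" % (groups,))
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def data_connection(direction, line, client_ip, server_ip):
    """Describe the data connection announced by one control-channel line.

    direction is 'client' for commands or 'server' for replies.  Returns None
    for lines that do not set up a data connection.  'initiator' is the host
    that will open the TCP connection and 'listener' the (ip, port) it connects
    to; a firewall between the two must accept exactly that direction.
    'address_mismatch' is True when the advertised address is not the peer's
    known address (the NAT symptom described in the lead-in).
    """
    if direction == "client":
        m = PORT_RE.match(line)
        if not m:
            return None
        ip, port = decode_endpoint(m.groups())
        return {"mode": "active", "initiator": server_ip, "src_port": 20,
                "listener": (ip, port), "address_mismatch": ip != client_ip}
    if direction == "server":
        m = PASV_RE.match(line)
        if not m:
            return None
        ip, port = decode_endpoint(m.groups())
        return {"mode": "passive", "initiator": client_ip, "src_port": None,
                "listener": (ip, port), "address_mismatch": ip != server_ip}
    return None


def analyse_session(transcript, client_ip, server_ip):
    """Run data_connection over a list of (direction, line) pairs."""
    found = []
    for direction, line in transcript:
        conn = data_connection(direction, line, client_ip, server_ip)
        if conn is not None:
            found.append(conn)
    return found


def describe_rule(conn):
    """One-line statement of the rule the firewall must accept for this data connection."""
    ip, port = conn["listener"]
    if conn["src_port"] is None:
        src = conn["initiator"]                      # client picks an ephemeral source port
    else:
        src = "%s:%d" % (conn["initiator"], conn["src_port"])
    return "%s data: allow TCP from %s to %s:%d" % (conn["mode"], src, ip, port)


# Constructed control-channel transcript (addresses and ports are made up).
CLIENT_IP = "10.0.0.5"
SERVER_IP = "192.168.1.20"
SAMPLE_TRANSCRIPT = [
    ("client", "USER testuser"),
    ("server", "331 Password required for testuser."),
    ("client", "PORT 10,0,0,5,4,1"),                               # client listens on 10.0.0.5:1025
    ("server", "200 PORT command okay."),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (192,168,1,20,7,209)"),  # server listens on :2001
]

if __name__ == "__main__":
    for conn in analyse_session(SAMPLE_TRANSCRIPT, CLIENT_IP, SERVER_IP):
        note = "  <-- advertised address does not match peer" if conn["address_mismatch"] else ""
        print(describe_rule(conn) + note)
```

For the sample transcript this prints one rule for the active transfer (server port 20 to the client's 10.0.0.5:1025) and one for the passive transfer (client to 192.168.1.20:2001). Whichever mode the client uses, the firewall log check suggested above should show drops on exactly the connection the corresponding rule describes; if the flagged mismatch appears instead, the problem is address translation of the FTP payload rather than a missing rule.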