Checkpoint vs FTP/PASV
on 02.06.2007 18:16:55 by Ascadix
Hello
I have a problem with a Checkpoint FW.
I have set up an FTP server in my DMZ and added an FTP rule in my FW, but clients
have problems in some cases:
- connection: ok
- login / password: ok
- data exchange in PORT mode: all is ok.
- if a client tries to switch to PASV mode, the FW cuts the connection when the
server replies to PASV.
The log on the FW is from the "SmartDefense" module:
* Attack name : FTP Bounce
* Attack Info : IP adress mismatch in PORT/227 command - header IP
* different from command IP
* service : ftp (21)
* source : X.X.X.X
* target : X.X.X.X
"source" is the IP of the FTP client (on the Internet)
"target" is the public IP address of my FTP server
When I check the logs on my FTP client and server:
- last line on the client before disconnect is: "PASV"
- last line on the server is "227 Entering Passive Mode (x,x,x,x,215,36)" (
x.x.x.x is the public IP of my FTP server, the port is in the good range)
If I uncheck the "FTP Bounce protection" in the SmartDefense module, no more
problem, so I think that all rules are fine and the right ports are open; just this
damned SmartDefense problem.
Does anyone have an idea on this? Is it possible to correct something? If
possible, I'd prefer to reactivate this protection.
Sorry for my English; I don't use it very often.
Thanks in advance
--
@+
Ascadix
Valid e-mail address, but add "sesame" to the subject so that it gets through.
Re: Checkpoint vs FTP/PASV
on 06.06.2007 22:57:19 by CosmicV
On Jun 2, 11:16 am, "Ascadix" wrote:
> Hello
>
> I have a problem with a Checkpoint FW.
>
> I have set up an FTP server in my DMZ and added an FTP rule in my FW, but clients
> have problems in some cases:
>
> - connection: ok
> - login / password: ok
>
> - data exchange in PORT mode: all is ok.
>
> - if a client tries to switch to PASV mode, the FW cuts the connection when the
> server replies to PASV.
>
> The log on the FW is from the "SmartDefense" module:
>
> * Attack name : FTP Bounce
> * Attack Info : IP adress mismatch in PORT/227 command - header IP
> * different from command IP
> * service : ftp (21)
> * source : X.X.X.X
> * target : X.X.X.X
>
> "source" is the IP of the FTP client (on the Internet)
> "target" is the public IP address of my FTP server
>
> When I check the logs on my FTP client and server:
>
> - last line on the client before disconnect is: "PASV"
> - last line on the server is "227 Entering Passive Mode (x,x,x,x,215,36)" (
> x.x.x.x is the public IP of my FTP server, the port is in the good range)
>
> If I uncheck the "FTP Bounce protection" in the SmartDefense module, no more
> problem, so I think that all rules are fine and the right ports are open; just this
> damned SmartDefense problem.
>
> Does anyone have an idea on this? Is it possible to correct something? If
> possible, I'd prefer to reactivate this protection.
>
> Sorry for my English; I don't use it very often.
> Thanks in advance
>
> --
> @+
> Ascadix
> Valid e-mail address, but add "sesame" to the subject so that it gets through.
Is this connection to your FTP server being NATed per chance? I could
understand the problem if that's the case.
Re: Checkpoint vs FTP/PASV [Solved]
on 08.06.2007 00:52:23 by Ascadix
SmartDefense doesn't like that my FTP server puts its public address in the PASV
answer while it is in my DMZ with a private IP; it needs the FTP server to answer
with its private address, and the CheckPoint swaps the private / public IP while
the PASV answer goes across the FW.
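To make the cause concrete, here is an added Python model (not code from the thread or from Check Point) of the two steps the firewall applies to a 227 reply: the FTP Bounce consistency check between the IP header source and the address inside the command, and the NAT rewrite of the 227 payload once that check passes. The private DMZ address 10.10.0.5, the public address 203.0.113.10 and the replies are constructed.

```python
import re
import ipaddress

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_227(reply):
    """Return (ip, port) advertised in a 227 reply, or None if it is malformed."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        return None
    ip = ".".join(str(v) for v in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def bounce_check(header_src_ip, reply):
    """Model of the FTP Bounce check: the address inside the 227 command must equal
    the source address in the IP header of the packet that carries it."""
    parsed = parse_227(reply)
    if parsed is None:
        return "drop: malformed 227 reply"
    adv_ip, port = parsed
    if ipaddress.ip_address(adv_ip) != ipaddress.ip_address(header_src_ip):
        return "drop: IP address mismatch (header %s, command %s)" % (header_src_ip, adv_ip)
    return "pass: data connection to %s:%d" % (adv_ip, port)


def nat_rewrite_227(reply, private_ip, public_ip):
    """Model of the FTP ALG: after the check, rewrite the server's private DMZ address
    in the 227 payload to the public address the Internet client can reach."""
    parsed = parse_227(reply)
    if parsed is None or parsed[0] != private_ip:
        return reply
    port = parsed[1]
    return "227 Entering Passive Mode (%s,%d,%d)" % (public_ip.replace(".", ","), port // 256, port % 256)


def passive_reply_through_fw(header_src_ip, reply, private_ip, public_ip):
    """Check first, then rewrite; returns the verdict and the reply the client sees (None if dropped)."""
    verdict = bounce_check(header_src_ip, reply)
    if not verdict.startswith("pass"):
        return verdict, None
    return verdict, nat_rewrite_227(reply, private_ip, public_ip)


if __name__ == "__main__":
    private, public = "10.10.0.5", "203.0.113.10"   # constructed DMZ / public addresses
    # Failing setup from the thread: server advertises its public address, header carries the private one.
    print(passive_reply_through_fw(private, "227 Entering Passive Mode (203,0,113,10,215,36)", private, public))
    # Fix from the thread: server advertises its private address and the firewall rewrites it on the way out.
    print(passive_reply_through_fw(private, "227 Entering Passive Mode (10,10,0,5,215,36)", private, public))
```

The first call reproduces the "header IP different from command IP" drop; the second passes the check and the client receives a 227 carrying the public address and the same port (215,36 = 55076).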
Re: Checkpoint vs FTP/PASV [Solved]
on 09.06.2007 04:28:30 by jj
Thanks for the follow-up. I was wondering what it could be.
Take care,
Ray
"Ascadix" wrote in message
news:466895e3$0$5078$ba4acef3@news.orange.fr...