Understanding TCP SYN ACK and discards

on 23.08.2007 16:50:50 by frankgrimesjr

I'm having a bit of a problem running an application through my firewall.
I THOUGHT I had all of the correct ports open, but am still having
difficulty.
It's supposed to just be using FTP (p21)
Can someone shed some light on the following?
69.157.73.126 - WAN IP
192.168.1.5 - LAN IP
226.232.132.19 - EX HOST IP

discard from 192.168.1.5 port 1172 to 226.232.132.19 port 49371 TCP
SYN ACK (default)

discard from 226.232.132.19 port 49371 to 69.157.73.126 port 35526 TCP
SYN
(Sequence number not within expected range, possible attack )

discard from 192.168.1.5 port 1172 to 226.232.132.19 port 49371 TCP
SYN ACK (default)

discard from 226.232.132.19 port 49371 to 69.157.73.126 port 35526 TCP
SYN
(Sequence number not within expected range, possible attack )

discard from 192.168.1.5 port 1172 to 226.232.132.19 port 49371 TCP
SYN ACK (default)

Thanks!

Re: Understanding TCP SYN ACK and discards

on 23.08.2007 17:00:09 by Ansgar -59cobalt- Wiechers

Frank G wrote:
> I'm having a bit of a problem running an application through my firewall.
> I THOUGHT I had all of the correct ports open, but am still having
> difficulty.
> It's supposed to just be using FTP (p21)
> Can someone shed some light on the following?
> 69.157.73.126 - WAN IP
> 192.168.1.5 - LAN IP
> 226.232.132.19 - EX HOST IP
>
> discard from 192.168.1.5 port 1172 to 226.232.132.19 port 49371 TCP
> SYN ACK (default)
>
> discard from 226.232.132.19 port 49371 to 69.157.73.126 port 35526 TCP
> SYN
> (Sequence number not within expected range, possible attack )
>
> discard from 192.168.1.5 port 1172 to 226.232.132.19 port 49371 TCP
> SYN ACK (default)
>
> discard from 226.232.132.19 port 49371 to 69.157.73.126 port 35526 TCP
> SYN
> (Sequence number not within expected range, possible attack )
>
> discard from 192.168.1.5 port 1172 to 226.232.132.19 port 49371 TCP
> SYN ACK (default)

Could it be you're using passive FTP? FTP is one of the protocols that
use more than one connection (for details see [1]). To allow FTP to
traverse NATing firewalls you need connection tracking to match the
second (data) connection to the first (control) connection.

[1] http://slacksite.com/other/ftp.html

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Understanding TCP SYN ACK and discards

on 23.08.2007 17:32:35 by frankgrimesjr

Thanks, that DOES shed some light!

On Aug 23, 11:00 am, Ansgar -59cobalt- Wiechers wrote:
> Frank G wrote:
> > I'm having a bit of a problem running an application through my firewall.
> > I THOUGHT I had all of the correct ports open, but am still having
> > difficulty.
> > It's supposed to just be using FTP (p21)
> > Can someone shed some light on the following?
> > 69.157.73.126 - WAN IP
> > 192.168.1.5 - LAN IP
> > 226.232.132.19 - EX HOST IP
>
> > discard from 192.168.1.5 port 1172 to 226.232.132.19 port 49371 TCP
> > SYN ACK (default)
>
> > discard from 226.232.132.19 port 49371 to 69.157.73.126 port 35526 TCP
> > SYN
> > (Sequence number not within expected range, possible attack )
>
> > discard from 192.168.1.5 port 1172 to 226.232.132.19 port 49371 TCP
> > SYN ACK (default)
>
> > discard from 226.232.132.19 port 49371 to 69.157.73.126 port 35526 TCP
> > SYN
> > (Sequence number not within expected range, possible attack )
>
> > discard from 192.168.1.5 port 1172 to 226.232.132.19 port 49371 TCP
> > SYN ACK (default)
>
> Could it be you're using passive FTP? FTP is one of the protocols that
> use more than one connection (for details see [1]). To allow FTP to
> traverse NATing firewalls you need connection tracking to match the
> second (data) connection to the first (control) connection.
>
> [1] http://slacksite.com/other/ftp.html
>
> cu
> 59cobalt
> --
> "If a software developer ever believes a rootkit is a necessary part of
> their architecture they should go back and re-architect their solution."
> --Mark Russinovich

Re: Understanding TCP SYN ACK and discards

on 23.08.2007 18:46:11 by Dana

"Frank G" wrote in message
news:1187880650.171709.302210@r23g2000prd.googlegroups.com...
> I'm having a bit of a problem running an application through my firewall.
> I THOUGHT I had all of the correct ports open, but am still having
> difficulty.
> It's supposed to just be using FTP (p21)

You also need port 20. (FTP uses two ports)
For active FTP from the server side to the client you need
The FTP server will also need to talk to ports on the client >1023

Being you mention port 21, you may be running in passive mode, but you would
still need ports >1023 to be available.
> Can someone shed some light on the following?
> 69.157.73.126 - WAN IP
> 192.168.1.5 - LAN IP
> 226.232.132.19 - EX HOST IP
>
> discard from 192.168.1.5 port 1172 to 226.232.132.19 port 49371 TCP
> SYN ACK (default)
>
> discard from 226.232.132.19 port 49371 to 69.157.73.126 port 35526 TCP
> SYN
> (Sequence number not within expected range, possible attack )
>
> discard from 192.168.1.5 port 1172 to 226.232.132.19 port 49371 TCP
> SYN ACK (default)
>
> discard from 226.232.132.19 port 49371 to 69.157.73.126 port 35526 TCP
> SYN
> (Sequence number not within expected range, possible attack )
>
> discard from 192.168.1.5 port 1172 to 226.232.132.19 port 49371 TCP
> SYN ACK (default)
>
> Thanks!
>

Re: Understanding TCP SYN ACK and discards

on 23.08.2007 21:05:16 by Ansgar -59cobalt- Wiechers

Dana wrote:
> "Frank G" wrote:
>> I'm having a bit of a problem running an application through my firewall.
>> I THOUGHT I had all of the correct ports open, but am still having
>> difficulty.
>> It's supposed to just be using FTP (p21)
>
> You also need port 20. (FTP uses two ports)
> For active FTP from the server side to the client you need
> The FTP server will also need to talk to ports on the client >1023

All of the above is only true for active mode. In passive mode it's the
client initiating the data connection, and port 20/tcp is not involved
then. Instead the data connection is established from a port > 1023 on
the client to a port > 1023 on the server.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
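The two points made in this thread, that a firewall's FTP helper has to read the control channel (PORT command or 227 reply) to learn which data connection to expect, and that passive-mode data flows between two ports above 1023 with no 20/tcp involved, as an added example that is not part of the thread. The function names are hypothetical and the control-channel lines are constructed, reusing the addresses and ports from the discard log above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample control-channel lines (not taken from the thread): one active-mode
# PORT command sent by the client and one passive-mode 227 reply sent by the server.
SAMPLE_PORT = "PORT 192,168,1,5,4,148"                            # 4*256+148 = 1172
SAMPLE_PASV = "227 Entering Passive Mode (226,232,132,19,192,219)"  # 192*256+219 = 49371

_HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

@dataclass
class ExpectedData:
    opener: str               # "client" or "server": which side sends the data-connection SYN
    host: str                 # address the opener connects to
    port: int                 # port the opener connects to
    src_port: Optional[int]   # fixed source port (20 in active mode), None when ephemeral (>1023)

def expected_data_connection(line: str) -> ExpectedData:
    """Derive the data connection a firewall helper must permit from one control-channel line."""
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError("no host/port tuple in: " + line)
    host = ".".join(m.group(i) for i in range(1, 5))
    port = int(m.group(5)) * 256 + int(m.group(6))
    if line.upper().startswith("PORT "):
        # Active mode: the client announced where it listens; the server connects from 20/tcp.
        return ExpectedData("server", host, port, 20)
    if line.startswith("227 "):
        # Passive mode: the server announced where it listens; the client connects from a port >1023.
        return ExpectedData("client", host, port, None)
    raise ValueError("not a PORT command or 227 reply: " + line)

_LOG = re.compile(r"discard from (\S+) port (\d+) to (\S+) port (\d+) TCP (SYN ACK|SYN)")

def classify_discard(line: str) -> str:
    """Label a firewall discard line as FTP control, active-mode data (20/tcp), high-port data, or other."""
    m = _LOG.search(line)
    if not m:
        return "unparsed"
    sport, dport = int(m.group(2)), int(m.group(4))
    if 21 in (sport, dport):
        return "control"
    if 20 in (sport, dport):
        return "active-data"
    if sport > 1023 and dport > 1023:
        return "high-port-data"   # the pattern of the discards quoted in the thread
    return "other"
```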