By default, FireWall-1 requires every FTP
control packet to end with a new-line character. Keep-alive packets do not
end with a new-line character and are therefore rejected, causing FTP data
traffic failures. For more information on the internal workings of the
FTP service, please refer to the Request For Comments (RFC) documents on
FTP:
RFC 959 - File Transfer Protocol (FTP)
RFC 2228 - FTP Security Extensions
The FTP service definition in FireWall-1
can be modified to allow keep-alive packets without new line characters.
To do this, it is necessary to modify the $FWDIR/lib/base.def file on the
Management station to turn off the new-line characters check.
PROCEDURE:
Open base.def using a text editor (do not use a word processor) and find
the line:
#define FTP_ENFORCE_NL
change this to:
// #define FTP_ENFORCE_NL
NOTE: commenting out this line disables an FTP Security check, and
therefore reduces the level of security provided by FireWall-1.
In FireWall-1 NG AI R54, an alternative check has been added to the
firewall kernel, triggered by the line:
#define FTP_CHECK_PACKET
If this line exists in the base.def file and is not commented out, it is
safe to comment out the "FTP_ENFORCE_NL" line without reducing the level
of security.
Post FP3
Alternately, FireWall-1 NG AI R54
has added a new FTP protocol type to the FTP service in the Advanced
Properties, called "ftp_basic". This protocol uses a reduced set of
security checks, but can be useful when experiencing connectivity issues
with FTP.
In the FTP service object > Advanced
Properties, change the FTP service protocol type to "ftp_basic" and install
the policy. The "ftp_basic" option does not enforce newline character
checking.
Using "ftp_basic" eliminates known connectivity problems with FTP
implementations that are not fully RFC compliant. This protocol type
enforces a reduced set of FTP security checks as opposed to those done by
the regular FTP protocol type.
"ftp_basic" DOES NOT perform the following checks implemented in the
standard FTP service object:
1) Every packet is terminated with a newline character, so the PORT
command cannot be split across packets. This protects against the FTP Bounce
attack.
2) Data connections to or from well-known ports are not allowed, to
prevent an FTP data connection from being used to access some other service.
3) Bidirectional traffic on the data connection is not allowed, as it can be
used improperly.
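The following is an added illustration, not Check Point code, of what the first two checks above decide for individual control-channel segments. It models the regular FTP service (strict=True: newline enforcement plus the well-known-port rule) beside "ftp_basic" (strict=False), and shows why a newline-less keep-alive segment fails only under the regular service. The sample segments are constructed; the third check (bidirectional data traffic) needs connection state and is not modelled.

```python
import re

WELL_KNOWN_MAX = 1023  # IANA well-known port range is 0-1023
# RFC 959 PORT syntax: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$", re.I)


def inspect_ftp_control(payload: bytes, strict: bool = True):
    """Return (accept, reason) for one FTP control-channel TCP segment.

    strict=True approximates the regular ftp service checks described in the
    article; strict=False approximates the reduced ftp_basic checks.
    This is a model of the stated behaviour, not the firewall's own logic.
    """
    if strict and not payload.endswith(b"\n"):
        # Rejects keep-alive segments and any PORT command split across packets.
        return False, "control segment not newline-terminated"
    m = PORT_RE.match(payload)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
            return False, "malformed PORT octet"
        port = p1 * 256 + p2
        if strict and port <= WELL_KNOWN_MAX:
            # Data connection would reach a well-known service port.
            return False, f"PORT targets well-known port {port}"
    return True, "ok"


# Constructed sample segments as a firewall would see them on the control channel.
SAMPLES = {
    "login": b"USER anonymous\r\n",
    "keepalive": b"\x00",                        # no newline terminator
    "port_high": b"PORT 192,168,1,10,4,1\r\n",  # port 1025
    "port_low": b"PORT 192,168,1,10,0,25\r\n",  # port 25
}

if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        print(name, "regular:", inspect_ftp_control(seg),
              "ftp_basic:", inspect_ftp_control(seg, strict=False))
```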