Troubleshooting guide

Chapter 7 Troubleshooting Security Servers and Content Security
The FTP security server
Advanced Technical Reference Guide 4.1, June 2000
FTP Security Server
In this section
This section describes the permitted FTP security server commands, and how to solve common problems.
"The FTP security server"
"Resolving Common FTP security server problems"
The FTP security server
The FireWall-1 FTP security server is optimized for security. Several FTP commands that could present risks
are therefore not implemented:
SOCK commands – commands that allow the user to open sockets (tunneling).
SITE commands – commands that allow the user to send special commands to the FTP server by using the
site resources.
MAIL commands – commands that allow the user to send and use e-mail through FTP.
In addition to these security enhancements, the FTP Security Server provides protection from port spoofing by
not allowing the opening of ports to an IP address that is different from the one used to connect.
Although it is not recommended, it is possible to allow all of the commands listed above, which
FireWall-1 prohibits by default.
To allow those commands, create a file called aftpd.conf in the $FWDIR/conf directory and edit the
following lines:
Optimist allows the passage of unlisted commands.
sock_cmd allows SOCK commands to be issued.
port_spoof allows opening ports to different IPs.
site_cmd allows SITE commands to be issued.
mail_cmd allows mail operations to be used.
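
The port-spoofing protection described in this section, sketched as an added Python example (not Check Point code and not taken from the guide): it parses the argument of an FTP PORT command in the RFC 959 form h1,h2,h3,h4,p1,p2 and refuses a data address that differs from the address of the control connection. The function names and the sample addresses are constructed for illustration.

```python
import ipaddress

def parse_port_argument(arg):
    """Parse an RFC 959 PORT argument 'h1,h2,h3,h4,p1,p2' into (IPv4Address, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT argument must have six comma-separated fields")
    values = []
    for field in fields:
        # Accept plain ASCII decimal only: no signs, spaces or empty fields.
        if not (field.isascii() and field.isdigit()) or len(field) > 3 or int(field) > 255:
            raise ValueError(f"invalid field {field!r} in PORT argument")
        values.append(int(field))
    addr = ipaddress.IPv4Address(bytes(values[:4]))
    port = values[4] * 256 + values[5]
    return addr, port

def check_port_command(line, control_peer_ip):
    """Return (allowed, reason) for one client command seen on the control channel."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        return True, "not a PORT command"
    try:
        addr, port = parse_port_argument(arg)
    except ValueError as exc:
        return False, f"malformed PORT: {exc}"
    # The data connection may only go back to the host that opened the control connection.
    if addr != ipaddress.IPv4Address(control_peer_ip):
        return False, f"PORT names {addr}, control connection is from {control_peer_ip}"
    return True, f"data connection to {addr}:{port}"

if __name__ == "__main__":
    client = "192.0.2.10"  # constructed sample: source address of the control connection
    samples = [            # constructed sample commands
        "PORT 192,0,2,10,19,137",  # same host, port 5001
        "PORT 198,51,100,7,0,25",  # a different host
        "PORT 192,0,2,10,19",      # too few fields
        "LIST",
    ]
    for cmd in samples:
        allowed, reason = check_port_command(cmd, client)
        print(f"{cmd!r:28} {'ALLOW' if allowed else 'DENY '} {reason}")
```
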
Resolving Common FTP security server problems
This section lists some common problems and solutions from the Check Point Technical Services
SecureKnowledge knowledge base (http://support.checkpoint.com/kb/index.html).
FTP data connections are dropped by the FireWall
Problem Description
FTP data connections are dropped by the FireWall
Error received in the info field of the log viewer
Error: 'reason: tried to open tcp service port, port: <service name>'
FTP data connections are rejected on Rule 0
Fix
There are several things you can do to alleviate this.