From owner-freebsd-chat Thu Nov 9 14:27:32 2000
Delivered-To: freebsd-chat@freebsd.org
Received: from implode.root.com (root.com [209.102.106.178])
	by hub.freebsd.org (Postfix) with ESMTP id 977E937B479
	for ; Thu, 9 Nov 2000 14:27:17 -0800 (PST)
Received: from implode.root.com (localhost [127.0.0.1])
	by implode.root.com (8.8.8/8.8.5) with ESMTP id OAA08474;
	Thu, 9 Nov 2000 14:25:28 -0800 (PST)
Message-Id: <200011092225.OAA08474@implode.root.com>
To: cjclark@alum.mit.edu
Cc: Dag-Erling Smorgrav, Terry Lambert, chat@FreeBSD.ORG
Subject: Re: ftp.freebsd.org b0rked?
In-reply-to: Your message of "Thu, 09 Nov 2000 10:41:10 PST." <20001109104110.A91691@149.211.6.64.reflexcom.com>
From: David Greenman
Reply-To: dg@root.com
Date: Thu, 09 Nov 2000 14:25:28 -0800
Sender: owner-freebsd-chat@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>On Tue, Oct 31, 2000 at 10:11:38AM +0100, Dag-Erling Smorgrav wrote:
>> Terry Lambert writes:
>> > I have seen this with particular firewalls (I think CheckPoint
>> > was one), where they attempt to do state tracking on FTP, and
>> > fail to be able to do that and do address rewriting at the same
>> > time.
>>
>> Not relevant. I'm using real IP addresses and the connection is
>> dropped immediately after the PASS command, no matter what password I
>> actually send. There is a FW1 upstream, but it's supposed to let all
>> traffic to and from my subnet through untouched.
>>
>> David - is there any way we can try to debug this? I guess the first
>> thing to try is if it's specific to dgftpd - do you have another site
>> that runs dgftpd I can test against?
>
>Better late than never? We had a problem with our FW-1 after an
>"upgrade." Here is a source that sums up the different approaches to
>the issue,
>
>  http://www.securityportal.com/topnews/weekly/checkpoint20000918.html
>
>Scroll down to the "Multiple Problems with FTP After Upgrading"
>section. HTH.

   I don't see how dg-ftpd is doing anything wrong.
It always replies with CRLF terminated lines on the command channel as
RFC-959 requires. ...so I don't think this is the cause. The problem appears
to be a real bug in the checkpoint firewall code.

-DG

David Greenman
Co-founder, The FreeBSD Project - http://www.freebsd.org
President, TeraSolutions, Inc. - http://www.terasolutions.com
Pave the road of life with opportunities.
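
One way to check the CRLF claim discussed in the message above from a packet capture, as an added example (not part of the original message and not dg-ftpd or Check Point code): a parser for server-to-client control-channel bytes that reports RFC 959 framing violations. The function name and the sample byte strings are constructed for illustration.

```python
import re

# RFC 959 reply line: three digits, then "-" (more lines follow) or " " (final line).
REPLY_LINE = re.compile(rb"^(\d{3})([ -])(.*)$")

# Constructed sample captures (not taken from any real server).
GOOD = b"220 ready\r\n331 Password required\r\n230-Welcome\r\n230 Logged in\r\n"
BAD = b"331 Password required\n230 Logged in\r\n"

def check_ftp_replies(stream: bytes):
    """Return (replies, problems) for server->client control-channel bytes.

    replies: list of (code, [text lines]); problems: list of (offset, text).
    """
    replies, problems = [], []
    pending = None          # (code, lines) of an unfinished multi-line reply
    pos = 0
    while pos < len(stream):
        nl = stream.find(b"\n", pos)
        if nl == -1:
            problems.append((pos, "unterminated final line"))
            break
        line = stream[pos:nl]
        if line.endswith(b"\r"):
            line = line[:-1]
        else:
            problems.append((pos, "line ends with bare LF, not CRLF"))
        if b"\r" in line:
            problems.append((pos, "bare CR inside line"))
        m = REPLY_LINE.match(line)
        if pending is None:
            if not m:
                problems.append((pos, "line does not start with a reply code"))
            elif m.group(2) == b"-":        # opens a multi-line reply
                pending = (int(m.group(1)), [m.group(3).decode("latin-1")])
            else:
                replies.append((int(m.group(1)), [m.group(3).decode("latin-1")]))
        elif m and m.group(2) == b" " and int(m.group(1)) == pending[0]:
            pending[1].append(m.group(3).decode("latin-1"))   # closing line
            replies.append(pending)
            pending = None
        else:
            pending[1].append(line.decode("latin-1"))         # continuation text
        pos = nl + 1
    if pending is not None:
        problems.append((len(stream), "multi-line reply never closed"))
    return replies, problems
```

Running it over the reassembled server side of the control connection from both sides of the firewall shows whether the server's framing or the middlebox is at fault.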