Subject: Re: IPF, IPNAT, and FTP data connections
To: henry nelson <netb@irm.nara.kindai.ac.jp>
From: Steven M. Bellovin <smb@research.att.com>
List: netbsd-users
Date: 10/01/2001 20:51:38
In message <20011002092533.A5967@irm.nara.kindai.ac.jp>, henry nelson writes:
>> > >I've come to the conclusion that it is the server's setup that is causing
>> > >this problem. If you are connected with
>> > > "ftp.netbsd.org FTP server (NetBSD-ftpd 20010417) ready."
>> > >or a like server (most netbsd repositories), it always fails in this manner.
>[...]
>> > I missed the original post, but it sounds like the old clash between
>> > (some) Checkpoint firewalls and NetBSD's ftpd. Is the client behind a
>> > Checkpoint firewall?
>
>Although it is not possible for me to validate this with 100% certainty,
>as far as I was able to determine all my clients are behind a "CheckPoint
>FireWall-1 VPN-1."
>
>Is there anything that can be done? Since the firewall is out of my
>jurisdiction, my hands are tied. Unfortunately our "sysadmin" is just
>another employee, overworked and underpaid, and with no expertise other
>than being self-taught (highly commendable). The firewall servers
>were set up by the people who sold the machines, and it is well nigh
>impossible to have them send some support personnel.
>
>This ftp server/firewall conflict has seriously crimped my ability to
>update the NetBSD binaries. I am down to _one_ mirror which does not use
>the NetBSD ftp server. When they switch over, I will be forced to give
>up on NetBSD. I do not lie when I say I am VERY sad.
>
>> The clients are running command line Microshaft FTP behind a NetBSD
>> firewall using standard IPNAT and IPF filters.
>
>Totally false. I use the ftp clients bundled with NetBSD1.4.3 and 1.5.1,
>and with Solaris2.6. I also use WSFTP by IPSWITCH, which, BTW, I can highly
>recommend on the basis that their support team and programmers really care
>about producing a superior product that follows the specs.
>
>--
>henry nelson
>
OK -- here's the advice from the firewall administrator here:
Ok, if they are running Checkpoint FW-1, try commenting out the following line in
$FWDIR/lib/base.def and reinstall the policy:
#define FTP_ENFORCE_NL
Unfortunately, I don't recall what behavior in ftpd this is intended to
cope with...
--Steve Bellovin, http://www.research.att.com/~smb
http://www.wilyhacker.com