Subject: Re: ftp.netbsd.org via CheckPoint FW-1
To: John D Smerdon <jds@smerdon.livonia.mi.us>
From: Steven M. Bellovin <smb@research.att.com>
List: netbsd-users
Date: 12/23/2002 14:10:46
In message <200212231849.gBNInJU05202@pm73a.smerdon.livonia.mi.us>, John D Smerdon writes:
>When trying to use Mozilla 1.2.1 or MS IE 5.5 to browse
>ftp://ftp.netbsd.org/ I get error messages like "document contains
>no data" or "Cannot find server or DNS error".
>
>A packet trace on the Internet side of the firewall shows the
>"230-\r\n" response packet is sent along with the rest of the ftp
>banner.
>
>A packet trace shows a TCP reset from the Check Point FW-1 NG FP2
>firewall to the client after the "230-" response packet.
>
>Are there any known issues with Check Point firewalls not working
>with the NetBSD FTP server?
>
>Is a "230-\r\n" a valid response or does the ftp response packet
>need a "230 and some text\r\n"?
>
>Outside packet trace:
>
>204.152.184.75 -> 1.1.1.254 FTP R port=10207 220 ftp.netbsd.org F
>1.1.1.254 -> 204.152.184.75 FTP C port=10207 USER anonymous\r\n
>204.152.184.75 -> 1.1.1.254 FTP R port=10207 331 Guest login ok,
>1.1.1.254 -> 204.152.184.75 FTP C port=10207 PASS mozilla@example
>204.152.184.75 -> 1.1.1.254 FTP R port=10207 230-\r\n
>204.152.184.75 -> 1.1.1.254 FTP R port=10207     The NetBSD Proje
>
>Inside packet trace:
>
>204.152.184.75 -> 1.1.1.254 FTP Response: 220 ftp.netbsd.org F
>1.1.1.254 -> 204.152.184.75 FTP Request: USER anonymous
>204.152.184.75 -> 1.1.1.254 FTP Response: 331 Guest login ok,
>1.1.1.254 -> 204.152.184.75 FTP Request: PASS mozilla@example
>204.152.184.75 -> 1.1.1.254 FTP Response: 230-
>1.1.1.254 -> 204.152.184.75 TCP 1793 > 21 [ACK] 
>204.152.184.75 -> 1.1.1.254 TCP 21 > 1793 [RST] 
>
>-- 
>John D. Smerdon                      jds at smerdon.livonia.mi.us
>Livonia, Michigan, US
>

This should be a FAQ:

Try commenting out the following line in

        $FWDIR/lib/base.def and reinstall the policy:

        #define FTP_ENFORCE_NL


		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)
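
The distinction the question turns on, as an added example that is not part of the original thread: FTP replies are lines in a byte stream, so a multi-line reply opening with "230-" can be cut anywhere by TCP segmentation. The per-packet newline rule is an assumption about what FTP_ENFORCE_NL checks, and the payloads and function names are constructed for illustration.

```python
import re

# Constructed payloads modeled on the post's trace (not captured data).
SEGMENTS = [
    b"220 ftp.example.org FTP server ready.\r\n",
    b"331 Guest login ok, type your name as password.\r\n",
    b"230-\r\n",
    b"    The Example Proj",              # segment ends mid-line
    b"ect\r\n230 Guest login ok.\r\n",
]

def segments_failing_newline_check(segments):
    """Indexes of segments that a per-packet 'must end in newline' rule
    (assumed behaviour of FTP_ENFORCE_NL) would reject."""
    return [i for i, seg in enumerate(segments) if not seg.endswith(b"\n")]

def parse_replies(stream):
    """Parse a reassembled control stream into (code, lines) replies.
    RFC 959: a reply starting 'ddd-' is multi-line and ends at the first line
    starting with the same code and a space. Empty text after the hyphen is
    accepted here, as Python's ftplib also does.
    """
    parts = stream.split(b"\r\n")
    if parts.pop():                        # bytes left after the last CRLF
        raise ValueError("stream ends mid-line")
    replies, code, lines = [], None, []
    for raw in parts:
        line = raw.decode("ascii", "replace")
        if code is None:                   # expecting the start of a reply
            m = re.match(r"(\d{3})([ -]|$)", line)
            if not m:
                raise ValueError(f"not a reply line: {line!r}")
            code, lines = m.group(1), [line[4:]]
            if m.group(2) != "-":          # single-line reply
                replies.append((code, lines))
                code = None
        elif line == code or line.startswith(code + " "):
            lines.append(line[4:])         # last line of a multi-line reply
            replies.append((code, lines))
            code = None
        else:
            lines.append(line)             # continuation text
    if code is not None:
        raise ValueError(f"unterminated multi-line reply {code}")
    return replies

if __name__ == "__main__":
    print(segments_failing_newline_check(SEGMENTS))
    print(parse_replies(b"".join(SEGMENTS)))
```

Only the segment cut mid-line fails the per-packet rule, while the reassembled stream parses as three well-formed replies.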