Jveas
Explorer

Why is Passive FTP not working

I've been having trouble establishing a passive FTP connection with a host that resides on a public IP.

The connection itself works, but when I try to transfer or list a file I keep receiving a reject from the firewall indicating error (227).

I've followed the instructions in the SK on this error (227), which is https://support.checkpoint.com/results/sk/sk171375

Remove all FTP services from the rule and use only ftp service. If you want only to use Passive mode FTP, use only ftp-pasv service in the rule. (In addition, this applies if you do not use multiple services with the same port in the same rule.)


Despite the rule being matched, it still gets rejected as soon as an ls command is issued on the session. High TCP ports are also allowed.

Keep receiving the same message (227).

I understand that it gets rejected because the client is sending a PORT command when working in passive mode, but my Linux is configured to work in passive mode and it works OK with other hosts... Also, the connection from a network outside of the scope of the firewall also works.

I don't quite understand why the host tries to send a PORT command, even when the firewall detects it is a passive FTP connection, as it gets matched with rule 6.

Why does this happen?

0 Kudos
2 Replies
the_rock
Legend

Can you do zdebug to see if it gives a specific reason for the drop?

Andy

0 Kudos
PhoneBoy
Admin

The reject message specifies the exact reason: because a PORT command is received when PASV mode is expected based on the fact you’re only allowing Passive mode via the Access Policy.
The service matched ftp-pasv because that’s what you have in your policy.
It uses the same port as regular FTP, just with different enforcement logic, namely PORT commands are not allowed with PASV.

This is expected behavior.

0 Kudos
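
To confirm from the client side which data-channel command is really being sent, a control-channel transcript can be audited for PORT commands and 227 replies. This is an added example, not part of the thread and not Check Point code; the "C:"/"S:" transcript format, the function names and the sample addresses are assumptions constructed for illustration.

```python
import re

# Constructed sample of an FTP control-channel capture ("C:" client, "S:" server).
# Addresses are from documentation ranges; this is not output from the thread.
SAMPLE = """\
C: USER demo
S: 331 Password required
C: PASV
S: 227 Entering Passive Mode (203,0,113,10,195,80)
C: LIST
S: 150 Opening data connection
C: PORT 192,0,2,25,200,13
S: 200 PORT command successful
C: LIST
"""

HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_hostport(text):
    """Decode RFC 959 h1,h2,h3,h4,p1,p2 into (ip, port); port = p1*256 + p2."""
    m = HOSTPORT.search(text)
    if not m:
        return (None, None)
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        return (None, None)
    return (".".join(map(str, n[:4])), n[4] * 256 + n[5])

def audit(transcript):
    """List ('passive', ip, port) for 227 replies and ('active', ip, port) for PORT."""
    events = []
    for line in transcript.splitlines():
        side, _, msg = line.partition(": ")
        msg = msg.strip()
        if side == "S" and msg.startswith("227"):
            events.append(("passive",) + decode_hostport(msg))
        elif side == "C" and msg.upper().startswith("PORT "):
            events.append(("active",) + decode_hostport(msg))
    return events

def violates_pasv_only(transcript):
    """True if the client sent any PORT command, which a passive-only rule rejects."""
    return any(kind == "active" for kind, _, _ in audit(transcript))

if __name__ == "__main__":
    for event in audit(SAMPLE):
        print(event)
    print("PORT seen:", violates_pasv_only(SAMPLE))
```
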
