service check on FW4.1

Status
Not open for further replies.

trashit

IS-IT--Management
Oct 9, 2000
2
US
I'm having a problem ftping; mainly, if the data port the client and server are using to connect is already registered to a service on the firewall, it fails. phoneboy.com has a solution for 4.0, which is to turn off the service checking. I've gotten this to work in the past on a 4.0 box, but I can't seem to get it working on my 4.1 box. Anyone have any suggestions?

ex log entry:

non-passive mode:

action service source destination prot rule s_port
"reject" "2095" "[server]" "[client]" "tcp" "0" "ftp"
reason: tried to open tcp service port, port: MPEG"

passive-mode:

action service source destination prot rule s_port
"reject" "ftp" "[client]" "[server]" "tcp" "0" "1561"
reason: tried to open tcp service port, port: pptp-tcp"

In the reason, it says "tried to open tcp service port" and then the service it wants to see there instead of ftp-data. Any idea how to tell it not to check what the port's supposed to be, or if this is even the best option?

Thanks,
moi
It's not external sites, it's internal. Here's the architecture of my network:

                        Internet
                           |
                           |
                   external interface
                           |
     --internal_interface0--Firewall--internal_interface1--
     |                     |                              |
     |                     |                              |
     Internal Network      |                    Internal Network
     (private1)            |                    (public1)
                           |
                           |
                           |
      --internal_interface2---------internal_interface3--
      |                                                 |
      |                                                 |
      Internal Network                  Internal Network
      (private2)                        (private3)


So, I've got an ftp server on the public1 network, which isn't allowed access back to any of the private networks, hence I have the clients on the private networks using passive mode. The problem is, whenever a connection is initiated to the server, as per the ftp protocol the client and server work out a number of data ports they're going to transfer on (usually TCP high ports above 1024). However, if any of the ports they negotiate are in the firewall's database as being assigned to other services, the firewall won't let it through because of rule 0. (The reasons for this are pretty straightforward; in theory, if the server allowed ftp-data to go through on other services' ports, then someone could port-spoof by making their packet look as if it's an ftp-data packet, when in actuality they just want to get access to whatever the high port is on the server). This occurs with anyone, internally or externally, connecting to the ftp server.

On the bright side, I did find a solution to this; create a service, called anything (I called it ftp-ports), and make the port >1024. (basically, identical to the service TCP HIGH PORTS). You don't actually have to use it in a rule, just create it. It seems to make the firewall bypass the check against the services table, and allows all transfers to pass in the range you specified provided they are ftp-data.

On the downside, I'm not sure I like this solution. The checks are there for a reason; bypassing doesn't seem Kosher to me.

Anyone have an opinion?

Sorry about the bad ASCII graphics; let me know if you have issues following the diagram.


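The mechanism the two posts above describe, modelled as an added example (this is not FireWall-1 code and not the poster's configuration): the firewall reads the data endpoint out of the PASV reply or PORT command, computes the negotiated port, and then applies the rule-0 style service check. The services table, the PASV reply and the 1025-65535 "ftp-ports" range are constructed sample data (1723/pptp-tcp is the real IANA assignment; the rest are placeholders). The second half shows what the workaround costs: with a high-port range service defined, the per-port check never fires, so a function is included to list which registered services that range would shadow, which is the audit a defender would want before accepting the bypass.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed services table (port -> service name). 1723/pptp-tcp is the real
# IANA assignment; the other entries are sample data for this illustration.
SERVICES: Dict[int, str] = {
    20: "ftp-data",
    21: "ftp",
    1723: "pptp-tcp",
    2049: "nfs",
}


@dataclass(frozen=True)
class RangeService:
    """A user-defined service spanning a port range, like TCP HIGH PORTS."""
    name: str
    low: int
    high: int

    def covers(self, port: int) -> bool:
        return self.low <= port <= self.high


# The workaround from the thread: a service identical to "TCP HIGH PORTS".
FTP_PORTS = RangeService("ftp-ports", 1025, 65535)

# h1,h2,h3,h4,p1,p2 as used by both the PASV reply (227 ...) and the PORT command.
_ADDR = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_endpoint(line: str) -> Optional[Tuple[str, int]]:
    """Extract (host, data_port) from a PASV reply or PORT command; None if malformed."""
    m = _ADDR.search(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):          # each field is one octet
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def check_ftp_data(port: int, services: Dict[int, str],
                   range_services: Sequence[RangeService] = ()) -> Decision:
    """Rule-0 style service check on a negotiated ftp-data port."""
    if port <= 1024:
        return Decision(False, f"data port {port} is not a high port")
    for rs in range_services:
        if rs.covers(port):
            # Behaviour the poster observed: once a user-defined service covers
            # the port, the per-port service check is bypassed entirely.
            return Decision(True, f"port {port} covered by service {rs.name}; check bypassed")
    owner = services.get(port)
    if owner is not None and owner != "ftp-data":
        # Same shape as the log lines quoted in the first post.
        return Decision(False, f"tried to open tcp service port, port: {owner}")
    return Decision(True, f"port {port} not registered to another service")


def shadowed_services(services: Dict[int, str], rs: RangeService) -> List[Tuple[int, str]]:
    """Registered services whose per-port check the range service would silence."""
    return sorted((p, n) for p, n in services.items() if rs.covers(p) and n != "ftp-data")


if __name__ == "__main__":
    # Constructed PASV reply: 6*256+25 = 1561, the s_port seen in the passive-mode log line.
    host, port = parse_endpoint("227 Entering Passive Mode (10,0,0,5,6,25).")
    print(host, port, check_ftp_data(port, SERVICES))
    # Constructed PORT command landing on pptp-tcp's port: rejected by the service check.
    _, port = parse_endpoint("PORT 10,0,1,7,6,187")
    print(port, check_ftp_data(port, SERVICES))
    # Same port with the ftp-ports workaround in place: the check no longer fires.
    print(port, check_ftp_data(port, SERVICES, [FTP_PORTS]))
    print("services shadowed by ftp-ports:", shadowed_services(SERVICES, FTP_PORTS))
```

Running it shows the negotiated port 1561 passing, 1723 being rejected with a "tried to open tcp service port" reason, and the same 1723 passing once the ftp-ports range exists; shadowed_services then lists pptp-tcp and nfs as the registered services the bypass leaves unchecked, which is the concrete version of the "bypassing doesn't seem kosher" concern.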
 