[FW1] Reverse socket proxying... (wait for it) FTP thru FW1
Greetings,

I'm sure someone out there in list-land is doing this, so here goes. I'm stuck with the problem of how to securely allow FTP transfers from the Internet to an NT FTP server on the internal network. Putting the FTP server in a DMZ isn't really an option since, due to other requirements, full NetBIOS functionality also needs to be used to the FTP server (yes, that old chestnut again).

The suggested solution was to use Microsoft Proxy v2 to reverse proxy the FTP connections to the internal FTP server via a DMZ-located proxy server. The problem is that while CMD connections from the proxy to the internal FTP server work fine (the FTP server sees the IP of the proxy, as you'd expect), the DATA connections appear to still have the external IP of the client in them, and so the firewall is rejecting the connections on rule 0 (Tried to open other host) - this is normal functionality to prevent FTP port bouncing. Of course, the reason for this is that the proxy software isn't replacing the client's IP address in the normal PORT command with the proxy's IP. Interestingly, the firewall appears not only to recognise the "port bounce", but it reacts by killing the already allowed CMD connection as a result.

Surely someone out there must have some method of reverse proxying FTP connections - or is there another way of doing this? To reiterate:

1) The FTP server cannot sit on a DMZ because I *REFUSE* to allow NetBIOS through my firewalls in any way, shape or form, for well-known and lamented reasons.
2) FTP has to be used (as opposed to nice clean transfer utils like Connect Direct et al.) because the requirement is that the customer cannot use any third-party or non-standard software.
3) We've tried active FTP and passive FTP, but neither appears to work for some reason.
I had hedged my bets on passive, since the data connection is initiated by the client so there's no reverse connection from the FTP server; however, the proxy software doesn't appear to make any attempt to change the Internet address in the PORT command to that of the proxy, so the firewall burps loudly and rejects the connection.

Any experiences or solutions to this particular problem would be greatly appreciated.

Cheers,
FirewallyGuy.
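Editor's added illustration, not part of the original post and not code from Check Point, Microsoft Proxy or any other product mentioned above. The failure the poster describes is the behaviour of an FTP reverse proxy that relays the control channel byte-for-byte: the client's PORT command still names the client's own address, so the firewall between the DMZ and the internal network sees a control connection from the proxy that asks the server to open a data connection to some other host, which is exactly the pattern an anti-bounce check rejects. Fixing it needs an application-layer gateway that rewrites the address in PORT (active mode) to a listener on the proxy, and likewise rewrites the server's 227 reply (passive mode), which names the internal server's address that an Internet client cannot reach. The Python below does both rewrites and emulates the single anti-bounce check the post describes (address in PORT must equal the control connection's source). All addresses (203.0.113.10 client, 192.0.2.5 proxy, 10.0.0.20 server), the data ports, and the sample control-channel lines are constructed for the walk-through; a real proxy with separate inside and outside addresses would use the inside address in PORT and the outside address in 227.

```python
import re

# Constructed addresses for the walk-through (not from the post):
#   203.0.113.10  Internet client
#   192.0.2.5     reverse proxy in the DMZ (single address assumed)
#   10.0.0.20     internal NT FTP server
CLIENT_IP = "203.0.113.10"
PROXY_IP = "192.0.2.5"
SERVER_IP = "10.0.0.20"

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_hostport(field):
    """Decode the RFC 959 h1,h2,h3,h4,p1,p2 field into (ip, port)."""
    parts = [int(p) for p in field.split(",")]
    if len(parts) != 6 or any(p > 255 for p in parts):
        raise ValueError("malformed host-port field: %r" % field)
    ip = ".".join(str(p) for p in parts[:4])
    return ip, parts[4] * 256 + parts[5]


def format_hostport(ip, port):
    """Encode (ip, port) back into h1,h2,h3,h4,p1,p2."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def bounce_check(control_src_ip, command_line):
    """Emulate the anti-bounce rule the post describes: the address carried in
    PORT must be the source address of the control connection. Returns True if
    the firewall would pass the command, False if it would reject it."""
    m = PORT_RE.match(command_line)
    if not m:
        return True  # not a PORT command; nothing to compare
    ip, _port = parse_hostport(m.group(1))
    return ip == control_src_ip


def rewrite_port(command_line, proxy_ip, proxy_data_port):
    """Active mode: replace the client's address in PORT with a listener the
    proxy opens on its own address. Returns (forwarded_line, client_endpoint);
    client_endpoint is where the proxy must relay the server's data connection."""
    m = PORT_RE.match(command_line)
    if not m:
        return command_line, None
    client_ep = parse_hostport(m.group(1))
    return "PORT " + format_hostport(proxy_ip, proxy_data_port), client_ep


def rewrite_pasv_reply(reply_line, proxy_ip, proxy_data_port):
    """Passive mode: replace the internal server's address in the 227 reply
    with a listener on the proxy. Returns (forwarded_line, server_endpoint)."""
    m = PASV_RE.match(reply_line)
    if not m:
        return reply_line, None
    server_ep = parse_hostport(m.group(1))
    new_reply = "227 Entering Passive Mode (%s)" % format_hostport(proxy_ip, proxy_data_port)
    return new_reply, server_ep


def walk_through():
    """Replay the failure in the post, then the corrected behaviour. Returns the
    intermediate values so they can be inspected or asserted on."""
    client_port_cmd = "PORT " + format_hostport(CLIENT_IP, 1025)
    # 1. Proxy forwards PORT unchanged: the inner firewall sees a control
    #    connection from PROXY_IP carrying CLIENT_IP -> "Tried to open other host".
    naive_ok = bounce_check(PROXY_IP, client_port_cmd)
    # 2. Proxy rewrites PORT to itself: the two addresses now agree.
    fixed_cmd, client_ep = rewrite_port(client_port_cmd, PROXY_IP, 40001)
    fixed_ok = bounce_check(PROXY_IP, fixed_cmd)
    # 3. Passive direction: the server's 227 names 10.0.0.20, unreachable from
    #    the Internet, so the proxy must rewrite that reply as well.
    server_reply = "227 Entering Passive Mode (%s)." % format_hostport(SERVER_IP, 51210)
    fixed_reply, server_ep = rewrite_pasv_reply(server_reply, PROXY_IP, 40002)
    return {
        "naive_cmd": client_port_cmd, "naive_ok": naive_ok,
        "fixed_cmd": fixed_cmd, "fixed_ok": fixed_ok, "client_ep": client_ep,
        "fixed_reply": fixed_reply, "server_ep": server_ep,
    }


if __name__ == "__main__":
    for key, value in walk_through().items():
        print("%-12s %s" % (key, value))
```

The rewrite is only half of the job: for each rewritten PORT or 227 the proxy must actually listen on the advertised port and splice the resulting data connection to the endpoint returned alongside the line, and it must do so per session, since the port numbers are single-use. The emulated check is deliberately the one check the post names; a production firewall's FTP inspection will apply more.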