Date:      Fri, 10 Nov 2000 17:09:19 +0000 (GMT)
From:      Terry Lambert <tlambert@primenet.com>
To:        dg@root.com
Cc:        cjclark@alum.mit.edu, des@ofug.org (Dag-Erling Smorgrav), tlambert@primenet.com (Terry Lambert), chat@FreeBSD.ORG
Subject:   Re: ftp.freebsd.org b0rked?
Message-ID:  <200011101709.KAA21198@usr08.primenet.com>
In-Reply-To: <200011092225.OAA08474@implode.root.com> from "David Greenman" at Nov 09, 2000 02:25:28 PM

> >Better late than never? We had a problem with our FW-1 after an
> >"upgrade." Here is a source that sums up the different approaches to
> >the issue,
> >
> >  http://www.securityportal.com/topnews/weekly/checkpoint20000918.html
> >
> >Scroll down to the "Multiple Problems with FTP After Upgrading"
> >section. HTH.
> 
>    I don't see how dg-ftpd is doing anything wrong. It always replies with
> CRLF terminated lines on the command channel as RFC-959 requires. ...so I
> don't think this is the cause.
>    The problem appears to be a real bug in the checkpoint firewall code.

I can guarantee you that there is a real bug in the session
state tracking on these things, in at least one revision of
their code.  IBM "Home Page Creator", the IBM web site hosting
services, were behind a firewall with the bug, at one point.


My suggestion would be to do the following:

1)	hack a copy of the ftpd up to put out three digit
	tuples in all cases; if the address is "192.168.11.3",
	have it use "192.168.011.003" on the wire.

2)	Put the modified ftpd up at a different port, so it
	doesn't interfere with active users, during the
	experiment.

3)	Have the people having problems use ncftp to try and
	FTP from the modified daemon.  The reason for ncftp
	is the ability to specify a port using the "-p"
	command line argument (regular FTP can't do this, for
	some dumb reason).

Now that I _know_ there is one of these firewall boxes upstream,
it seems to me that there is no doubt but that this is the state
tracking bug for these boxes.

I think the only options are to run with the modified FTP after
that, or get rid of the firewalls, and replace them with something
else, since the last I had heard, there was no software fix for
them.  You might want to check with Evan Oldford to see if this
has changed; if you buy him lunch, he might find it worth his time
to track this down (it would take some work on his part to do it,
but he has all the necessary contacts into the IBM HPC folks).


					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
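Step 1 of the experiment above, worked through as an added example (this is illustrative code written for this page, not FreeBSD's ftpd and not anything from the thread). It assumes the padding applies to the six-element tuple in the PASV "227 Entering Passive Mode" reply, which RFC 959 writes as comma-separated decimal byte values, so 192.168.11.3 on port 1234 appears as (192,168,011,003,004,210) once padded. The parser beside it does what a client, or a firewall tracking the control channel, is supposed to do: decode any decimal digit string per element, so the padded and plain forms yield the same address and port, and reject replies that lack the CRLF terminator RFC 959 requires. The address and port are constructed test data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example address from the mail: 192.168.11.3 (constructed test data). */
static const uint8_t example_addr[4] = { 192, 168, 11, 3 };

/*
 * Format the RFC 959 "227 Entering Passive Mode" reply.  With pad != 0 every
 * tuple element is written as a zero-padded three-digit field (the proposed
 * experiment); with pad == 0 it is the plain decimal form ftpd normally
 * emits.  Either way the line ends in CRLF as RFC 959 requires.
 * Returns the length written, or 0 if the buffer is too small.
 */
size_t pasv_reply(char *buf, size_t len, const uint8_t addr[4],
                  uint16_t port, int pad)
{
    const char *fmt = pad
        ? "227 Entering Passive Mode (%03u,%03u,%03u,%03u,%03u,%03u)\r\n"
        : "227 Entering Passive Mode (%u,%u,%u,%u,%u,%u)\r\n";
    int n = snprintf(buf, len, fmt,
                     (unsigned)addr[0], (unsigned)addr[1],
                     (unsigned)addr[2], (unsigned)addr[3],
                     (unsigned)(port >> 8), (unsigned)(port & 0xff));
    if (n < 0 || (size_t)n >= len)
        return 0;
    return (size_t)n;
}

/*
 * Parse a 227 reply the way a client (or a firewall tracking the control
 * channel) should: accept any decimal digit string per element, so padded
 * and unpadded forms decode identically, reject elements outside 0..255,
 * and require CRLF termination.  Returns 0 on success, -1 if malformed.
 */
int pasv_parse(const char *reply, uint8_t addr[4], uint16_t *port)
{
    unsigned v[6];
    size_t n = strlen(reply);
    const char *open;

    if (strncmp(reply, "227", 3) != 0)
        return -1;
    if (n < 2 || reply[n - 2] != '\r' || reply[n - 1] != '\n')
        return -1;
    open = strchr(reply, '(');
    if (open == NULL)
        return -1;
    /* %u parses base 10, so "011" is eleven, not octal nine. */
    if (sscanf(open, "(%u,%u,%u,%u,%u,%u)",
               &v[0], &v[1], &v[2], &v[3], &v[4], &v[5]) != 6)
        return -1;
    for (int i = 0; i < 6; i++)
        if (v[i] > 255)
            return -1;
    for (int i = 0; i < 4; i++)
        addr[i] = (uint8_t)v[i];
    *port = (uint16_t)((v[4] << 8) | v[5]);
    return 0;
}

/* Returns 1 if formatting addr:port (padded or not) yields exactly expect. */
int pasv_reply_equals(const uint8_t addr[4], uint16_t port, int pad,
                      const char *expect)
{
    char buf[80];
    return pasv_reply(buf, sizeof buf, addr, port, pad) > 0 &&
           strcmp(buf, expect) == 0;
}

/* Returns the data port from a 227 reply, or -1 if the reply is rejected. */
int pasv_parse_port(const char *reply)
{
    uint8_t addr[4];
    uint16_t port;
    if (pasv_parse(reply, addr, &port) != 0)
        return -1;
    return (int)port;
}

int main(void)
{
    char buf[80];
    pasv_reply(buf, sizeof buf, example_addr, 1234, 0);
    printf("plain : %s", buf);
    pasv_reply(buf, sizeof buf, example_addr, 1234, 1);
    printf("padded: %s", buf);
    printf("both decode to port %d\n", pasv_parse_port(buf));
    return 0;
}
```

Running the modified daemon on a second port and pointing ncftp at it with -p, as steps 2 and 3 describe, is purely operational, so nothing is shown for them here; the thing to compare is whether a client behind the suspect firewall can open a data connection after the padded reply where it could not after the plain one, since both lines are equally valid RFC 959 replies.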


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-chat" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200011101709.KAA21198>