FireWall-1 FAQ: FTP and Newlines
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
Some FTP implementations send a PORT command in one packet and the newline character in another. By default, VPN-1/FireWall-1 assumes the PORT command and the newline will appear in the same packet. To enable checking for this, edit $FWDIR/lib/base.def on the management console as follows and reinstall the security policy.
1) (Previous versions of the base.def file indicated that this step was necessary) Comment out the first #define FTPPORT statement, i.e. change
#define FTPPORT(match) (call KFUNC_FTPPORT <0x1|(match)>)
to
// #define FTPPORT(match) (call KFUNC_FTPPORT <0x1|(match)>)
2) Uncomment the second #define FTPPORT statement, i.e., change
// Use this if you do not want the FW-1 module to insist on a
// newline at the end of the PORT command:
// #define FTPPORT(match) (call KFUNC_FTPPORT <(match)>)
to
// Use this if you do not want the FW-1 module to insist on a
// newline at the end of the PORT command:
#define FTPPORT(match) (call KFUNC_FTPPORT <(match)>)
Some other sites do not send out a proper newline at all. To resolve this, comment out the following line in $FWDIR/lib/base.def on the management console (i.e., add // at the beginning of the line) and reinstall the policy.
#define FTP_ENFORCE_NL
