FireWall-1 FAQ: FTP on Non-Standard Ports
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
In VPN-1/FireWall-1 NG there's a new way to configure non-standard FTP. There is no need to apply changes to the base.def file anymore.
For example: suppose the FTP Server is configured to answer on Control Port 3000.
Proceed as follows:
1. Open the Services window (Manage-->Services).
2. Double-click on TCP Services.
3. Create a new TCP service. Call it, for example, "ftp-new".
4. In the "Port" field, configure it to 3000.
5. Go to the Advanced tab and set the protocol type to FTP.
6. Add a new rule with the "ftp-new" service as follows:
   Source: Any
   Destination: FTP Server (configured to Port=3000)
   Service: "ftp-new"
   Action: Accept
7. Install the Policy.
WarFTPd (and possibly others) have an option to not bind to port 20. For the TIS Toolkit FTP Proxy, install the current version (V2.1), then install the port 20 patch from http://www.fwtk.org/fwtk/patches/patches.html#2.9. Microsoft TechNet entry Q236001, which discusses an issue with Microsoft Proxy Server 2.0 and Microsoft IIS v4.0 FTP Server, also seems to address this issue.
If you know which port the FTP data connection runs on, you can use the following procedure to enable access. Assume that a server with IP address S runs an FTP server on port C ("Control Port") and uses port D ("Data Port") for the data connection (note that D is usually C - 1).
If the data port is random, you may be able to make this work by using 0 for the data port in the procedure below. You may only be able to use these sites via a passive-mode FTP client.
- Create a service of type other. Name it whatever you like; the match field should contain "tcp, dport=C". (Note that this means the service cannot run in FASTMODE.)
- Add a rule permitting port C to server S.
- Modify the macros "ftp_accept_port", "ftp_accept_port_enc", and "ftp_accept_port_clear" in $FWDIR/lib/base.def on the management console so that they will watch for FTP PORT commands on the different port from that specific server.
The ftp_accept_port_enc and ftp_accept_port_clear macros have two lines that look like this. For clarity, the "other stuff" after the semicolon in this line and before the ">" is represented by "..." and does not need to be changed from its original values.

    record <src,port,dst,20,ip_p; ... > in connections, \
    FTP_TRACK_DATA_CONN (port, 20, TCP_TIMEOUT)

You will need to add a check for a connection to server S so that FireWall-1 can allow the connection to port D (the data port). To do this, change the lines so they read:

    set sr10 D, dst = S or set sr10 20, \
    record <src,port,dst,sr10,ip_p; ... > in connections, \
    FTP_TRACK_DATA_CONN (port, sr10, TCP_TIMEOUT)

(The ... corresponds to the stuff in the original statement, which should remain unchanged). In the ftp_accept_port macro, replace "dport = SERV_FTP" with "dport = SERV_FTP or dport = C".
- Install the security policy.
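The following Python model is an added illustration of what the modified macros track. It is not INSPECT code and not Check Point's implementation. It watches PORT commands on control ports 21 and C, and records the expected data connection with source port D for server S and 20 otherwise. The values of S, C and D and the client address are constructed, and the check that the PORT address equals the control connection's source is this model's own assumption.

```python
import re

# Constructed sample values (assumptions, not from the page).
S, C, D = "192.0.2.10", 3000, 2999       # server S, control port C, data port D
FTP_CONTROL_PORTS = {21, C}              # "dport = SERV_FTP or dport = C"

PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$",
    re.I)

def parse_port(line):
    """Return (ip, port) from an FTP PORT command line, or None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    # PORT h1,h2,h3,h4,p1,p2 means address h1.h2.h3.h4, port p1*256 + p2
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def track_port_command(src, dst, dport, line):
    """Model of the edited macro: return the expected data-connection entry."""
    if dport not in FTP_CONTROL_PORTS:
        return None                      # not a control connection being watched
    parsed = parse_port(line)
    if parsed is None:
        return None
    ip, port = parsed
    if ip != src:                        # model assumption: entry is keyed on src
        return None
    sr10 = D if dst == S else 20         # "set sr10 D, dst = S or set sr10 20"
    return (src, port, dst, sr10, "tcp") # <src,port,dst,sr10,ip_p>

def data_conn_allowed(table, client, cport, server, sport):
    """True if a server-to-client data connection matches a recorded entry."""
    return (client, cport, server, sport, "tcp") in table

if __name__ == "__main__":
    client = "198.51.100.7"              # constructed client address
    entry = track_port_command(client, S, C, b"PORT 198,51,100,7,19,137\r\n")
    print("recorded:", entry)
    print("from S:D  ->", data_conn_allowed([entry], client, 5001, S, D))
    print("from S:20 ->", data_conn_allowed([entry], client, 5001, S, 20))
```

The last two lines show why the unmodified macro fails for this server: with the source port hard-coded to 20, the entry never matches a data connection that actually originates from port D.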
The same notes apply for FireWall-1 3.x as do for 4.x.
- Define a simple TCP service for port C.
- Create a rule to permit access to server S on port C.
Modify $FWDIR/lib/base.def on the management console. Look for:
dport = SERV_ftp or sport = SERV_ftp
There should be three macros where this shows up:

    ftp_accept_port
    ftp_record_pasv
    ftp_record_pasv1

Replace [sd]port = SERV_ftp as appropriate with:
(dport = SERV_ftp or dport = C) or (sport = SERV_ftp or sport = C)
- Re-install your security policy.