Home » Kerio User Forums » Kerio Control » can't support FXP?
  •  
coolwd

Kerio WinRoute Firewall can't support FXP?

I set a new rule, allow from any to any, service any,
and activated it, but it still can't support FXP until I
stop KWF.

Can anyone help me?

  •  
Mahmoud

coolwd wrote on Mon, 16 February 2004 03:58

Kerio WinRoute Firewall can't support FXP?

I set a new rule, allow from any to any, service any,
and activated it, but it still can't support FXP until I
stop KWF.

Can anyone help me?



Did you make the NAT settings for this rule?
But by the way, this is a very insecure rule. It means no firewall.

[Updated on: Mon, 16 February 2004 03:37]

  •  
coolwd

I am only testing.
I allow from any to any, any service, equal to no firewall,
but it can't support FXP.
When I stop KWF, it supports FXP!!!
I don't know why.
  •  
Mahmoud

coolwd wrote on Mon, 16 February 2004 04:42

I am only testing.
I allow from any to any, any service, equal to no firewall,
but it can't support FXP.
When I stop KWF, it supports FXP!!!
I don't know why.


You did not answer the first question: did you do the NAT for this rule?

You should NAT the source to the internet interface IP;
that's for outgoing.
  •  
coolwd

That's not a question of NAT,
because it's a single machine.
Source "any" destination "any" is not NAT.
I just use it as a firewall.
  •  
coolwd

Got it!
I think it's a bug in the service settings.
Don't use service definitions.
For example,
if I use port 21 for FTP, then I delete the FTP
definition of port 21 in service definitions,
and in traffic policy I allow TCP/21 connections.
Then it's OK.
  •  
Pavel Dobry (Kerio)

coolwd wrote on Mon, 16 February 2004 07:40

Got it!
I think it's a bug in the service settings.
Don't use service definitions.
For example,
if I use port 21 for FTP, then I delete the FTP
definition of port 21 in service definitions,
and in traffic policy I allow TCP/21 connections.
Then it's OK.


Missed!
This is not a service bug. If you do not use the predefined service with the FTP protocol inspector enabled, you can't filter FTP traffic for users. Also, it will not be possible to make a connection to an FTP server in active mode.

FXP is "server-to-server file transfer" and it really uses FTP. It is widely used for transferring files between two FTP servers. I guess KWF blocks those types of commands due to the enabled bounce attack protection (the FTP server wants to make a connection to another computer). It is potentially dangerous to disable that because it can be exploited (http://www.securityfocus.com/archive/1/3488) for unauthorized portscans, spamming, etc. (like an open-relay mail server or open proxy server). Please look in the security log to see if there is any "bounce attack" message.


             Control     ------------   Control
              ---------->| User-FTP |<-----------
              |          | User-PI  |           |
              |          |   "C"    |           |
              V          ------------           V
      --------------                        --------------
      | Server-FTP |   Data Connection      | Server-FTP |
      |    "A"     |<---------------------->|    "B"     |
      -------------- Port (A)      Port (B) --------------
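
The check described in the post above, sketched as an added example (not Kerio's code and not part of the original thread): an inspector on the control connection flags any PORT command whose address is not the client's own, which is exactly what an FXP transfer sends. The function names, the low-port rule and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import re

# RFC 959 active-mode argument: PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT\s+" + ",".join([r"(\d{1,3})"] * 6) + r"\s*$", re.I)

def parse_port(line):
    """Return (ip, port) from a PORT command, or None if it is malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]

def check_port(client_ip, line, min_port=1024):
    """Classify a PORT command seen on a control connection from client_ip."""
    parsed = parse_port(line)
    if parsed is None:
        return "malformed"
    ip, port = parsed
    if ip != ipaddress.IPv4Address(client_ip):
        # The server is being told to connect to a third host.
        # A bounce scan and a legitimate FXP transfer look identical here.
        return "bounce"
    if port < min_port:
        # Assumed extra hardening rule (not stated in the thread):
        # refuse data connections to well-known service ports.
        return "low-port"
    return "ok"

# Constructed sample commands; addresses are documentation ranges.
CLIENT = "192.0.2.10"
SAMPLE = [
    "PORT 192,0,2,10,195,80",   # normal active mode, client's own address
    "PORT 198,51,100,7,78,32",  # FXP: address taken from server B's PASV reply
    "PORT 192,0,2,10,0,25",     # client's address but port 25
    "PORT 192,0,2,10,999,1",    # octet out of range
]

def audit(client_ip, lines):
    """Return (command, verdict) pairs for a list of control-channel lines."""
    return [(line, check_port(client_ip, line)) for line in lines]

if __name__ == "__main__":
    for line, verdict in audit(CLIENT, SAMPLE):
        print(f"{verdict:10} {line}")
```

Because the FXP case and the bounce case produce the same verdict, turning the check off for one also turns it off for the other.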
  •  
coolwd

You are right. In the security log, there are "[17/Feb/2004 01:41:14] FTP: Bounce attack attempt:...."
KWF takes the FXP as a bounce attack.
How can I disable this option?
FXP is more important to me.
  •  
coolwd

Got it!
Still use service definitions,
but set BounceProtect to 0 in winroute.cfg
and restart KWF.

Thanks to everyone.