Some simple tests to isolate the problem would be to
try the ftp session *from* the FWTK box directly ...
Still a problem? (maybe it is ftp-gw) Not? Then
it looks like their problem.
Realize that when you do a "pwd" or "cd" you are just
communicating over that established control channel. That
is a client -> server connection.
But, when you wish to do a GET, PUT, DIR or ls, you are
actually building a second, data channel between the
2 systems ... or, in your case, not building that second one.
The channel can be client -> server to "grab" the data or
could be client <- server to have the data "given" to you.
Snooping, watching truss/trace output and watching the
network stats on my FWTK box shows that the ftp-gw
process gets the client "PORT clientip,clientport" command
and tells the remote server side "PORT firewallip,20" ...
so the remote server should connect *back* to your
FWTK box to give you the data. (I should have just
read the source code, I know.) ... my fwtk is 2.0
From: Bob Gerrish[SMTP:u-rpg @
Sent: Friday, September 26, 1997 10:10 AM
To: firewalls @
Subject: Checkpoint and FWTK 1.2 ftp proxy hangs
I ran into a problem between Firewall Toolkit's ftp-gw proxy server and
Checkpoint. One of our trading partners purchased it from a consultant.
We were using the ftp-gw proxy from our end to transfer files. Checkpoint
was installed on the other end on an NT server. We could still ftp to
their system. pwd and cd worked but the connection hung when we tried to
do a get, put or dir. If we connected outside of the firewall, everything
worked fine. Of course, according to their consultant, it was our problem
and Checkpoint could never possibly have any bugs! We had no problem
connecting to/through other firewalls including wrappers and Gauntlet.
(They have since had another customer experience the same problem.)
They found that the ftp process was not sending a new line (or perhaps a
CR/LF) and they hacked Checkpoint to add it. We found that upgrading to
FWTK 2.0 also solved the problem. The only documented patch to any
version of ftp-gw (the patch was for version 1.2) which looked even close
was one to "Fixed timeout code in ftp-gw to be more forgiving of systems
that decrement the passed timeout value."
They are supposed to call next week when their consultant is in so we can
determine which was the actual problem and what actually cured it.
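The reply above describes two things worth seeing in code: how an FTP proxy like ftp-gw takes the client's "PORT clientip,clientport" command and tells the server a different address to connect back to, and why a command line that is not terminated with CR/LF (the suspected cause of the hang in the original post) should be treated as incomplete. The following is an added illustration written for this thread, not code from FWTK, Checkpoint, or either poster; the IP addresses and the data port it advertises are constructed sample values, and the rewrite to port 20 only follows what the reply reports observing.

```python
import re

# Constructed sample values for the demonstration (not from the original posts).
CLIENT_IP = "192.0.2.10"
FIREWALL_IP = "198.51.100.1"

# RFC 959 PORT syntax: PORT h1,h2,h3,h4,p1,p2 with the port given as p1*256+p2.
# The command must end in CRLF; anything else is rejected as incomplete.
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$"
)


def is_complete_command(line: str) -> bool:
    """An FTP command line is only complete when terminated by CR/LF.

    A peer that waits for the terminator before acting on the command will
    appear to 'hang' if only a bare LF, or nothing at all, is sent."""
    return line.endswith("\r\n")


def parse_port(line: str):
    """Parse a CRLF-terminated PORT command into (ip, port).

    Returns None when the line is malformed, has an octet or byte out of
    range, or is not properly terminated."""
    match = PORT_RE.match(line)
    if match is None:
        return None
    fields = [int(x) for x in match.groups()]
    if any(v > 255 for v in fields):
        return None
    ip = ".".join(str(v) for v in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def build_port(ip: str, port: int) -> str:
    """Build a PORT command for ip/port, always CRLF-terminated."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    return "PORT %s,%d,%d\r\n" % (",".join(ip.split(".")), port >> 8, port & 0xFF)


def proxy_rewrite_port(client_line: str, firewall_ip: str, data_port: int = 20):
    """Mimic the behaviour the reply describes for ftp-gw.

    The proxy records where the client wants its data delivered (so it can
    relay later) and tells the remote server to connect back to the firewall
    instead. The default data_port of 20 follows what the reply says it saw
    on the wire; a real proxy would choose whatever port it is listening on.

    Returns ((client_ip, client_port), rewritten_line) or None if the client
    command could not be parsed."""
    parsed = parse_port(client_line)
    if parsed is None:
        return None
    return parsed, build_port(firewall_ip, data_port)


if __name__ == "__main__":
    client_cmd = build_port(CLIENT_IP, 1025)
    print("client sends :", repr(client_cmd))
    result = proxy_rewrite_port(client_cmd, FIREWALL_IP)
    print("proxy relays to client at:", result[0])
    print("proxy tells server       :", repr(result[1]))
    # A command missing its CR is what the original post suspects; it never
    # parses and a strict peer will keep waiting for the terminator.
    print("bare-LF PORT accepted?   :", parse_port("PORT 192,0,2,10,4,1\n") is not None)
```

When chasing a hang like the one described, checking the exact bytes at the end of each command line (CR/LF versus bare LF) on both sides of the proxy, as the reply suggests with truss/trace and network stats, is the quickest way to tell whether the proxy or the far end is the one at fault.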