AS/400 FTP PASV connections through FW-1
Glyn Geoghegan (glyng@bigfoot.com)
Mon, 08 Nov 1999 19:33:52 +0000
- Next message: Stan Anderson: "ICMP"
- Previous message: Steven Osman: "Re: Newspaper Article about Cable Modem security"
- Next in thread: Glyn Geoghegan: "Re: AS/400 FTP PASV connections through FW-1"
- Reply: Glyn Geoghegan: "Re: AS/400 FTP PASV connections through FW-1"
Hi all,
I'm having trouble with AS/400 FTP connections through Firewall-1 (NT4,
FW-1 V4SP4). PASV support is activated in the FW-1 policy, and works
from an NT machine running a PASV client, NAT'd to appear to be the
AS/400 from the outside.
I'm fairly certain it's a failing in the client itself rather than the
Firewall, but since an updated client is unlikely to be available before
the deadline I have for solving this problem, I'm faced with leaving a
very messy 'fix' in place... Read on...
The AS/400 client appears to be trying to open a PASV data connection
and failing:
1. AS/400 admin can ftp to the NT FTP server in question
2. USER and PASS authentication is successful
3. When an 'ls' command is issued, the operation eventually times out,
and the AS/400 reports that it couldn't complete the PASV data
connection. The FW-1 log shows a successful initial port 21 connection,
and then no further passed or dropped packets relating to the connection.
NB. The FW-1 in question has been introduced as an Extranet firewall
onto a private 3rd party link. As such, during the migration period the
final rule is an 'Any Any Any permit' - having identified 95% of
services prior to the install, I'm now using the last rule as a packet
sniffer to account for and deny/permit any remaining traffic.
As such, if there were any attempt by the AS/400 or NT FTP server to
communicate, it would be passed & logged. Also, an NT PASV client from a
machine NAT'd to the AS/400's address connects fine and can perform 'ls'
and data transfers, reporting its ever-increasing port numbers along
the way.
If I remove the FTP PASV from FW-1 and retry the connection from the
AS/400:
1. AS/400 admin can logon as before
2. "ls" now works fine
3. Data transfers function.
But, this is only because after the initial TCP/21 chatter the
subsequent TCP/>1024 traffic is passed by the 'any any any permit' at
the end.
Is this a known problem with AS/400s? I've asked the admin to check for
a newer release of the PASV client, or even a normal FTP client, but he
didn't hold out much hope.
I can't stomach the prospect of permitting TCP/>1024 access to the
AS/400 box to get round this problem, as aside from the massive security
faux pas that would be, I'd have to leave PASV support deactivated on
the firewall, which will undoubtedly cause further problems in the
future.
Any ideas? Please also e-mail me the responses, as this project is
severely limiting my time to read the digests...
Edited log extracts below; rule 33 is the 'ftp permit', 39 is the 'any
any any permit'; this is with PASV support off.
"4427" "8Nov1999" "18:40:31" "SBIfMP7" "fw1" "log" "accept" "ftp" "as400" "nt-ftp-server" "tcp" "33" "1157" "" "" "" "" "" "" "" " len 46"
"4430" "8Nov1999" "18:41:18" "SBIfMP7" "fw1" "log" "accept" "ftp" "nt_client" "nt-ftp-server" "tcp" "39" "1442" "" "" "" "as400" "nt-ftp-server" "10068" "ftp" " len 44"
"4431" "8Nov1999" "18:41:18" "SBIfMP7" "fw1" "log" "accept" "2756" "nt_client" "nt-ftp-server" "tcp" "39" "1445" "" "" "" "as400" "nt-ftp-server" "10070" "2756" " len 44"
"4432" "8Nov1999" "18:41:19" "SBIfMP7" "fw1" "log" "accept" "2757" "nt_client" "nt-ftp-server" "tcp" "39" "1446" "" "" "" "as400" "nt-ftp-server" "10071" "2757" " len 44"
"4433" "8Nov1999" "18:41:21" "SBIfMP7" "fw1" "log" "accept" "2758" "nt_client" "nt-ftp-server" "tcp" "39" "1447" "" "" "" "as400" "nt-ftp-server" "10072" "2758" " len 44"
"4434" "8Nov1999" "18:41:47" "SBIfMP7" "fw1" "log" "accept" "2759" "as400" "nt-ftp-server" "tcp" "39" "1160" "" "" "" "" "" "" "" " len 44"
"4435" "8Nov1999" "18:41:51" "SBIfMP7" "fw1" "log" "accept" "2760" "as400" "nt-ftp-server" "tcp" "39" "1161" "" "" "" "" "" "" "" " len 44"
"4436" "8Nov1999" "18:42:32" "SBIfMP7" "fw1" "log" "accept" "ftp" "as400" "nt-ftp-server" "tcp" "33" "1150" "" "" "" "" "" "" "" " len 46"
"4437" "8Nov1999" "18:42:34" "SBIfMP7" "fw1" "log" "accept" "ftp" "as400" "nt-ftp-server" "tcp" "33" "1157" "" "" "" "" "" "" "" " len 46"
"4442" "8Nov1999" "18:44:35" "SBIfMP7" "fw1" "log" "accept" "ftp" "as400" "nt-ftp-server" "tcp" "33" "1150" "" "" "" "" "" "" "" " len 46"
"4443" "8Nov1999" "18:44:37" "SBIfMP7" "fw1" "log" "accept" "ftp" "as400" "nt-ftp-server" "tcp" "33" "1157" "" "" "" "" "" "" "" " len 46"
"4446" "8Nov1999" "18:46:37" "SBIfMP7" "fw1" "log" "accept" "ftp" "as400" "nt-ftp-server" "tcp" "33" "1163" "" "" "" "" "" "" "" " len 44"
"4447" "8Nov1999" "18:46:39" "SBIfMP7" "fw1" "log" "accept" "2761" "as400" "nt-ftp-server" "tcp" "39" "1164" "" "" "" "" "" "" "" " len 44"
"4448" "8Nov1999" "18:46:40" "SBIfMP7" "fw1" "log" "accept" "2762" "as400" "nt-ftp-server" "tcp" "39" "1165" "" "" "" "" "" "" "" " len 44"
And now with PASV support on: nt_client with PASV FTP was working during
this period, the AS/400 wasn't.
"4269" "8Nov1999" "17:50:57" "SBIfMP7" "fw1" "log" "accept" "ftp" "as400" "nt-ftp-server" "tcp" "33" "1095" "" "" "" "" "" "" "" " len 46"
"4270" "8Nov1999" "17:52:27" "SBIfMP7" "fw1" "log" "accept" "ftp" "as400" "nt-ftp-server" "tcp" "33" "1097" "" "" "" "" "" "" "" " len 44"
"4271" "8Nov1999" "17:53:15" "SBIfMP7" "fw1" "log" "accept" "ftp" "as400" "nt-ftp-server" "tcp" "33" "1098" "" "" "" "" "" "" "" " len 44"
"4272" "8Nov1999" "17:56:19" "SBIfMP7" "fw1" "log" "accept" "ftp" "nt_client" "nt-ftp-server" "tcp" "39" "1173" "" "" "" "as400" "nt-ftp-server" "poker" "ftp" " len 44"
"4273" "8Nov1999" "17:56:42" "SBIfMP7" "fw1" "log" "accept" "ftp" "as400" "nt-ftp-server" "tcp" "33" "1097" "" "" "" "" "" "" "" " len 46"
"4274" "8Nov1999" "17:59:07" "SBIfMP7" "fw1" "log" "accept" "ftp" "as400" "nt-ftp-server" "tcp" "33" "1100" "" "" "" "" "" "" "" " len 44"
"4275" "8Nov1999" "17:59:41" "SBIfMP7" "fw1" "log" "accept" "ftp" "as400" "nt-ftp-server" "tcp" "33" "1098" "" "" "" "" "" "" "" " len 46"
"4276" "8Nov1999" "18:01:44" "SBIfMP7" "fw1" "log" "accept" "ftp" "as400" "nt-ftp-server" "tcp" "33" "1098" "" "" "" "" "" "" "" " len 46"
"4277" "8Nov1999" "18:03:24" "SBIfMP7" "fw1" "log" "accept" "ftp" "as400" "nt-ftp-server" "tcp" "33" "1100" "" "" "" "" "" "" "" " len 46"
"4278" "8Nov1999" "18:03:25" "SBIfMP7" "fw1" "log" "accept" "ftp" "as400" "nt-ftp-server" "tcp" "33" "1098" "" "" "" "" "" "" "" " len 40"
"4279" "8Nov1999" "18:05:27" "SBIfMP7" "fw1" "log" "accept" "ftp" "as400" "nt-ftp-server" "tcp" "33" "1103" "" "" "" "" "" "" "" " len 44"
"4280" "8Nov1999" "18:05:50" "SBIfMP7" "fw1" "log" "accept" "ftp" "as400" "nt-ftp-server" "tcp" "33" "1098" "" "" "" "" "" "" "" " len 46"
"4281" "8Nov1999" "18:07:36" "SBIfMP7" "fw1" "log" "accept" "ftp" "nt_client" "nt-ftp-server" "tcp" "39" "1233" "" "" "" "as400" "nt-ftp-server" "10005" "ftp" " len 44"
"4282" "8Nov1999" "18:07:53" "SBIfMP7" "fw1" "log" "accept" "ftp" "as400" "nt-ftp-server" "tcp" "33" "1098" "" "" "" "" "" "" "" " len 46"
"4283" "8Nov1999" "18:07:53" "SBIfMP7" "fw1" "log" "reject" "ftp" "nt_client" "nt-ftp-server" "tcp" "0" "1233" "" "" "" "" "" "" "" " reason: tried to open tcp service port, port: vosaic-ctrl"
"4284" "8Nov1999" "18:08:00" "SBIfMP7" "fw1" "log" "accept" "ftp" "nt_client" "nt-ftp-server" "tcp" "39" "1236" "" "" "" "as400" "nt-ftp-server" "10006" "ftp" " len 44"
"4285" "8Nov1999" "18:09:42" "SBIfMP7" "fw1" "log" "accept" "ftp" "as400" "nt-ftp-server" "tcp" "33" "1103" "" "" "" "" "" "" "" " len 46"
"4287" "8Nov1999" "18:11:26" "SBIfMP7" "fw1" "log" "accept" "ftp" "as400" "nt-ftp-server" "tcp" "33" "1105" "" "" "" "" "" "" "" " len 44"
"4288" "8Nov1999" "18:15:41" "SBIfMP7" "fw1" "log" "accept" "ftp" "as400" "nt-ftp-server" "tcp" "33" "1105" "" "" "" "" "" "" "" " len 46"
"4289" "8Nov1999" "18:17:36" "SBIfMP7" "fw1" "log" "accept" "ftp" "as400" "nt-ftp-server" "tcp" "33" "1107" "" "" "" "" "" "" "" " len 44"
"4290" "8Nov1999" "18:20:16" "SBIfMP7" "fw1" "log" "accept" "ftp" "nt_client" "nt-ftp-server" "tcp" "39" "1396" "" "" "" "as400" "nt-ftp-server" "10030" "ftp" " len 44"
"4291" "8Nov1999" "18:20:42" "SBIfMP7" "fw1" "log" "accept" "ftp" "as400" "nt-ftp-server" "tcp" "33" "1108" "" "" "" "" "" "" "" " len 44"
"4292" "8Nov1999" "18:21:52" "SBIfMP7" "fw1" "log" "accept" "ftp" "as400" "nt-ftp-server" "tcp" "33" "1107" "" "" "" "" "" "" "" " len 46"
"4293" "8Nov1999" "18:23:55" "SBIfMP7" "fw1" "log" "accept" "ftp" "as400" "nt-ftp-server" "tcp" "33" "1107" "" "" "" "" "" "" "" " len 46"
"4294" "8Nov1999" "18:24:05" "SBIfMP7" "fw1" "log" "accept" "" "nt_client" "smantbif-Inside" "icmp" "6" "" "" "" "" "" "" "" "" " icmp-type 8 icmp-code 0"
"4295" "8Nov1999" "18:25:41" "SBIfMP7" "fw1" "log" "accept" "ftp" "as400" "nt-ftp-server" "tcp" "33" "kpop" "" "" "" "" "" "" "" " len 44"
"4296" "8Nov1999" "18:25:58" "SBIfMP7" "fw1" "log" "accept" "ftp" "as400" "nt-ftp-server" "tcp" "33" "1107" "" "" "" "" "" "" "" " len 46"
Cheers,
Glyn.
----------------------------------------------------------------
G l y n G e o g h e g a n Security Consultant
B.Sc. ARCS
T: +44 (0)7710 783 064 ------------- glyng@bigfoot.com
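Added example, not part of Glyn's post or of any Check Point tool: a Python script that parses records in the FW-1 log export format quoted above and reports which TCP high-port flows were only let through by the catch-all rule 39, which is the accounting the post describes doing by eye. The field names are my reading of the records' 21 positions rather than an official FW-1 schema, and the sample records are copied from the extract above, still mail-wrapped.

```python
"""Account for traffic that only passed on the temporary catch-all rule in a
Check Point FW-1 v4 log export (the approach taken in the post above)."""
import re
from collections import Counter

# Positional layout of the 21 quoted fields per record in the export; the
# names are my reading of the records in the post, not an official FW-1 schema.
FIELDS = ("num", "date", "time", "if", "origin", "type", "action", "service",
          "src", "dst", "proto", "rule", "s_port", "f13", "f14", "f15",
          "xlatesrc", "xlatedst", "xlatesport", "xlatedport", "info")
FTP_RULE = "33"        # the 'ftp permit' rule named in the post
CATCH_ALL_RULE = "39"  # the temporary 'any any any permit' named in the post

# Three records copied from the extract above, still mail-wrapped as shown there.
SAMPLE_LOG = '''
"4427" "8Nov1999" "18:40:31" "SBIfMP7" "fw1" "log" "accept"
"ftp" "as400" "nt-ftp-server" "tcp" "33" "1157" "" "" "" ""
"" "" "" " len 46"
"4431" "8Nov1999" "18:41:18" "SBIfMP7" "fw1" "log" "accept"
"2756" "nt_client" "nt-ftp-server" "tcp" "39" "1445" "" "" ""
"as400"
"nt-ftp-server" "10070" "2756" " len 44"
"4434" "8Nov1999" "18:41:47" "SBIfMP7" "fw1" "log" "accept"
"2759" "as400" "nt-ftp-server" "tcp" "39" "1160" "" "" "" ""
"" "" "" " len 44"
'''

def parse_records(text):
    """Yield one dict per record. Every field is quoted, so mail wrapping
    between (or even inside) fields does not matter: pull all quoted values
    out of the whole text and cut the stream into fixed-size records."""
    values = [" ".join(v.split()) for v in re.findall(r'"([^"]*)"', text)]
    for i in range(0, len(values) - len(FIELDS) + 1, len(FIELDS)):
        yield dict(zip(FIELDS, values[i:i + len(FIELDS)]))

def account(text):
    """Return hits per (rule, action) and the TCP high-port flows that only the
    catch-all let through: with PASV inspection off, these are the FTP data
    connections rule 33 never saw and that a final deny would break."""
    by_rule, unaccounted = Counter(), []
    for rec in parse_records(text):
        by_rule[(rec["rule"], rec["action"])] += 1
        if (rec["rule"] == CATCH_ALL_RULE and rec["proto"] == "tcp"
                and rec["service"].isdigit() and int(rec["service"]) > 1023):
            unaccounted.append((rec["time"], rec["src"], rec["dst"],
                                int(rec["service"])))
    return by_rule, unaccounted
```

Run against the full extract, the unaccounted list is exactly the set of data connections the ftp rule would have to cover before the catch-all can become a deny.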
This archive was generated by hypermail 2.0b3 on Tue Nov 09 1999 - 05:03:44 CST