FAQ

1. Common questions

1.1. Why can't we run the more popular FTP client software such as WS-FTP, but only FTP in Internet Explorer and Netscape? We use NAT with the firewall connections.

1.2. FTP works on all versions of Netscape and on IE version 4 and lower, but it does not work in IE 5. Why?

1.3. I want to hide my addresses with dynamic NAT. Can I use the private IP addresses?

1.4. What happens if we use public IP addresses in the protected network?

1.5. When I scanned the access server's ports from outside with a port scanning tool, I found UDP ports open in a random range, and the set of open ports changed each time the scanning tool was run. What is going on?

1.6. Many firewalls allow all packets through during the short boot period before the firewall rules are loaded. Do Amaranten firewalls also have this problem?

1.7. What do the parameters /0, /24 and /32 in the firewall configuration file mean?

1.8. My mail server is Microsoft Exchange, Lotus Notes, Novell GroupWise or another groupware server. If I put it in the DMZ, my computers cannot use the advanced functions the server provides. Can I put it inside the protected network and still allow mail to be sent over the Internet?

2. Questions about Configuration

2.1. SAT does not work properly. What is the problem?

3. Questions about Log

3.1. When I choose Show Log in the firewall manager, I find only the present events, not the past events. Is this a failure of syslog?

3.2. The firewall log tool or the syslog is empty.
1.1. Why can't we run the more popular FTP client software such as WS-FTP, but only FTP in Internet Explorer and Netscape? We use NAT with the firewall connections.

FTP uses two connections: one carries the commands, the other carries the file data. FTP can run in active mode or in passive mode (PASV). The mode determines how the data connection is set up. In active mode, which FTP has traditionally used, the FTP server opens the data connection back to the client; firewalls do not allow this. In passive mode the client opens the data connection to the server, which firewalls do allow. Internet Explorer and Netscape are usually configured for passive mode, while FTP client software usually defaults to active mode. Most FTP software lets you change this setting, although the Windows command-line FTP client does not support PASV. Check the help files of your FTP software for how to use PASV. In IE 5, active mode is used when FTP sites are displayed as a local hard disk (folder view); if the display is set to "Display FTP sites as Web pages", passive mode is used, so this is the setting to choose.
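To make the difference concrete, here is an added example (not code from Amaranten or this FAQ): a toy stateful firewall that permits new TCP connections only from the protected side and tracks them so that replies can come back. It then replays the FTP control and data connections of both modes through it. The addresses, ports and the firewall's rule logic are constructed for the illustration; address rewriting by NAT is left out because only the direction of the data connection matters here.

```python
"""Added example, not Amaranten's code: why passive FTP passes a stateful
firewall/NAT and active FTP does not.  All addresses/ports are constructed."""

from __future__ import annotations

from dataclasses import dataclass

CLIENT = "192.168.1.10"   # constructed: protected FTP client behind NAT
SERVER = "203.0.113.5"    # constructed: public FTP server (TEST-NET-3 range)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool   # True for the first packet of a TCP connection


class StatefulFirewall:
    """Allows NEW connections only from `inside`; remembers them so that the
    reply direction of a tracked connection is let back in, nothing else."""

    def __init__(self, inside: set[str]) -> None:
        self.inside = inside
        self.state: set[tuple[str, int, str, int]] = set()

    def filter(self, p: Packet) -> str:
        flow = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if p.syn and p.src in self.inside:
            self.state.add(flow)        # outbound connection: record and allow
            return "ALLOW"
        if flow in self.state or reverse in self.state:
            return "ALLOW"              # packet belongs to a tracked connection
        return "DROP"                   # unsolicited connection from outside


def ftp_session(passive: bool) -> dict[str, str]:
    """Verdicts for the control connection, the server's reply on it, and
    the data connection in the chosen mode."""
    fw = StatefulFirewall(inside={CLIENT})
    verdicts = {}
    # Control connection: client -> server port 21, identical in both modes.
    verdicts["control"] = fw.filter(Packet(CLIENT, 40000, SERVER, 21, syn=True))
    # Server's answer on the control connection: reverse of a tracked flow.
    verdicts["control_reply"] = fw.filter(Packet(SERVER, 21, CLIENT, 40000, syn=False))
    if passive:
        # PASV: server announces a port; the CLIENT opens the data connection.
        verdicts["data"] = fw.filter(Packet(CLIENT, 40001, SERVER, 50123, syn=True))
    else:
        # Active (PORT): the SERVER connects from port 20 back to the client.
        verdicts["data"] = fw.filter(Packet(SERVER, 20, CLIENT, 40001, syn=True))
    return verdicts


if __name__ == "__main__":
    print("passive:", ftp_session(True))
    print("active: ", ftp_session(False))
```

The control connection and its replies pass in both modes; only the active-mode data connection, which arrives from the outside as a new connection, is dropped. That is exactly the failure a user sees when a client defaults to active mode behind the firewall.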
1.2. FTP works on all versions of Netscape and on IE version 4 and lower, but it does not work in IE 5. Why?

FTP must use passive mode through firewall NAT. In IE 5, if the display is set to local hard disk (folder view), active mode is used; if it is set to display FTP sites as Web pages, passive mode is used. Choose the Web page display.
1.3. I want to hide my addresses with dynamic NAT. Can I use the private IP addresses?

Yes. You can use the private IP addresses in the following three ranges:
10.0.0.0-10.255.255.255 (16,000,000 addresses)
172.16.0.0-172.31.255.255 (16 x 65536 addresses)
192.168.0.0-192.168.255.255 (256 x 256 addresses)
Some claim that other IP addresses may also be used. This is not sound: use only the addresses listed above, otherwise unexpected problems may be encountered.
1.4. What happens if we use public IP addresses in the protected network?

With luck, no trouble will occur. Because most users apply dynamic NAT to the protected network, the return traffic always comes back to the firewall, which forwards it to the protected network. But consider what happens if you use someone else's addresses and then try to communicate with that network: the traffic you send cannot reach the intended addresses; instead it is routed back into your own network.
1.5. When I scanned the access server's ports from outside with a port scanning tool, I found UDP ports open in a random range, and the set of open ports changed each time the scanning tool was run. What is going on?

A port scanning tool cannot confirm whether a given UDP port is open on a protected host. It can only send one or more packets to the host; whether those packets reach the host is another matter. Many port scanning tools watch for ICMP Destination Unreachable packets. If a packet is rejected under a Reject rule, the firewall sends back an ICMP Destination Unreachable packet. However, the number of such packets per second is limited; the exact limit is set in the firewall configuration. If the rate of rejected packets is much higher than this limit, the excess packets are simply dropped and the firewall sends no further ICMP Destination Unreachable messages. Packets matched by a Drop rule never get an ICMP Destination Unreachable reply at all. When the scanning program receives no such message for either of these reasons, it wrongly reports the port as open. To find out which traffic really gets through the firewall, connect a "Sniffer", a protocol analysis tool that displays the content of all packets on the network. Then send a group of packets with the port scanning tool to the ports of the IP addresses you are interested in and check whether any packet gets through the firewall.
1.6. Many firewalls allow all packets through during the short boot period before the firewall rules are loaded. Do Amaranten firewalls also have this problem?

No. This problem only occurs with firewalls that run on an operating system with a general-purpose TCP/IP protocol stack. Amaranten firewalls do not have it, because all functions, including the rules, are already in effect while the Amaranten firewall core is booting.
1.7. What do the parameters /0, /24 and /32 in the firewall configuration file mean?

They are network masks written in Classless Inter-Domain Routing (CIDR) notation. Please see the related documents for a detailed explanation.
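As an added illustration for questions 1.3 and 1.7 (not code from this FAQ), the Python standard ipaddress module can show what a prefix length such as /0, /24 or /32 expands to, and can check whether an address lies in one of the three private ranges from 1.3. Writing those ranges in CIDR form (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) is the same information as the dotted ranges in the answer above; the exact address counts the code reports are what the notation implies.

```python
"""Added example, not Amaranten's code: CIDR prefix lengths and the private
address ranges of question 1.3, using the standard ipaddress module."""

import ipaddress

# The three private ranges from question 1.3, in CIDR notation.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def describe_prefix(prefix_len: int) -> dict:
    """Dotted netmask and number of addresses covered by a /N prefix."""
    net = ipaddress.ip_network(f"0.0.0.0/{prefix_len}")
    return {
        "prefix": f"/{prefix_len}",
        "netmask": str(net.netmask),
        "addresses": net.num_addresses,
    }


def is_private(addr: str) -> bool:
    """True if `addr` is inside one of the ranges a NAT-hidden network may use."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def private_range_sizes() -> dict[str, int]:
    """Address count of each private range, e.g. 16 x 65536 for 172.16/12."""
    return {str(net): net.num_addresses for net in PRIVATE_RANGES}


if __name__ == "__main__":
    for n in (0, 24, 32):
        print(describe_prefix(n))      # /0 = everything, /24 = 256 hosts, /32 = one host
    print(private_range_sizes())
    for a in ("10.1.2.3", "172.32.0.1", "192.168.200.9", "8.8.8.8"):
        print(a, "private" if is_private(a) else "public")
```

Note that 172.32.0.1 is outside the private space: the 172 range only covers 172.16 through 172.31, which is the kind of mistake the warning in 1.3 is about.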
1.8. My mail server is Microsoft Exchange, Lotus Notes, Novell GroupWise or another groupware server. If I put it in the DMZ, my computers cannot use the advanced functions the server provides. Can I put it inside the protected network and still allow mail to be sent over the Internet?

Yes. Four methods can be used:
- You can put a mail relay in the DMZ and make it reachable from the Internet. The safest arrangement is to allow the relay to communicate with the internal mail server via SMTP only. The relay can also scan for viruses and implement other security measures.
- If the mail server has only a private IP address, set a SAT rule in the firewall that translates traffic for port 25 of the external IP address to port 25 of the mail server's internal IP address. Be sure to add a matching Allow rule so that the traffic can get through the firewall.
- If the mail server has a public IP address, SMTP traffic can reach port 25 directly.
- If the mail server has no public IP address and you do not want to use SAT, choose an IP address from the external network segment and add it to the mail server's network configuration. This requires adding a route for the leased IP address and enabling proxy ARP for the leased address on the external interface. The traffic then passes through via that address.
2. Questions about Configuration

2.1. SAT does not work properly. What is the problem?

Common mistakes when setting SAT rules:
- Forgetting that a SAT rule by itself has no effect on packets. When a packet matches a SAT rule, the firewall records the address translation and then continues searching for a matching FwdFast, Allow, NAT, Drop or Reject rule. Consequently only one SAT rule is needed even when traffic arrives on two or more interfaces, but each traffic flow still needs its own matching rule: for example, if the DMZ is on the third interface, rules are needed both for traffic from the external network (normally Allow) and for traffic from the protected network (normally NAT).
- With FwdFast, rules are also needed for the return traffic. Two sets of SAT rules are therefore required, one for each direction of traffic.
- SAT translation only takes effect when a matching FwdFast, Allow or NAT rule exists. This means a SAT rule that translates destination address 1.1.1.1 to 2.2.2.2 must have a corresponding FwdFast or NAT rule whose destination address is 1.1.1.1, not 2.2.2.2.
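The first and third points above, and the SAT-plus-Allow method in question 1.8, come down to one lookup order: translate, then keep matching on the original destination, and drop if nothing matches. The added example below (not Amaranten's code) models that order with a constructed rule syntax and the addresses 1.1.1.1 and 2.2.2.2 from the answer, and compares a SAT rule on its own, a SAT rule with an Allow rule written for the translated address, and the correct combination.

```python
"""Added example, not Amaranten's code: a toy model of the rule lookup
described in 2.1.  SAT rewrites the destination but matching continues on
the ORIGINAL destination; no matching FwdFast/Allow/NAT rule means a drop.
Rule syntax and addresses are constructed for the illustration."""

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "SAT", "FwdFast", "Allow", "NAT", "Drop" or "Reject"
    dst: str               # destination address the rule matches on
    dport: int
    sat_to: str = ""       # SAT only: the new destination address


def matches(rule: Rule, p: Packet) -> bool:
    return rule.dst == p.dst and rule.dport == p.dport


def process(rules: list[Rule], p: Packet) -> tuple[str, Packet]:
    """Return (verdict, packet as it would be forwarded)."""
    translated = p
    for rule in rules:
        if not matches(rule, p):          # always matched against the ORIGINAL packet
            continue
        if rule.action == "SAT":
            translated = replace(p, dst=rule.sat_to)   # note the rewrite, keep searching
            continue
        if rule.action in ("FwdFast", "Allow", "NAT"):
            return rule.action, translated             # translation now takes effect
        return rule.action, p                          # Drop or Reject
    return "Drop", p                                   # no matching rule: implicit drop


SMTP = 25
INBOUND = Packet(src="198.51.100.7", dst="1.1.1.1", dport=SMTP)   # constructed sender

# Mistake 1: a SAT rule alone.  Nothing else matches, so the mail is dropped.
SAT_ONLY = [Rule("SAT", "1.1.1.1", SMTP, sat_to="2.2.2.2")]

# Mistake 2: the Allow rule is written for the TRANSLATED address 2.2.2.2.
SAT_WRONG_ALLOW = SAT_ONLY + [Rule("Allow", "2.2.2.2", SMTP)]

# Correct: the Allow rule matches the original destination 1.1.1.1.
SAT_WITH_ALLOW = SAT_ONLY + [Rule("Allow", "1.1.1.1", SMTP)]


if __name__ == "__main__":
    for name, rules in (("SAT only", SAT_ONLY), ("wrong Allow", SAT_WRONG_ALLOW),
                        ("SAT + Allow", SAT_WITH_ALLOW)):
        verdict, fwd = process(rules, INBOUND)
        print(f"{name:12s} -> {verdict}, forwarded to {fwd.dst}")
```

Only the last rule set lets the SMTP connection through, and the forwarded packet carries the translated address 2.2.2.2 even though the Allow rule named 1.1.1.1.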
3. Questions about Log

3.1. When I choose Show Log in the firewall manager, I find only the present events, not the past events. Is this a failure of syslog?

If you choose Show Log in the firewall manager, the real-time log is displayed. To see past events, check the Amaranten firewall Logger or the syslog receiver. Details are in the chapter on firewall log files in "The User's Guide --- Amaranten F series Firewall".
3.2. The firewall log tool or the syslog is empty.

You must explicitly configure the firewall to send its log messages to the syslog host; the receiving side is set up on the syslog host. The configuration allows at most 8 firewalls to send syslog messages to it. Details are in the chapter on firewall log files in "The User's Guide --- Amaranten F series Firewall".
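To show what the receiving side has to do once the firewalls are pointed at it, here is an added example (not Amaranten's logger): a minimal collector that accepts BSD-style syslog lines from a configured set of at most 8 firewall addresses, parses facility and severity from the PRI field, and keeps the events so that past entries can be retrieved later, unlike the real-time view in 3.1. The message format (RFC 3164 style "<PRI>Mmm dd hh:mm:ss host message"), the sender addresses and the sample lines are all constructed assumptions; the Amaranten log format itself is not specified on this page.

```python
"""Added example, not Amaranten's code: a tiny syslog collector that stores
messages from up to 8 configured firewalls.  Format assumed: BSD syslog
(RFC 3164).  Senders and sample datagrams are constructed."""

import re
from collections import defaultdict

MAX_FIREWALLS = 8   # mirrors the limit stated in 3.2
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                 # PRI = facility*8 + severity
    r"(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "               # Mmm dd hh:mm:ss
    r"(?P<host>\S+) (?P<msg>.*)$"
)


class SyslogCollector:
    def __init__(self, firewalls: list[str]) -> None:
        if len(firewalls) > MAX_FIREWALLS:
            raise ValueError(f"at most {MAX_FIREWALLS} firewalls may send to this collector")
        self.allowed = set(firewalls)
        self.events = defaultdict(list)   # sender address -> list of parsed events
        self.rejected = 0                 # datagrams from unknown senders or malformed

    def receive(self, sender: str, line: str) -> bool:
        """Store one datagram; return True if it was accepted."""
        m = SYSLOG_RE.match(line)
        if sender not in self.allowed or m is None:
            self.rejected += 1
            return False
        pri = int(m["pri"])
        self.events[sender].append({
            "facility": pri // 8, "severity": pri % 8,
            "time": m["ts"], "host": m["host"], "message": m["msg"],
        })
        return True

    def past_events(self, sender: str, min_severity: int = 7) -> list[dict]:
        """Stored events from one firewall at or above the given urgency
        (syslog severities: 0 = emerg ... 7 = debug)."""
        return [e for e in self.events[sender] if e["severity"] <= min_severity]


# Constructed sample datagrams: (sender address, payload).
SAMPLE = [
    ("192.0.2.1", "<14>Mar 10 08:15:02 fw1 DROP proto=UDP src=198.51.100.9 dst=192.0.2.1 dport=1434"),
    ("192.0.2.1", "<12>Mar 10 08:15:03 fw1 REJECT proto=TCP src=198.51.100.9 dst=192.0.2.1 dport=23"),
    ("192.0.2.2", "<14>Mar 10 08:15:04 fw2 ALLOW proto=TCP src=192.168.1.10 dst=203.0.113.5 dport=25"),
    ("203.0.113.99", "<14>Mar 10 08:15:05 rogue not a configured firewall"),
    ("192.0.2.1", "garbage without a syslog header"),
]


def run_sample() -> SyslogCollector:
    """Feed the constructed datagrams to a collector configured for two firewalls."""
    collector = SyslogCollector(["192.0.2.1", "192.0.2.2"])
    for sender, line in SAMPLE:
        collector.receive(sender, line)
    return collector


if __name__ == "__main__":
    c = run_sample()
    print("warnings and worse from fw1:", c.past_events("192.0.2.1", min_severity=4))
    print("rejected datagrams:", c.rejected)
```

If the collector stays empty, the first thing to verify is the sender list: a firewall whose address is not configured here is silently discarded, which is the symptom the question describes.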