| ICMP type | Code | Meaning |
|---|---|---|
| 3 | 11 | Destination Network Unreachable for Type of Service |
| 3 | 12 | Destination Host Unreachable for Type of Service |
| 3 | 13 | Communication Administratively Prohibited |
| 3 | 14 | Host Precedence Violation |
| 3 | 15 | Precedence cutoff in effect |
When analyzing network traces, sessions, or logs, you’ll see the following codes used within HTTP transactions. Knowing what they mean can be very helpful in figuring out what is happening. The dotted codes (401.2, 403.6 and so on) are Microsoft IIS substatus codes: the whole-number part is the standard HTTP status that goes on the wire, and the fractional part is IIS-specific detail that shows up in the IIS log and on the default error page. That detail is exactly the kind of thing an attacker reads too (403.6 says you are being filtered by IP, 403.7 says a client certificate is required), so it is worth knowing it cold. When you get a call that the intarweb is broken, ask them to tell you the little number that is on the web page…then wow them with your knowledge.
| Code | Meaning |
|---|---|
| 401.2 | Unauthorized: logon failed due to server configuration |
| 401.3 | Unauthorized: unauthorized due to ACL on resource |
| 401.4 | Unauthorized: authorization failed by filter |
| 401.5 | Unauthorized: authorization failed by ISAPI/CGI app |
| 403.1 | Forbidden: execute access forbidden |
| 403.2 | Forbidden: read access forbidden |
| 403.3 | Forbidden: write access forbidden |
| 403.5 | Forbidden: SSL 128 required |
| 403.6 | Forbidden: IP address rejected |
| 403.7 | Forbidden: client certificate required |
| 403.8 | Forbidden: site access denied |
| 403.9 | Access forbidden: too many users are connected |
| 403.10 | Access forbidden: invalid configuration |
| 403.11 | Access forbidden: password change |
| 403.12 | Access forbidden: mapper denied access |
| 403.13 | Client certificate revoked |
| 403.14 | Directory listing denied |
| 403.15 | Client Access Licenses exceeded |
| 403.16 | Client certificate untrusted or invalid |
| 403.17 | Client certificate has expired or is not yet valid |
| 404 | Requested resource not found |
| 404.1 | Web site not found |
| 405 | Method not allowed |
| 407 | Proxy authentication required |
| 413 | Request entity too large |
| 414 | Request URI too long |
| 415 | Unsupported media type |
| 416 | Requested range not satisfiable |
| 500.13 | Server too busy |
| 500.15 | Requests for Global.asa not allowed |
| 503 | Service unavailable (out of resources) |
| 505 | HTTP version not supported |
When analyzing network traces, sessions, or logs, you’ll see the following codes used within FTP transactions. Knowing what they mean can be very helpful in figuring out what is happening.
| Code | Meaning |
|---|---|
| 110 | Restart marker reply |
| 120 | Service ready in (n) minutes |
| 125 | Data connection already open, transfer starting |
| 150 | File status okay, about to open data connection |
| 202 | Command not implemented, superfluous at this site |
| 211 | System status, or system help reply |
| 215 | NAME system type |
| 220 | Service ready for new user |
| 221 | Service closing control connection |
| 225 | Data connection open, no transfer in progress |
| 226 | Closing data connection. Requested file action successful |
| 227 | Entering Passive Mode |
| 230 | User logged in, proceed |
| 250 | Requested file action okay, completed |
| 331 | Username okay, need password |
| 332 | Need account for login |
| 350 | Requested file action pending further information |
| 421 | Service not available, closing control connection |
| 425 | Can’t open data connection |
| 426 | Connection closed, transfer aborted |
| 450 | Requested file action not taken. File unavailable (e.g., file busy) |
| 451 | Requested action aborted, local error in processing |
| 452 | Requested action not taken. Insufficient storage space in system |
| 500 | Syntax error, command unrecognized |
| 501 | Syntax error in parameters or arguments |
| 502 | Command not implemented |
| 503 | Bad sequence of commands |
| 504 | Command not implemented for that parameter |
| 530 | User not logged in |
| 532 | Need account for storing files |
| 550 | Requested action not taken. File unavailable (e.g., file not found, no access) |
| 552 | Requested file action aborted, storage allocation exceeded |
| 553 | Requested action not taken. Illegal file name |
So the other day, I found myself involved in two different attempts to fix the same problem, which had apparently been an issue for over a year for these guys. They both wanted to use FTP to move files from a host on one segment, to an FTP server on another segment. Sounds simple, right? Well if it was, I wouldn’t be writing this article, would I?
-Two hosts need to communicate with one another using FTP
-across a firewall
-NAT is in place
-the FTP server is using the non-standard port 1959
First, a review of FTP is in order. FTP is specified in RFC 959. The protocol embeds network addressing inside the application layer: every time the client issues a PORT command (and every time the server answers a PASV with a 227 reply), an IP address and a port number ride along as the argument. The client’s PORT command carries the client’s own IP address and the port it is listening on for the data connection, in the form PORT h1,h2,h3,h4,p1,p2.
The address is sent as its four octets in decimal, separated by commas rather than dots, followed by the port split into two bytes (the port is p1*256 + p2). The FTP server uses that information to open a connection back to the client for the data transfer. In this instance, the FTP client is on one network segment, the FTP server is on another, and there is a firewall between them. The firewall translates the client’s traffic so that on the server’s segment it appears to come from 10.3.1.24, even though the client really is 10.1.1.24. At the network and transport layers this is transparent to both hosts and to the user. Unfortunately, the PORT command still says 10.1.1.24, because the client has no idea it is being translated. The server dutifully tries to open its data connection to 10.1.1.24, an address that is unreachable from its segment (and that the firewall would not pass inbound in any case), and the transfer fails; on the control channel that usually shows up as a 425 (Can’t open data connection) from the table above.
While Network Address Translation is used everywhere, there are limits to what it can do. Ordinary NAT only rewrites IP addresses at the network layer and port numbers at the transport layer. For many protocols that is sufficient, and the translation is transparent to the user, the hosts, and the application protocol. Some protocols, however, embed the IP address and/or port inside the application layer, as FTP does in its PORT command and 227 reply. Plain NAT does not look at the application layer, so the receiving host sees one set of addressing at layers 3 and 4 and a different, unreachable set inside the application data, and things break. Protocols such as RPC, which negotiate their endpoints in the application layer, break outright. For FTP and a number of other protocols, the PIX has the fixup command.
PIX firewalls have a feature called fixup, enabled by default for a number of protocols on their default (IANA-assigned) ports. For FTP, the default configuration carries this line:
fixup protocol ftp 21
Fixup does several things, but what matters here is that it performs the NAT job at the application layer as well: it inspects the FTP control channel, substitutes the translated address for the real one in PORT commands (and in the server’s 227 PASV replies), and opens a pinhole for just the negotiated data connection, so you do not have to punch a broad range of ports through the firewall to make FTP work. That neatly fixes the problem. Of course, had the FTP service been bound to the default port, the default fixup would already have applied and there would have been no problem to begin with. Because this server listens on 1959, the necessary action on the firewall is to add this command.
fixup protocol ftp 1959
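What the fixup actually does to the control channel, as an added illustration in Python (this is not code from the page or from Cisco): it decodes the RFC 959 host-port argument, rewrites the embedded address to the translated one, and reports the single (address, port) pinhole the firewall has to open for the data connection. The addresses and control-channel lines are constructed for the example; the PASV-reply handling and the bounce check are this toy’s own policy, not behaviour the page attributes to the PIX.

```python
import re
from ipaddress import IPv4Address

# Hypothetical addresses for the scenario in the article: the client's real
# address and the address the firewall's NAT presents to the server's segment.
REAL_CLIENT_IP = "10.1.1.24"
NAT_CLIENT_IP = "10.3.1.24"

# RFC 959 host-port argument: h1,h2,h3,h4,p1,p2 (decimal, comma separated).
_HOSTPORT = r"(\d{1,3}(?:,\d{1,3}){5})"
PORT_RE = re.compile(r"^PORT\s+" + _HOSTPORT + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\(" + _HOSTPORT + r"\)")


def decode_hostport(arg):
    """'10,1,1,24,4,165' -> ('10.1.1.24', 1189); the port is p1*256 + p2."""
    parts = [int(x) for x in arg.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed host-port argument: %r" % arg)
    ip = IPv4Address(".".join(str(p) for p in parts[:4])).exploded
    return ip, parts[4] * 256 + parts[5]


def encode_hostport(ip, port):
    """('10.3.1.24', 1189) -> '10,3,1,24,4,165'."""
    octets = IPv4Address(ip).exploded.split(".")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def fixup_port_command(line, session_src_ip, nat_ip):
    """Rewrite a client->server PORT command the way an FTP fixup would.

    Returns (rewritten_line, pinhole). pinhole is the (ip, port) on the NAT
    side that the server will connect to, i.e. the one inbound data
    connection the firewall needs to permit. Non-PORT lines pass through.
    """
    m = PORT_RE.match(line.strip())
    if not m:
        return line, None
    ip, port = decode_hostport(m.group(1))
    if ip != session_src_ip:
        # The embedded address is not the host that opened the control
        # connection: that is the FTP bounce pattern (RFC 2577). This toy
        # refuses it rather than translating it; the page does not say
        # whether the PIX fixup performs the same check.
        raise ValueError("PORT names %s but session came from %s" % (ip, session_src_ip))
    return "PORT %s\r\n" % encode_hostport(nat_ip, port), (nat_ip, port)


def fixup_pasv_reply(line, server_real_ip, server_nat_ip):
    """Rewrite a server->client 227 reply so the client dials the NAT address."""
    m = PASV_RE.match(line.strip())
    if not m:
        return line, None
    ip, port = decode_hostport(m.group(1))
    if ip != server_real_ip:
        raise ValueError("227 names %s but the server is %s" % (ip, server_real_ip))
    fixed = line.strip().replace(m.group(1), encode_hostport(server_nat_ip, port))
    return fixed + "\r\n", (server_nat_ip, port)


if __name__ == "__main__":
    # Constructed control-channel lines, not a capture from the article.
    cmd = "PORT 10,1,1,24,4,165\r\n"
    out, hole = fixup_port_command(cmd, REAL_CLIENT_IP, NAT_CLIENT_IP)
    print(cmd.strip(), "->", out.strip(), "pinhole", hole)
    reply = "227 Entering Passive Mode (192,168,5,10,195,80)\r\n"
    out, hole = fixup_pasv_reply(reply, "192.168.5.10", "10.3.5.10")
    print(reply.strip(), "->", out.strip(), "pinhole", hole)
```

Run it as a script to see the two rewrites. The point of returning the pinhole alongside the rewritten line is that address rewriting alone is not enough: the firewall also has to let exactly that data connection through, which is why fixup, rather than a permanent wide-open port range, is the right answer.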
- Whenever possible, stick with default ports; the default fixups only apply there.
- When using NAT, evaluate the protocols in use for whether or not they play nicely with NAT, in particular whether they carry addresses or ports inside the application layer.
- Use the fixup protocol command to inspect the application layer and make the relevant corrections, and name the port when the service is not on the default one.
- Remember that not all protocols can be fixed up! Fixup also only works on a control channel it can read: FTP over TLS hides the PORT/PASV exchange from the firewall, so it cannot be fixed up either.
here endeth the lesson 😉