[c-nsp] ACL Filtering for Passive FTP Server..

Howard Leadmon howard at leadmon.net
Thu Dec 13 03:43:06 EST 2007


  OK, I figure I'll toss this out, as looking around I keep seeing configs for
the client end of Passive FTP, so that you can use CBAC or reflexive lists for
FTP access.  Actually, I think Active FTP is straightforward: just allow ports
20 and 21 and life goes on.

 My question comes up with doing Passive FTP.  I know I can just allow ports
greater than 1023 to hit the server and then passive operation will work.  Is
there any easy way to do this without opening ALL of my TCP ports above 1023?

 I was thinking of using CBAC, but I am either doing something wrong, or it's
really designed to inspect the data from the client's side to perform its
dynamic adjustments, not from the server side, as any attempts I made seemed
to blow up.

 Oh, one last twist: whatever I use needs to be applied to a VLAN subinterface,
as I just want to apply it to, say, GigabitEthernet0/1.18, which feeds only the
port that the FTP server is off of on the switch, as I don't want ACLs on the
high-bandwidth inbound GE ports coming at the router.  So I want something that
can be applied on the sub-interface out to that specific server.

 Hopefully the above made sense, I probably shouldn't be debugging stuff like
this at 4am in the morning..   LOL



---
Howard Leadmon 
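The question above contrasts two ways of letting passive FTP through a stateless ACL: permit everything above 1023 towards the server, or permit only the range the server actually hands out in its 227 replies (plus port 21), with CBAC-style inspection as a third, dynamic option. The following Python model is an added example, not code from the original post or from Cisco; it parses the PASV reply format from RFC 959, evaluates a first-match/implicit-deny rule list the way an IOS ACL does, and counts how many server ports each policy leaves reachable. The server address 192.0.2.10, the 50000-50100 passive range and the sample 227 reply are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Extract the data-channel address and port advertised by the server."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a well-formed 227 reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(octet > 255 for octet in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in 227 reply: %r" % reply)
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("227 reply advertises port 0")
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), port


@dataclass(frozen=True)
class Rule:
    """One TCP entry of a stateless ACL: destination host (or 'any') and a port range."""
    dst: str
    lo: int
    hi: int
    permit: bool = True


def evaluate(rules: Iterable[Rule], dst: str, port: int) -> bool:
    """First matching entry wins; no match means deny (implicit deny at the end)."""
    for r in rules:
        if (r.dst == "any" or r.dst == dst) and r.lo <= port <= r.hi:
            return r.permit
    return False


def exposed_ports(rules: Iterable[Rule], dst: str) -> int:
    """Count TCP ports on dst that the rule list lets inbound SYNs reach."""
    rules = list(rules)
    return sum(1 for p in range(1, 65536) if evaluate(rules, dst, p))


def inspected_rules(base_rules: Iterable[Rule], control_replies: Iterable[str]) -> List[Rule]:
    """Model of server-side stateful inspection (what CBAC does on the client side):
    watch the control channel's 227 replies and prepend a single-port permit for
    each advertised data port, so only the negotiated ports ever open."""
    dynamic = []
    for reply in control_replies:
        ip, port = parse_pasv_reply(reply)
        dynamic.append(Rule(ip, port, port))
    return dynamic + list(base_rules)


# Constructed sample values for the example.
SERVER = "192.0.2.10"
CONTROL_ONLY = [Rule(SERVER, 21, 21)]
# Policy 1: control port plus everything above 1023 (the "just open it" option).
WIDE_OPEN = CONTROL_ONLY + [Rule(SERVER, 1024, 65535)]
# Policy 2: control port plus the passive range the server is configured to use.
RESTRICTED = CONTROL_ONLY + [Rule(SERVER, 50000, 50100)]
# A 227 reply for data port 195*256 + 80 = 50000, inside the restricted range.
SAMPLE_227 = "227 Entering Passive Mode (192,0,2,10,195,80)."


if __name__ == "__main__":
    print("wide open:", exposed_ports(WIDE_OPEN, SERVER), "ports reachable")
    print("restricted:", exposed_ports(RESTRICTED, SERVER), "ports reachable")
    ip, port = parse_pasv_reply(SAMPLE_227)
    dyn = inspected_rules(CONTROL_ONLY, [SAMPLE_227])
    print("inspected: data port", port, "permitted:", evaluate(dyn, ip, port),
          "neighbour", port + 1, "permitted:", evaluate(dyn, ip, port + 1))
```

The numbers make the trade-off concrete: the wide-open policy leaves 64513 server ports reachable, the restricted one 102, and the inspection model only the ports actually negotiated. The restricted policy only works if the FTP daemon is pinned to that passive range (most servers expose a setting for this); in IOS ACL syntax the equivalent entry is `permit tcp any host 192.0.2.10 range 50000 50100`, which is a plain extended ACL and so can be applied outbound on the VLAN subinterface towards the server.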



