[c-nsp] ACL Filtering for Passive FTP Server..
John Kougoulos
koug at intracom.gr
Thu Dec 13 05:54:23 EST 2007
If you use CBAC you need to permit only port 21. The rest will be handled
by CBAC. If you use extended-only ACLs (no reflexive, no CBAC) you need to
permit a lot more:

example:

active (port)
  outacl (to server)
    client gt 1023 -> server eq 21
    client gt 1023 -> server eq 20 established
    (assuming that the server always uses port 20 for the ftp-data
    connections)
  inacl (from server)
    server eq 21 -> client gt 1023 established
    server eq 20 -> client gt 1023

passive
  outacl (to server)
    client gt 1023 -> server eq 21
    client gt 1023 -> server gt 1023
    (unless you have a smart ftp server where you can specify the range of
    ports used in passive mode)
  inacl (from server)
    server eq 21 -> client gt 1023 established
    server gt 1023 -> client gt 1023 established
regards,
john
On Thu, 13 Dec 2007, Howard Leadmon wrote:
>
> OK, I figure I'll toss this out, as looking around I keep seeing configs for
> the client end of Passive FTP, so that you can use CBAC or reflexive lists for
> FTP access. Actually I think Active FTP is straightforward, just allow ports
> 20 and 21 and life goes on.
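The rules John lists above, written out as Cisco IOS named extended ACLs, with the CBAC variant he mentions underneath; this is an added example, not part of the original thread. The client LAN (192.0.2.0/24), server address (198.51.100.10), ACL names and interface name are assumptions.

```cisco
! Assumed topology (constructed): client LAN 192.0.2.0/24 behind this router,
! FTP server 198.51.100.10 reached through GigabitEthernet0/1.
!
! --- Option 1: extended ACLs only (no CBAC, no reflexive lists) ---
ip access-list extended FTP-TO-SERVER
 remark control channel: client ephemeral port -> server port 21
 permit tcp 192.0.2.0 0.0.0.255 gt 1023 host 198.51.100.10 eq 21
 remark active mode: client replies to the data connection the server opened from port 20
 permit tcp 192.0.2.0 0.0.0.255 gt 1023 host 198.51.100.10 eq 20 established
 remark passive mode: client opens the data connection to a high port on the server
 remark (if the server pins its passive range, replace "gt 1023" with "range <lo> <hi>")
 permit tcp 192.0.2.0 0.0.0.255 gt 1023 host 198.51.100.10 gt 1023
 deny ip any any log
!
ip access-list extended FTP-FROM-SERVER
 remark control channel replies
 permit tcp host 198.51.100.10 eq 21 192.0.2.0 0.0.0.255 gt 1023 established
 remark active mode: server-initiated data connection from port 20
 permit tcp host 198.51.100.10 eq 20 192.0.2.0 0.0.0.255 gt 1023
 remark passive mode: replies on the server's high data port
 permit tcp host 198.51.100.10 gt 1023 192.0.2.0 0.0.0.255 gt 1023 established
 deny ip any any log
!
interface GigabitEthernet0/1
 description toward FTP server
 ip access-group FTP-TO-SERVER out
 ip access-group FTP-FROM-SERVER in
!
! --- Option 2: CBAC, so only port 21 needs a static permit ---
! (replaces the access-group lines above on the same interface)
! The ftp inspector parses PORT/PASV on the control channel and opens the
! matching data connection dynamically, whichever side initiates it.
ip inspect name FTP-INSPECT ftp
!
ip access-list extended FTP-TO-SERVER-CBAC
 permit tcp 192.0.2.0 0.0.0.255 gt 1023 host 198.51.100.10 eq 21
 deny ip any any log
!
ip access-list extended FTP-FROM-SERVER-CBAC
 remark CBAC inserts the dynamic return entries ahead of this ACL
 deny ip any any log
!
interface GigabitEthernet0/1
 ip access-group FTP-TO-SERVER-CBAC out
 ip access-group FTP-FROM-SERVER-CBAC in
 ip inspect FTP-INSPECT out
```

The `deny ip any any log` lines at the end of each list make it easy to spot, with `show logging`, any FTP data connection the static rules did not anticipate.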