RE: simple access-list question

From: Johnson, Charles (Charles.Johnson@xxxxxxxxxx)
Date: Wed Oct 18 2000 - 07:51:51 GMT-3


   
If the client supports passive-ftp, it is easy: allow both ports out from the client and tcp-established in to the client (or allow both ports FROM the server).

Classic ftp is not that simple. 1) allow traffic from the client TO port 21 on the server (cisco calls port 21 "ftp") and, of course, allow the established packets back TO the client. If you don't like the established key word, you can allow traffic FROM port 21 on the server TO the client. 2) allow traffic FROM port 20 on the server (cisco calls port 20 ftp-data) to the client. And, of course, allow the established packets from the client to get to port 20 (ftp-data) at the server.

So, the answer to your simple question below is yes.

-----Original Message-----
From: z z [mailto:ccie_99@yahoo.com]
Sent: Tuesday, October 17, 2000 9:59 PM
To: ccielab@groupstudy.com
Subject: simple access-list question

A simple question; I just do not have a PC to test it:
> if asked to configure access-list for ftp,
> shall we consider both the ftp-program and ftp-data?
>
> if yes, shall we put the ftp-program (as the
> destination tcp port) on the outbound, and put the
> ftp-data (also destination tcp port?) on the
> inbound?
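To make the two classic-ftp rules from the reply above concrete, here is an IOS extended access-list pair added as an illustration; it is not part of the original thread. It assumes clients on 10.1.1.0/24 behind interface Serial0 and FTP servers anywhere outside; the addresses, interface and ACL names are placeholders.

```cisco
! Added example, not from the thread: named extended ACLs for classic
! (active-mode) FTP. Assumed/constructed: clients live on 10.1.1.0/24
! behind interface Serial0; the FTP servers are "any" on the outside.
!
! Rule 1: control channel, port 21 ("ftp"), opened BY the client
! Rule 2: data channel,   port 20 ("ftp-data"), opened BY the server
!
ip access-list extended FTP-TO-SERVER
 remark client opens the control channel to the server's port 21
 permit tcp 10.1.1.0 0.0.0.255 any eq ftp
 remark client's replies on the data channel go back to server port 20;
 remark "established" matches only segments with ACK or RST set (no SYNs)
 permit tcp 10.1.1.0 0.0.0.255 any eq ftp-data established
 deny   ip any any log
!
ip access-list extended FTP-FROM-SERVER
 remark control-channel replies: FROM port 21 back TO the client
 permit tcp any eq ftp 10.1.1.0 0.0.0.255 established
 remark the server initiates the data channel FROM port 20 with a SYN,
 remark so "established" cannot be used here. Limit the destination to
 remark the high (PORT-command) range so a source port of 20 does not
 remark become a way to reach every port on every client.
 permit tcp any eq ftp-data 10.1.1.0 0.0.0.255 gt 1023
 deny   ip any any log
!
interface Serial0
 ip access-group FTP-FROM-SERVER in
 ip access-group FTP-TO-SERVER out
!
! Passive FTP (the "easy" case in the reply): the client opens BOTH the
! control channel and the data channel, so the inbound side needs only
! "permit tcp any 10.1.1.0 0.0.0.255 established".
```

The `deny ip any any log` lines are there so that anything outside the two FTP flows shows up in the log rather than silently matching the implicit deny.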



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:25:27 GMT-3