RE: simple access-list question

From: Johnson, Charles (Charles.Johnson@xxxxxxxxxx)
Date: Wed Oct 18 2000 - 11:25:08 GMT-3


A client opens a TCP connection to port 21 on the ftp server and uses it to log in. To move a file (a list of a directory or a get/put of a file), another TCP connection is needed. That second TCP connection is initiated FROM the server with a source port of 20 (ftp-data) TO a high port on the client. So, yes, both well-known ports 21 & 20 are used on the server end and the client uses two or more random high ports. I say more than two ports because that second TCP connection is not always persistent. If you transfer three different files, you might get three different TCP connections, all from port 20 on the server, but each to a different port on the client.

So, the answer to this simple question is also "yes".

Charles
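As an added example (not code from the thread), the classic-ftp access-list described in the quoted message below, modelled in Python and evaluated against a constructed active-FTP trace; the addresses and port numbers are assumed, and the Cisco-style lines in the comments are for reference only. It also shows the point made above: each extra transfer opens a new connection from server port 20 to a different client high port, while a passive-mode data SYN (client high port to server high port) is not covered by these rules.

```python
from collections import namedtuple

SERVER = "10.0.0.5"     # constructed address of the FTP server
CLIENT = "192.168.1.9"  # constructed address of the FTP client

# One TCP packet; ack=True means the ACK bit is set, standing in for "established".
Packet = namedtuple("Packet", "src sport dst dport ack")

# Rules modelled on the quoted message; first match wins, implicit deny at the
# end. A port of None means "any port above 1023". Cisco-style equivalent
# (assumed wording, for reference only):
#   permit tcp host CLIENT gt 1023 host SERVER eq 21
#   permit tcp host SERVER eq 21 host CLIENT gt 1023 established
#   permit tcp host SERVER eq 20 host CLIENT gt 1023
#   permit tcp host CLIENT gt 1023 host SERVER eq 20 established
CLASSIC_FTP_ACL = [
    (CLIENT, None, SERVER, 21, False),  # 1) client to "ftp" on the server
    (SERVER, 21, CLIENT, None, True),   #    replies to the client, established
    (SERVER, 20, CLIENT, None, False),  # 2) "ftp-data" opened FROM the server
    (CLIENT, None, SERVER, 20, True),   #    client's established replies
]

def port_ok(rule_port, port):
    return port > 1023 if rule_port is None else port == rule_port

def permitted(pkt, acl=CLASSIC_FTP_ACL):
    for src, sport, dst, dport, established in acl:
        if (pkt.src, pkt.dst) != (src, dst):
            continue
        if not (port_ok(sport, pkt.sport) and port_ok(dport, pkt.dport)):
            continue
        if established and not pkt.ack:
            continue  # a bare SYN never matches an "established" rule
        return True
    return False

def active_session(transfers=1):
    """Constructed trace: log in on port 21, then one server-initiated data
    connection per transfer, each from port 20 to a fresh client high port."""
    pkts = [Packet(CLIENT, 40001, SERVER, 21, False),  # client SYN to ftp
            Packet(SERVER, 21, CLIENT, 40001, True),   # server SYN/ACK back
            Packet(CLIENT, 40001, SERVER, 21, True)]   # login continues
    for n in range(transfers):
        pkts.append(Packet(SERVER, 20, CLIENT, 40002 + n, False))  # data SYN
        pkts.append(Packet(CLIENT, 40002 + n, SERVER, 20, True))   # client's ACK
    return pkts

def verdicts(packets, acl=CLASSIC_FTP_ACL):
    return [permitted(p, acl) for p in packets]
```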

-----Original Message-----
From: z z [mailto:ccie_99@yahoo.com]
Sent: Wednesday, October 18, 2000 8:08 AM
To: ccielab@groupstudy.com
Subject: RE: simple access-list question

Hi Johnson

In case two, you mean both the ftp-program and ftp-data ports are on the server?
I thought the ftp-data port is on the client.

thanks

-----Original Message-----
From: Johnson, Charles
To: 'z z'; ccielab@groupstudy.com
Sent: 18/10/2000 6:51 PM
Subject: RE: simple access-list question

If the client supports passive-ftp, it is easy: allow both ports out from the client and tcp-established in to the client (or allow both ports FROM the server).

Classic ftp is not that simple. 1) Allow traffic from the client TO port 21 on the server (Cisco calls port 21 "ftp") and, of course, allow the established packets back TO the client. If you don't like the established keyword, you can allow traffic FROM port 21 on the server TO the client. 2) Allow traffic FROM port 20 on the server (Cisco calls port 20 "ftp-data") to the client and, of course, allow the established packets from the client to get to port 20 (ftp-data) at the server.

So, the answer to your simple question below is yes.

-----Original Message-----
From: z z [mailto:ccie_99@yahoo.com]
Sent: Tuesday, October 17, 2000 9:59 PM
To: ccielab@groupstudy.com
Subject: simple access-list question

A simple question. I just do not have a PC to test it:
> If asked to configure an access-list for ftp,
> shall we consider both the ftp-program and ftp-data?
>
> If yes, shall we put the ftp-program (as the
> destination tcp port) on the outbound, and put the
> ftp-data (also destination tcp port?) on the
> inbound?



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:25:27 GMT-3