ftp and ftp-data in access-lists

From: Connary, Julie Ann (jconnary@xxxxxxxxx)
Date: Fri Jan 12 2001 - 11:35:40 GMT-3

Hi All,

In most of the labs I have been working on, the solutions only use
ftp in their access-lists to permit ftp. They do not permit ftp-data. The same
goes when doing custom queue-lists:

access-list 101 permit tcp any any eq ftp
queue-list 1 protocol ip 1 tcp ftp

I understand that if you are going to deny ftp, denying the control session is
enough.
But why do the permit lists never permit ftp-data? Am I missing something
here in the evolution of FTP?

And when you use the ? help in IOS, it says that ftp-data is used infrequently:

r5(config)#access-list 105 permit tcp any any eq ?
   <0-65535> Port number
   bgp Border Gateway Protocol (179)
   chargen Character generator (19)
   cmd Remote commands (rcmd, 514)
   daytime Daytime (13)
   discard Discard (9)
   domain Domain Name Service (53)
   echo Echo (7)
   exec Exec (rsh, 512)
   finger Finger (79)
   ftp File Transfer Protocol (21)
   ftp-data FTP data connections (used infrequently, 20)
   gopher Gopher (70)
   hostname NIC hostname server (101)
   ident Ident Protocol (113)
   irc Internet Relay Chat (194)
   klogin Kerberos login (543)
   kshell Kerberos shell (544)
   login Login (rlogin, 513)
   lpd Printer service (515)
   nntp Network News Transport Protocol (119)
   pim-auto-rp PIM Auto-RP (496)

Am I missing something here in the evolution of FTP?

Julie Ann
------------------------------------------------------------------------
Julie Ann Connary
Network Consulting Engineer, Federal Support Program
Cisco Systems
13635 Dulles Technology Drive, Herndon VA 20171
Pager: 1-888-642-0551
Email: jconnary@cisco.com
------------------------------------------------------------------------
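The following is an added example, not part of the original post or of any Cisco lab material. It walks a constructed FTP control session (RFC 959 PORT and PASV exchanges, documentation addresses from RFC 5737, an assumed client ephemeral port range) and derives the TCP connections the session opens, then checks each one against port-based ACL entries of the kind quoted above. The point it makes: `eq ftp` (21) only ever matches the control connection; an active-mode data connection is opened by the server from source port 20 towards an ephemeral client port, so it is matched only by an entry on the return path written against the source port (`permit tcp any eq ftp-data any`); and a passive-mode data connection uses ephemeral ports on both ends, so no `eq 20` or `eq 21` entry matches it at all. A source-port-20 permit is also trivially spoofable, which is why stateful inspection (IOS `ip inspect ... ftp`) rather than a static ftp-data entry is the usual way to admit the data channel.

```python
"""Derive the TCP connections an FTP control session opens and check which of
them simple port-based ACL entries match. Added example; the transcript,
addresses and the client's ephemeral port range are constructed/assumed."""
import re
from dataclasses import dataclass
from typing import List, Optional

CLIENT_IP = "192.0.2.10"       # RFC 5737 documentation address (assumed)
SERVER_IP = "198.51.100.5"     # RFC 5737 documentation address (assumed)
ASSUMED_EPHEMERAL = 50000      # first ephemeral port the client is assumed to use

# Constructed control session: one active-mode (PORT) and one passive-mode (PASV) transfer.
TRANSCRIPT = """\
C: USER anonymous
S: 331 Please specify the password.
C: PASS guest@
S: 230 Login successful.
C: PORT 192,0,2,10,195,88
S: 200 PORT command successful.
C: RETR file1.txt
S: 150 Opening BINARY mode data connection.
S: 226 Transfer complete.
C: PASV
S: 227 Entering Passive Mode (198,51,100,5,200,34).
C: RETR file2.txt
S: 150 Opening BINARY mode data connection.
S: 226 Transfer complete.
C: QUIT
S: 221 Goodbye.
"""


@dataclass(frozen=True)
class Flow:
    kind: str        # "control", "active-data" or "passive-data"
    src_ip: str      # side that sends the SYN
    src_port: int
    dst_ip: str
    dst_port: int


def parse_hostport(text: str):
    """Decode the RFC 959 'h1,h2,h3,h4,p1,p2' form used by PORT and 227 replies."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    h1, h2, h3, h4, p1, p2 = nums[-6:]
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def ftp_flows(transcript: str, client_ip: str, server_ip: str,
              ephemeral_start: int = ASSUMED_EPHEMERAL) -> List[Flow]:
    """Return the control connection plus every data connection the session opens."""
    next_eph = ephemeral_start
    flows = [Flow("control", client_ip, next_eph, server_ip, 21)]
    next_eph += 1
    pending_active = None    # (ip, port) the client announced in PORT
    pending_passive = None   # (ip, port) the server announced in a 227 reply
    for line in transcript.splitlines():
        who, _, msg = line.partition(": ")
        if who == "C":
            verb, _, arg = msg.partition(" ")
            verb = verb.upper()
            if verb == "PORT":
                pending_active, pending_passive = parse_hostport(arg), None
            elif verb in ("RETR", "STOR", "LIST", "NLST"):
                if pending_active:
                    # Active mode: the SERVER connects, from port 20, to the client's announced port.
                    ip, port = pending_active
                    flows.append(Flow("active-data", server_ip, 20, ip, port))
                elif pending_passive:
                    # Passive mode: the CLIENT connects, from an ephemeral port, to the server's announced port.
                    ip, port = pending_passive
                    flows.append(Flow("passive-data", client_ip, next_eph, ip, port))
                    next_eph += 1
                # RFC 959 default (transfer with no PORT/PASV) is not modelled here.
                pending_active = pending_passive = None
        elif who == "S" and msg.startswith("227"):
            pending_passive, pending_active = parse_hostport(msg), None
    return flows


@dataclass(frozen=True)
class AclEntry:
    """One `permit tcp any [eq SRC] any [eq DST]` line; None means any port.
    Matching is done against the SYN of each connection, i.e. the packet an
    interface ACL on that packet's path would see."""
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return ((self.src_port is None or f.src_port == self.src_port) and
                (self.dst_port is None or f.dst_port == self.dst_port))


def permitted(acl: List[AclEntry], f: Flow) -> bool:
    """First-match permit; anything unmatched hits the implicit deny."""
    return any(e.matches(f) for e in acl)


ACL_FTP_ONLY = [AclEntry(dst_port=21)]                         # permit tcp any any eq ftp
ACL_FTP_DATA_DST = ACL_FTP_ONLY + [AclEntry(dst_port=20)]      # ... plus permit tcp any any eq ftp-data
ACL_FTP_DATA_SRC = ACL_FTP_ONLY + [AclEntry(src_port=20)]      # ... plus permit tcp any eq ftp-data any


def report(acl: List[AclEntry], flows: List[Flow]) -> dict:
    return {f.kind: permitted(acl, f) for f in flows}


if __name__ == "__main__":
    flows = ftp_flows(TRANSCRIPT, CLIENT_IP, SERVER_IP)
    for f in flows:
        print(f"{f.kind:13} {f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port}")
    for name, acl in (("eq ftp only", ACL_FTP_ONLY),
                      ("+ eq ftp-data as dst", ACL_FTP_DATA_DST),
                      ("+ eq ftp-data as src", ACL_FTP_DATA_SRC)):
        print(f"{name:22} {report(acl, flows)}")
```

Running it shows the active-mode data connection as 198.51.100.5:20 -> 192.0.2.10:50008 and the passive one as 192.0.2.10:50001 -> 198.51.100.5:51234; only the source-port form of the ftp-data entry admits the former, and nothing static admits the latter.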



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:27:28 GMT-3