RE: Access-list question

From: Mas Kato (tealp729@xxxxxxxx)
Date: Wed May 09 2001 - 17:42:26 GMT-3


   
For passive-mode FTP, I believe the second line in the ACL should have
the source and destination ports reversed.

As I understand it, passive-mode works like this: The FTP client
initiates a control channel connection from a port > 1023 to the
server's FTP port (21) and then sends a PASV command. The server
responds with the port to use as a target for the data channel. The
client then initiates a data channel connection from port 20 (ftp-data)
to the port specified by the server.

Since both connections are initiated by the client, a reflexive ACL
would work.

The reason active-mode FTP breaks reflexive ACLs is: After the client
initiates the control channel connection, the client sends a PORT
command with the target port it wants the server to use. Since the
target port is embedded in the data, a reflexive ACL isn't built, so the
inbound data channel connection from the server to the target port
fails.

A basic firewall (say, CBAC) would snoop the PORT command on its way out
and reflexively build an inbound ACL for the data channel.

Regards,

Mas
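
The behaviour described above, as an added example that is not part of the original thread and is not Cisco code: a small Python model of a reflexive ACL (outbound SYNs create mirrored inbound entries) with an optional PORT-command fixup standing in for the CBAC-style inspection mentioned. The addresses, ports and FTP replies are constructed for the walkthrough. In the passive flow the client originates both the control and the data connection (the data connection from a second ephemeral port in this model), so mirrored entries exist for both; in the active flow the server opens the data connection from ftp-data (20) and nothing has reflected it, so it is denied unless the PORT command was parsed on the way out.

```python
import re
from dataclasses import dataclass, field

# Constructed addresses for the walkthrough (not from the original thread).
CLIENT = "10.10.10.1"     # the host on the local subnet
SERVER = "199.200.1.5"    # an assumed FTP server in 199.200.1.0/24


@dataclass(frozen=True)
class Pkt:
    """A TCP segment as the router sees it (only the fields an ACL cares about)."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False        # True for the first segment of a new connection
    payload: bytes = b""     # FTP control-channel text, used only by the PORT fixup


@dataclass
class ReflexiveAcl:
    """Toy model of a reflexive ACL: outbound SYNs create mirrored inbound entries.

    With inspect_port=True it also behaves like a CBAC-style FTP fixup: it reads
    the PORT command out of the control channel and pre-opens the data channel.
    """
    inspect_port: bool = False
    entries: set = field(default_factory=set)   # (src, sport, dst, dport) permitted inbound
    log: list = field(default_factory=list)

    def outbound(self, p: Pkt) -> bool:
        """Traffic from the trusted side: always permitted, and reflected on SYN."""
        if p.syn:
            self.entries.add((p.dst, p.dport, p.src, p.sport))
        m = re.match(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", p.payload)
        if self.inspect_port and m:
            a, b, c, d, hi, lo = map(int, m.groups())
            # The server will connect from ftp-data (20) to the address/port the client announced.
            self.entries.add((p.dst, 20, f"{a}.{b}.{c}.{d}", hi * 256 + lo))
        self.log.append(f"out {p.src}:{p.sport} -> {p.dst}:{p.dport} permit")
        return True

    def inbound(self, p: Pkt) -> bool:
        """Traffic toward the trusted side: permitted only if a reflected entry matches."""
        ok = (p.src, p.sport, p.dst, p.dport) in self.entries
        self.log.append(f"in  {p.src}:{p.sport} -> {p.dst}:{p.dport} {'permit' if ok else 'deny'}")
        return ok


def passive_ftp(fw: ReflexiveAcl) -> bool:
    """PASV: both the control and the data connection originate from the client."""
    fw.outbound(Pkt(CLIENT, 40001, SERVER, 21, syn=True))          # control channel
    fw.inbound(Pkt(SERVER, 21, CLIENT, 40001))                     # server replies on it
    fw.outbound(Pkt(CLIENT, 40001, SERVER, 21, payload=b"PASV\r\n"))
    # Server answers with the port to connect to: 195*256 + 80 = 50000
    fw.inbound(Pkt(SERVER, 21, CLIENT, 40001,
                   payload=b"227 Entering Passive Mode (199,200,1,5,195,80)\r\n"))
    fw.outbound(Pkt(CLIENT, 40002, SERVER, 50000, syn=True))       # client opens data channel
    return fw.inbound(Pkt(SERVER, 50000, CLIENT, 40002))           # server's reply on it


def active_ftp(fw: ReflexiveAcl) -> bool:
    """PORT: the server originates the data connection, from ftp-data (20)."""
    fw.outbound(Pkt(CLIENT, 40001, SERVER, 21, syn=True))
    fw.inbound(Pkt(SERVER, 21, CLIENT, 40001))
    # Client asks the server to connect to 10.10.10.1 port 156*256 + 67 = 40003
    fw.outbound(Pkt(CLIENT, 40001, SERVER, 21, payload=b"PORT 10,10,10,1,156,67\r\n"))
    return fw.inbound(Pkt(SERVER, 20, CLIENT, 40003, syn=True))    # server-initiated data SYN


if __name__ == "__main__":
    for name, flow, fw in [
        ("passive, reflexive ACL", passive_ftp, ReflexiveAcl()),
        ("active, reflexive ACL", active_ftp, ReflexiveAcl()),
        ("active, PORT-inspecting firewall", active_ftp, ReflexiveAcl(inspect_port=True)),
    ]:
        result = flow(fw)
        print(f"{name}: data channel {'permitted' if result else 'denied'}")
        for line in fw.log:
            print("   ", line)
```

Run it and the log shows the one inbound segment that differs between the three cases: the server's SYN from port 20 to the PORT-announced port, which only the inspecting variant has an entry for.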

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Shane Miles
Sent: Wednesday, May 09, 2001 6:52 AM
To: ccielab@groupstudy.com
Subject: RE: Access-list question

To cover yourself for passive mode wouldn't you need to add a second line?

access-list 102 permit tcp host 10.10.10.1 gt 1023 199.200.1.0 0.0.0.255 eq ftp
access-list 102 permit tcp host 10.10.10.1 eq ftp-data 199.200.1.0 0.0.0.255 gt 1023

-----Original Message-----
From: Mas Kato [mailto:tealp729@home.com]
Sent: Tuesday, May 08, 2001 12:28 AM
To: adiment@uswest.com; ccielab@groupstudy.com
Subject: RE: Access-list question

Unfortunately, reflexive ACLs break non-passive FTP and it also sounds
like he may be limited to an inbound ACL only (reflexive would require
both in and out).

Johnny,

The keyword 'established' looks for the ACK or RST flags in the TCP
header, so I don't think it would be appropriate in this case. Aside
from that, the ACL looks fine for restricting the initiation of FTP to
that single host on that one interface.

Regards,

Mas

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
adiment@uswest.com
Sent: Monday, May 07, 2001 2:46 PM
To: ccielab@groupstudy.com
Subject: RE: Access-list question

This would be a good one to use a reflexive access list.

-----Original Message-----
From: Johnny Dedon [mailto:johnny.dedon@exodus.net]
Sent: Monday, May 07, 2001 4:24 PM
To: Groupstudy
Subject: Access-list question

If I am asked to only permit ftp sessions if established from a local subnet
and I must use an inbound access-list on that local interface, what would it
look like?

something like this?
access-list 102 permit tcp host 10.10.10.1 gt 1023 199.200.1.0 0.0.0.255 eq ftp established

Remember the question is inbound on the local interface, not inbound on the
internet side.

Johnny Dedon
Senior Staff Consultant
Exodus Professional Services
johnny.dedon@exodus.net
www.exodus.net
**Please read:http://www.groupstudy.com/list/posting.html



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:30:37 GMT-3