From: Jonathan Hays (jhays@xxxxxxxx)
Date: Mon May 13 2002 - 15:15:36 GMT-3
Hi,
Whether or not "eq ftp-data" is necessary depends on what you are
trying to accomplish. (Since all of us don't have the book (I don't
believe it is a requirement of this mailing list <g>) it would be
helpful to post the goal of that configuration.)
The access list as given will allow clients to access an ftp server on
the Cisco LAN in PASSIVE mode only. It will not allow ACTIVE mode access
to the server.
Here's why - in detail.
I assume that "access-group allow-ftp-in IN" is configured on the
interface, applying the access list to incoming packets from ftp clients
on 132.31.5.16/28 who are trying to access the ftp server (150.10.1.10)
on the LAN connected to the Cisco router. Let's use 132.31.5.17 as the
client.
Ftp works differently depending on whether the user's ftp client is
doing ACTIVE ftp (this is usually what is done at the command prompt) or
PASSIVE ftp (normal mode for web browsers).
ACTIVE FTP
Step 1. The ftp client (132.31.5.17) executes an ftp OPEN from a TCP
port gt 1023 (known as an "ephemeral" port) to 150.10.1.10 TCP port 21
by sending a SYN. Here I arbitrarily use TCP port 1427 as the client
source port. A packet arrives on the router interface that looks like
this:
Source: 132.31.6.17 port 1427 - SYN
Destination: 150.10.1.10 port 21 (Cisco keyword "ftp")
The first access list line will let that packet through to the ftp
server. Since no ports are specified for the source address then all
ports are permitted.
permit tcp 132.31.5.16 0.0.0.15 host 150.10.1.10 eq ftp
Since we do not need the "established" keyword we really don't care
about the SYN or RST bits, but I include the SYN above to remind us of
the state of the TCP 3-way handshake.
Step 2. The ftp server responds with SYN+ACK but we are not filtering
outgoing packets from our router - no problem here but here's the
address/port pair for reference:
Source: 150.10.1.10 port 21
Destination: 132.31.6.17 port 1427 - SYN+ACK
Step 3. Next, the ftp client sends an ACK to 150.10.1.10 TCP port 21:
Source: 132.31.6.17 port 1427 - ACK
Destination: 150.10.1.10 port 21
Again this matches the first ACL entry and we have a TCP connection
established. Any ftp commands issued from the client that do NOT require
a data connection will be permitted through the access list. We could
have been a bit more specific by adding a restriction for the client's
ephemeral port number ( gt 1023) with:
permit tcp 132.31.5.16 0.0.0.15 gt 1023 host 150.10.1.10 eq ftp
but a restriction like this doesn't buy us much - it just helps remind
us of what we are doing when we come back a year later for maintenance
work on the access list.
Step 4. Next, the user types an ftp command that requires the data
channel, such as "ftp> get file" or "ftp> dir" (a directory listing DOES
require the data channel). Before the data connection can be opened the
ftp client must issue a PORT command.
This PORT command is sent to the ftp server on the control channel
(we're still on port 21) telling the server to open an ftp data channel
to a specific client ephemeral port number (gt 1023). This port number
is included in the PORT command packet to the server. A shorter way of
saying this is the client says "hey ftp server, open a data channel to
my client using port xxxx."
What I described above is ACTIVE mode. In PASSIVE mode the client won't
allow the server to open any connections, but we'll get to that below.
Let's say the client PORT command says "use port 1428 for the data
channel."
Source: 132.31.6.17 port 1427 - PORT ("use port 1428")
Destination: 150.10.1.10 port 21
Step 5. So the ftp server (150.10.1.10) issues a TCP open (SYN) from
TCP port 20 to the client (132.31.5.17) TCP port 1428. Again, no access
list is needed for this since it is outgoing from our LAN.
Source: 150.10.1.10 port 20
Destination: 132.31.6.17 port 1428 - SYN
Step 6. The client replies with a SYN+ACK
Source: 132.31.6.17 port 1428
Destination: 150.10.1.10 port 20 - SYN+ACK
Do we need an access list entry for this? Yes we do. Here's a packet
addressed to TCP port 20 on our ftp server. But the second access-list
statement you copied from the Cisco book will NOT allow this packet to
pass since the destination port number must be greater than 1023:
permit tcp 132.31.5.16 0.0.0.15 host 150.10.1.10 gt 1023
ACTIVE ftp packets destined to the ftp server TCP port 20 will be denied
and dropped. This access list is good for PASSIVE ftp but fails to allow
ACTIVE ftp sessions to the ftp server.
To allow ACTIVE ftp sessions the correct access list entry would be:
permit tcp 132.31.5.16 0.0.0.15 host 150.10.1.10 eq ftp-data
where the "ftp-data" keyword is equivalent to "20" (TCP port 20).
= = = = = =
So how does this PASSIVE mode work?
In Step 4 above, the ftp client issues the "PASV" command which tells
the ftp server that the client is using PASSIVE mode. It also tells the
server to give the client a particular ephemeral port number so that it
(the client) can open the data channel connection. In PASSIVE mode the
client will not allow the server to perform a TCP open to the client.
The client tells the server "hey server, give me a port number so I can
open a data channel connection."
Source: 132.31.6.17 port 1427 - PASV (what port?)
Destination: 150.10.1.10 port 21
Note that the client's packet is still addressed to the control channel
port number, so the first access list permits this packet.
Step 5. In PASSIVE mode the ftp server replies with an ephemeral port.
Let's use 3654.
Source: 150.10.1.10 port 21 - use port 3654
Destination: 132.31.6.17 port 1427
This is outgoing from our router - no ACL needed.
Step 6. The client issues a TCP open to TCP port 3654 on the ftp server,
to open the ftp data channel. The client may or may not use a different
ephemeral source port for the data connection, depending on the
implementation. This is a side issue that does not affect our access
list study, but just to avoid confusion, I'll use 1428 for the client's
ftp data channel TCP port number.
Source: 132.31.6.17 port 1428 - SYN
Destination: 150.10.1.10 port 3654
Do we need an access list entry for this incoming packet? Yes we do.
This time the second access-list statement you copied from the Cisco
book WILL allow this packet and all subsequent packets addressed to TCP
port 3654 to pass:
permit tcp 132.31.5.16 0.0.0.15 host 150.10.1.10 gt 1023
We need go no further with the steps to know that all PASSIVE ftp
traffic will pass on this TCP connection.
HTH,
Jonathan
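To replay the walkthrough above, here is a small Python evaluator for the extended ACL entries discussed in this thread (an added example, not code from the thread or from Cisco). It models first-match "permit tcp" entries with wildcard masks and the eq/gt/lt port operators, assumes contiguous wildcard masks, and uses the client address the reply defines, 132.31.5.17.

```python
import ipaddress

# Constructed example: a minimal evaluator for the Cisco-style extended ACL
# entries in the thread. Only "permit tcp <src> <wildcard>|host <ip> [eq|gt|lt port]
# <dst> ... [eq|gt|lt port]" forms are modelled; wildcard masks are assumed contiguous.
PORT_NAMES = {"ftp": 21, "ftp-data": 20}

def _addr(tokens, i):
    """Return (network, next_index) for 'host X' or 'X WILDCARD'."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    prefix = 32 - wildcard.bit_length()          # 0.0.0.15 -> /28
    return ipaddress.ip_network(f"{tokens[i]}/{prefix}", strict=False), i + 2

def _port_cond(tokens, i):
    """Return (predicate, next_index); no operator means any port matches."""
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt"):
        op, n = tokens[i], PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        preds = {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}
        return preds[op], i + 2
    return (lambda p: True), i

def parse_ace(line):
    t = line.split()
    assert t[:2] == ["permit", "tcp"], "only 'permit tcp' entries are modelled"
    src, i = _addr(t, 2)
    sport, i = _port_cond(t, i)
    dst, i = _addr(t, i)
    dport, i = _port_cond(t, i)
    return src, sport, dst, dport

def acl_permits(acl, src_ip, src_port, dst_ip, dst_port):
    """First matching entry wins; the implicit 'deny any' at the end drops the rest."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src, sport, dst, dport in map(parse_ace, acl):
        if s in src and sport(src_port) and d in dst and dport(dst_port):
            return True
    return False

BOOK_ACL = ["permit tcp 132.31.5.16 0.0.0.15 host 150.10.1.10 eq ftp",
            "permit tcp 132.31.5.16 0.0.0.15 host 150.10.1.10 gt 1023"]
FIXED_ACL = BOOK_ACL + ["permit tcp 132.31.5.16 0.0.0.15 host 150.10.1.10 eq ftp-data"]

# Inbound packets from the walkthrough: control channel (step 1), ACTIVE data
# reply to server port 20 (step 6) and PASSIVE data open to port 3654 (step 6).
PACKETS = {"control": ("132.31.5.17", 1427, "150.10.1.10", 21),
           "active": ("132.31.5.17", 1428, "150.10.1.10", 20),
           "passive": ("132.31.5.17", 1428, "150.10.1.10", 3654)}

def trace(acl):
    return {name: acl_permits(acl, *pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    print("book ACL :", trace(BOOK_ACL))    # active data connection is dropped
    print("fixed ACL:", trace(FIXED_ACL))   # all three pass
```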
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
li jian hua
Sent: Monday, May 13, 2002 12:16 AM
To: ccielab@groupstudy.com
Subject: use access-list to control ftp
Hi group,
Page 1025 of CCIE practical studies uses the following to control Ftp:
ip access-list extended allow-ftp-in
permit tcp 132.31.5.16 0.0.0.15 host 150.10.1.10 eq ftp
permit tcp 132.31.5.16 0.0.0.15 host 150.10.1.10 gt 1023
And the page says using "eq ftp-data" is wrong.
Please confirm.
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:58:55 GMT-3