From: Jonathan V Hays (jhays@jtan.com)
Date: Sun Aug 24 2003 - 13:58:22 GMT-3
Summary of FTP Connections
Active FTP:
===========
  CLIENT
    Control Channel:
      Client TCP Port: gt 1023
      Initiates TCP connection to server
    Data Channel:
      Client TCP Port: gt 1023
      Sends PORT cmd to server (e.g., "use port 1428")
    Client inbound ACLs:
      permit host serv-IP eq 21 lan-IP gt 1023 established
      permit host serv-IP eq 20 lan-IP gt 1023

  SERVER
    Control Channel:
      Server TCP Port: 21
    Data Channel:
      Server TCP Port: 20
      Initiates TCP connection to client port (e.g., port 1428)
    Server inbound ACLs:
      permit lan-IP gt 1023 host serv-IP eq 21
      permit lan-IP gt 1023 host serv-IP eq 20 established

Passive FTP:
============
  CLIENT
    Control Channel: (same as Active FTP)
      Client TCP Port: gt 1023
      Initiates TCP connection to server
    Data Channel:
      Client TCP Port: gt 1023
      Sends PASV cmd to server (e.g., "what port should I use?")
      After it gets the port number, the client initiates the TCP connection to the server
    Client inbound ACLs:
      permit host serv-IP eq 21 lan-IP gt 1023 established
      permit host serv-IP gt 1024 lan-IP gt 1023 established

  SERVER
    Control Channel: (same as Active FTP)
      Server TCP Port: 21
    Data Channel:
      Server TCP Port: gt 1023
      Replies with port to use (e.g., "use port 3654")
    Server inbound ACLs:
      permit lan-IP gt 1023 host serv-IP eq 21
      permit lan-IP gt 1023 host serv-IP gt 1023
The ACLs shown can be loosened up if desired.
As an exercise, write the ACLs on both client and server for OUTBOUND
traffic.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Alec
Sent: Sunday, August 24, 2003 11:40 AM
To: 'Ccielab@Groupstudy. Com'
Subject: ACL for FTP
Hi group,
To restrict FTP traffic, besides port 21, do I need to explicitly allow
another port range for the FTP DATA streams?
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any gt 1023 <=== required ?

int e0
 ip access-group 101 in
regards,
alec
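As an added illustration of the summary above (example code, not part of either post), the following evaluates the shorthand ACL lines from the summary against the packets that arrive inbound at the client in each FTP mode. The addresses for serv-IP and lan-IP and the ephemeral port numbers are constructed sample values, and the "established" keyword is modelled as a check on the ACK bit.

```python
NAMES = {"serv-IP": "192.0.2.10", "lan-IP": "10.0.0.5"}  # constructed sample addresses

def parse_entry(line, names=NAMES):
    """Parse 'permit [host] A [eq|gt N] [host] B [eq|gt N] [established]'."""
    toks = line.split()
    pos = 1  # toks[0] is "permit"
    def term():
        nonlocal pos
        if toks[pos] == "host":
            pos += 1
        ip, pos = names.get(toks[pos], toks[pos]), pos + 1
        op, port = "any", 0
        if pos < len(toks) and toks[pos] in ("eq", "gt"):
            op, port, pos = toks[pos], int(toks[pos + 1]), pos + 2
        return ip, op, port
    src, dst = term(), term()
    return src, dst, pos < len(toks) and toks[pos] == "established"

def _port_ok(spec, port):
    return spec[1] == "any" or (spec[1] == "eq" and port == spec[2]) or (spec[1] == "gt" and port > spec[2])

def permitted(acl, src, sport, dst, dport, ack):
    """First match wins, implicit deny at the end (IOS extended-ACL style).
    'ack' models the ACK bit that the 'established' keyword tests."""
    for s, d, est in (parse_entry(line) for line in acl):
        if (s[0] == src and d[0] == dst and _port_ok(s, sport)
                and _port_ok(d, dport) and (ack or not est)):
            return True
    return False

CLIENT_IN_ACTIVE = [
    "permit host serv-IP eq 21 lan-IP gt 1023 established",
    "permit host serv-IP eq 20 lan-IP gt 1023",
]
CLIENT_IN_PASSIVE = [
    "permit host serv-IP eq 21 lan-IP gt 1023 established",
    "permit host serv-IP gt 1024 lan-IP gt 1023 established",
]
SERV, LAN = NAMES["serv-IP"], NAMES["lan-IP"]

def client_inbound_results():
    """Which packets arriving at the client each ACL lets through (ports constructed)."""
    return {
        "active_ctrl_reply": permitted(CLIENT_IN_ACTIVE, SERV, 21, LAN, 1427, True),      # control reply, ACK set
        "active_data_syn": permitted(CLIENT_IN_ACTIVE, SERV, 20, LAN, 1428, False),       # server opens data channel from 20
        "passive_data_reply": permitted(CLIENT_IN_PASSIVE, SERV, 3654, LAN, 1429, True),  # reply on negotiated port
        "passive_data_syn": permitted(CLIENT_IN_PASSIVE, SERV, 3654, LAN, 1429, False),   # unsolicited SYN, still dropped
        "passive_reply_vs_active_acl": permitted(CLIENT_IN_ACTIVE, SERV, 3654, LAN, 1429, True),  # why the gt-1023 line is needed
    }
```

The last entry shows what Alec's question is getting at: with only the port-21 and port-20 entries, passive-mode data replies from a high server port never match and fall through to the implicit deny.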
This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:54:05 GMT-3