From: Alec (clapun@graduate.hku.hk)
Date: Mon Aug 25 2003 - 13:00:59 GMT-3
Let me give it a try, please comment.
Active FTP
Client outbound ACLs:
permit host lan-IP gt 1023 serv-IP eq 21
permit host lan-IP gt 1023 serv-IP eq 20 established
Server outbound ACLs
permit host serv-IP eq 21 lan-IP gt 1023 established
permit host serv-IP eq 20 lan-IP gt 1023
Passive FTP
Client outbound ACLs:
permit host lan-IP gt 1023 serv-IP eq 21
permit host lan-IP gt 1023 serv-IP gt 1023
Server outbound ACLs
permit host serv-IP eq 21 lan-IP gt 1023 established
permit host serv-IP gt 1023 lan-IP gt 1023 established
regards,
alec
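An added example (my own code, not from either post in this thread): it models the client-side ACLs discussed above as a small first-match filter and replays a constructed active and a constructed passive FTP session through them, showing why each pair of rules fits only its own mode. The host labels lan/serv, the port numbers, the spelling of every range as gt 1023, and the modelling of "established" as "refuses a bare SYN, admits segments with ACK set" are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool  # True = fresh SYN (new connection), False = ACK set (reply traffic)

@dataclass(frozen=True)
class Rule:  # one "permit tcp host A <op> host B <op> [established]" line, in shorthand
    src: str
    sport: str
    dst: str
    dport: str
    established: bool = False

def port_match(spec, port):
    op, val = spec.split()
    return port == int(val) if op == "eq" else port > int(val)  # only eq / gt are used here

def permitted(acl, p):
    """First matching rule wins; 'established' refuses a bare SYN; implicit deny at the end."""
    for r in acl:
        if (r.src == p.src and r.dst == p.dst and port_match(r.sport, p.sport)
                and port_match(r.dport, p.dport) and not (r.established and p.syn_only)):
            return True
    return False

# Client-side inbound ACLs (server -> client), after the summary, normalized to gt 1023
ACTIVE_IN = [Rule("serv", "eq 21", "lan", "gt 1023", True), Rule("serv", "eq 20", "lan", "gt 1023")]
PASSIVE_IN = [Rule("serv", "eq 21", "lan", "gt 1023", True), Rule("serv", "gt 1023", "lan", "gt 1023", True)]
# Client-side outbound ACLs (client -> server), after the reply above
ACTIVE_OUT = [Rule("lan", "gt 1023", "serv", "eq 21"), Rule("lan", "gt 1023", "serv", "eq 20", True)]
PASSIVE_OUT = [Rule("lan", "gt 1023", "serv", "eq 21"), Rule("lan", "gt 1023", "serv", "gt 1023")]

def session(passive):
    """Constructed packet trace on the client's interface: the SYN and one reply per channel."""
    ctl = [("out", Pkt("lan", 1428, "serv", 21, True)), ("in", Pkt("serv", 21, "lan", 1428, False))]
    if passive:  # client opens the data channel to the port the server announced in its PASV reply
        data = [("out", Pkt("lan", 1429, "serv", 3654, True)), ("in", Pkt("serv", 3654, "lan", 1429, False))]
    else:        # server opens the data channel from port 20 to the port the client sent in PORT
        data = [("in", Pkt("serv", 20, "lan", 1429, True)), ("out", Pkt("lan", 1429, "serv", 20, False))]
    return ctl + data

def session_ok(acl_in, acl_out, passive):
    """True if every packet of the session is permitted by the ACL for its direction."""
    return all(permitted(acl_in if d == "in" else acl_out, p) for d, p in session(passive))
```

Swapping the ACL pairs between modes makes session_ok fail, and an unsolicited SYN from a high server port into a high client port is still refused by the passive inbound rule because of "established".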
----- Original Message -----
From: "Jonathan V Hays" <jhays@jtan.com>
To: "'Alec'" <clapun@graduate.hku.hk>; "'Ccielab@Groupstudy. Com'"
<ccielab@groupstudy.com>
Sent: Monday, August 25, 2003 12:58 AM
Subject: RE: ACL for FTP
> Summary of FTP Connections
>
> Active FTP:
> ===========
> CLIENT
> Control Channel:
> Client TCP Port: gt 1023
> Initiates TCP connection to server
> Data Channel:
> Client TCP Port: gt 1023
> Sends PORT cmd to server (e.g., "use port 1428")
> Client inbound ACLs:
> permit host serv-IP eq 21 lan-IP gt 1023 established
> permit host serv-IP eq 20 lan-IP gt 1023
>
> SERVER
> Control Channel:
> Server TCP Port: 21
> Data Channel:
> Server TCP Port: 20
> Initiates TCP connection to client port (e.g., port 1428)
> server Inbound ACLs:
> permit lan-IP gt 1023 host serv-IP eq 21
> permit lan-IP gt 1023 host serv-IP eq 20 established
>
> Passive FTP:
> ============
> CLIENT
> Control Channel: (same as Active FTP)
> Client TCP Port: gt 1023
> Initiates TCP connection to server
> Data Channel:
> Client TCP Port: gt 1023
> Sends PASV cmd to server (e.g., "what port should I use?")
> After it gets the port number, the client initiates TCP connection to
> server
> Client inbound ACLs:
> permit host serv-IP eq 21 lan-IP gt 1023 established
> permit host serv-IP gt 1024 lan-IP gt 1023 established
>
> SERVER
> Control Channel: (same as Active FTP)
> Server TCP Port: 21
> Data Channel:
> server TCP Port: gt 1023
> replies with port to use (e.g., "use port 3654")
> server Inbound ACLs:
> permit lan-IP gt 1023 host serv-IP eq 21
> permit lan-IP gt 1023 host serv-IP gt 1023
>
>
> The ACLs shown can be loosened up if desired.
> As an exercise, write the ACLs on both client and server for OUTBOUND
> traffic.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Alec
> Sent: Sunday, August 24, 2003 11:40 AM
> To: 'Ccielab@Groupstudy. Com'
> Subject: ACL for FTP
>
>
> Hi group,
>
> To restrict FTP traffic, besides port 21, do I need to explicitly allow
> other port range for FTP DATA streams ?
>
> access-list 101 permit tcp any any eq ftp
> access-list 101 permit tcp any any gt 1023 <=== required ?
> int e0
> ip access-group 101 in
>
> regards,
> alec
This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:54:06 GMT-3