RE: Passive FTP Examples in Practical Studies Vol. 2.

From: David Hurtado (dei2viccie@hotmail.com)
Date: Tue Mar 02 2004 - 08:21:53 GMT-3


Hello Tyson,

From what I understand from the following link:

http://www.troubleshootingnetworks.com/ftpinfo.html

the client uses neither port 20 nor port 21 in passive mode. So if you
have the client inside the interface, the server outside the interface and
you apply the ACL inbound, you don't have to allow port 20 or port 21 for
the client, because the client doesn't use them.

Please correct me if I'm wrong (I'm here to learn).

Thanks for the help

>From: "Scott, Tyson C" <tyson.scott@hp.com>
>Reply-To: "Scott, Tyson C" <tyson.scott@hp.com>
>To: "Adel Abushaev" <adel@netmasterclass.net>, "David Hurtado"
><deivi78@hotmail.com>, <nomad@gfoyle.org>, <kwchen@netvigator.com>,
><ccielab@groupstudy.com>
>Subject: RE: Passive FTP Examples in Practical Studies Vol. 2.
>Date: Tue, 2 Mar 2004 00:01:38 -0600
>
>David,
>My bad. I was not thinking about which port I was talking about. It
>would need to be port 21. That is how it establishes the TCP connection,
>so you would either have a reflexive access list to allow this in or use
>the established as below, but not with port 20. Sorry. You will need it
>to establish port 21 between the two and then it, the client, negotiates
>some higher port than 1023. But yes, it does use port 21. How would it
>ever know that it is creating an FTP session? The server would have to
>think any TCP connection above 1023 is an FTP session coming in without
>some basis to start from. Sorry for confusing the two ports.
>
>
>
>-----Original Message-----
>From: Adel Abushaev [mailto:adel@netmasterclass.net]
>Sent: Monday, March 01, 2004 9:04 PM
>To: Scott, Tyson C; David Hurtado; nomad@gfoyle.org;
>kwchen@netvigator.com; ccielab@groupstudy.com
>Subject: Re: Passive FTP Examples in Practical Studies Vol. 2.
>
>Scott, et al,
>
>In passive mode, when the client is ready to send a file the following
>occurs:
>
>1. client sends PASV
>2. server responds "227 Entering Passive Mode", followed by the IP address and
>port number on which the server is listening for the client to connect
>3. client sends STOR with the file name
>4. server confirms it by answering "150 Opening [Binary|ASCII] mode data
>connection for filename"
>... the actual transfer goes between client and server over the negotiated
>ports
>5. client closes the data stream and the server acknowledges it by saying
>"226 Transfer complete" over the command port.
>
>The client will use the next available port from the kernel; the server does
>the same.
>You may verify it with "/usr/sbin/tcpdump -X -v -s 1500 tcp port 21" on
>Unix, or with windump with the same parameters on Windows platforms.
>
>HTH,
>
>Adel Abouchaev
>CCIE# 12037, MCSE
>http://www.netmasterclass.net
>
>----- Original Message -----
>From: "Scott, Tyson C" <tyson.scott@hp.com>
>To: "David Hurtado" <deivi78@hotmail.com>; <nomad@gfoyle.org>;
><kwchen@netvigator.com>; <ccielab@groupstudy.com>
>Sent: Monday, March 01, 2004 7:23 PM
>Subject: RE: Passive FTP Examples in Practical Studies Vol. 2.
>
>
> > If it doesn't use port 20 how does it setup the FTP session?
> >
> >
> >
> > Regards,
> >
> >
> >
> > Tyson Scott
> >
> > Agilent Problem Management Team
> >
> > Managed Network Services
> >
> > Phone: 313-583-5812
> >
> > Pager: 877-997-0811
> >
> >
> >
> > -----Original Message-----
> > From: David Hurtado [mailto:deivi78@hotmail.com]
> > Sent: Monday, March 01, 2004 11:53 AM
> > To: Scott, Tyson C; nomad@gfoyle.org; kwchen@netvigator.com;
> > ccielab@groupstudy.com
> > Subject: RE: Passive FTP Examples in Practical Studies Vol. 2.
> >
> >
> >
> > Hello everybody,
> >
> > I don't think that the following inbound ACL would be correct to allow the
> > communication between FTP passive client and server (supposing that the
> > server is outside the interface and its IP address is X.X.X.X)
> >
> > 1. permit tcp host x.x.x.x any ftp
> >
> > 2. permit tcp host x.x.x.x any gt 1023 established
> >
> > In FTP passive mode, the client never uses port 20 nor port 21, so the first
> > statement would be useless. Please, tell me if I'm wrong.
> >
> > Thanks for the help
> >
> >
> >
> >
> >
> >
> > >From: "Scott, Tyson C"
> >
> > >Reply-To: "Scott, Tyson C"
> >
> > >To: "Jonathan Hays" , "William Chen" ,
> >
> > >Subject: RE: Passive FTP Examples in Practical Studies Vol. 2.
> >
> > >Date: Fri, 27 Feb 2004 08:11:16 -0600
> >
> > >
> >
> > >But if this was going the opposite way it would be correct, but hosts
> > >would need to be reversed if this was an inbound list towards the
> > >hosts. And it should not be ip tcp, for sure; it should just be tcp.
> >
> > >1. permit tcp host x.x.x.x any ftp
> >
> > >2. permit tcp host x.x.x.x any gt 1023 established
> >
> > >
> >
> > >Regards,
> >
> > >
> >
> > >Tyson Scott
> >
> > >Agilent Problem Management Team
> >
> > >Managed Network Services
> >
> > >Phone: 313-583-5812
> >
> > >Pager: 877-997-0811
> >
> > >
> >
> > >
> >
> > >-----Original Message-----
> >
> > >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > >Jonathan Hays
> >
> > >Sent: Thursday, February 26, 2004 8:04 PM
> >
> > >To: 'William Chen'; ccielab@groupstudy.com
> >
> > >Subject: RE: Passive FTP Examples in Practical Studies Vol. 2.
> >
> > >
> >
> > >you wrote:
> >
> > > >-----Original Message-----
> >
> > > >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> >
> > > >Behalf Of William Chen
> >
> > > >Sent: Thursday, February 26, 2004 7:14 PM
> >
> > > >To: ccielab@groupstudy.com
> >
> > > >Subject: Passive FTP Examples in Practical Studies Vol. 2.
> >
> > > >
> >
> > > >
> >
> > > >Dear all,
> >
> > > >
> >
> > > > In all the examples of passive FTP in the book Practical Studies Vol. 2,
> > > >it states that to match the passive FTP traffic by ACL to a server, the
> > > >ACL should be:
> > > >
> > > > 1. permit ip tcp any host x.x.x.x ftp
> > > > 2. permit ip tcp any host x.x.x.x gt 1023 established
> > > >
> > > > I wonder why established is used in statement 2, since in passive
> > > >FTP, the data channel should be initiated by the client to the server at
> > > >a port greater than 1023.
> >
> > > >
> >
> > > >Best Regards,
> >
> > > >William Chen
> >
> > >= = =
> >
> > >The book is wrong. This is clearly a typo.
> >
> > >Step 2 states "FTP clients will connect to the FTP server using passive
> > >FTP sessions" but the solution (shown on both pages 421 and 423) is for
> > >*active* FTP:
> >
> > >access-list 103 permit tcp any host 10.54.148.15 eq ftp
> >
> > >access-list 103 permit tcp any host 10.54.148.15 gt 1023 established
> >
> > >This ACL is applied to the Priority list on Cancun, outbound toward the
> > >FTP server. The first ACL allows initiation of the FTP Control (port 21)
> > >TCP connection from the client to the server. In the second, erroneous
> > >ACL the keyword "established" allows traffic that was initiated from the
> > >server. This is incorrect since in passive FTP all TCP connections are
> > >initiated by the client and this ACL is outbound toward the server. The
> > >second ACL would be correct if the keyword "established" were removed so
> > >we can allow client TCP SYN packets toward the FTP server.
> >
> > >
> >
> > >See Priscilla Oppenheimer's excellent treatment of the details of FTP
>at
> >
> > >
> >
> > >http://www.troubleshootingnetworks.com/ftpinfo.html
> >
> > >
> >
> > >Jonathan
> >
> > >
> >
> >
> >_______________________________________________________________________
> >
> > >Please help support GroupStudy by purchasing your study materials
>from:
> >
> > >http://shop.groupstudy.com
> >
> > >
> >
> > >Subscription information may be found at:
> >
> > >http://www.groupstudy.com/list/CCIELab.html
> >
> > >
> >
> >
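The PASV exchange and the two competing ACLs argued over in this thread, as an added Python example that is not from any of the posters: it parses a constructed 227 reply into the server's data port and models Cisco's `established` keyword (matches only segments with ACK or RST set) to show that the book's second line drops the client's data-channel SYN toward the server, while the same line without `established` admits it. The server address 10.54.148.15 comes from the thread; the 227 reply text is constructed.

```python
import re
from dataclasses import dataclass

# Constructed 227 reply as the server would send it on the control channel
# (port 21) in answer to PASV; not captured from a real server.
SAMPLE_227 = "227 Entering Passive Mode (10,54,148,15,195,80)\r\n"

def parse_pasv_reply(line):
    """Return (ip, port) from a 227 reply; port = p1*256 + p2 (RFC 959)."""
    m = re.search(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", line)
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    h = m.groups()
    return ".".join(h[:4]), int(h[4]) * 256 + int(h[5])

@dataclass
class Segment:
    dst: str      # destination address
    dport: int    # destination TCP port
    ack: bool     # ACK flag set (a bare SYN has ack=False)

def ace_matches(ace, seg):
    """One 'permit tcp any host <ip> eq|gt <n> [established]' entry.
    'established' only matches segments with ACK (or RST) set, modelled
    here on the ACK flag, so a connection-opening SYN never matches it."""
    if seg.dst != ace["host"]:
        return False
    op, val = ace["port"]
    if (op == "eq" and seg.dport != val) or (op == "gt" and seg.dport <= val):
        return False
    return seg.ack or not ace.get("established", False)

def acl_permits(acl, seg):
    return any(ace_matches(a, seg) for a in acl)

def check_book_acl(server="10.54.148.15"):
    """Outbound toward the server: the client's control SYN to port 21 and
    its data SYN to the port announced in the 227 reply, evaluated against
    the book's ACL and against the same ACL with 'established' removed."""
    ip, dport = parse_pasv_reply(SAMPLE_227)
    book = [{"host": server, "port": ("eq", 21)},
            {"host": server, "port": ("gt", 1023), "established": True}]
    fixed = [{"host": server, "port": ("eq", 21)},
             {"host": server, "port": ("gt", 1023)}]
    ctl_syn = Segment(ip, 21, ack=False)
    data_syn = Segment(ip, dport, ack=False)
    return {"port": dport,
            "book": (acl_permits(book, ctl_syn), acl_permits(book, data_syn)),
            "fixed": (acl_permits(fixed, ctl_syn), acl_permits(fixed, data_syn))}
```

Each tuple is (control SYN permitted, data SYN permitted); the model only covers the client-to-server direction, which is where the thread's disagreement lies.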



This archive was generated by hypermail 2.1.4 : Thu Apr 01 2004 - 08:15:12 GMT-3