From: John Matus (john_matus@hotmail.com)
Date: Mon Jun 20 2005 - 19:01:10 GMT-3
What would be the advantage of issuing only ftp-data? If you've blocked
ftp @ port 21 then the server can never open up port 20 for the
data.
>From: "ccie2be" <ccie2be@nyc.rr.com>
>To: "'John Matus'" <john_matus@hotmail.com>, <ccielab@groupstudy.com>
>Subject: RE: filtering active mode vs. passive mode ftp
>Date: Mon, 20 Jun 2005 17:31:55 -0400
>
>Hey John,
>
>Recently (within the past 2 or 3 weeks), I went over this issue with Bob
>Sinclair.
>
>For both active and passive, you can use nbar ie match prot ftp.
>
>If you want to use an acl for active, you can use "eq ftp" and "eq
>ftp-data".
>
>For passive FTP, you're out of luck using an acl for the data connection.
>
>HTH, Tim
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>John
>Matus
>Sent: Monday, June 20, 2005 5:16 PM
>To: ccielab@groupstudy.com
>Subject: filtering active mode vs. passive mode ftp
>
>I'm a bit confused how you would filter active ftp vs. passive ftp. Both
>sessions initiate on the server's port 21 so I can see how you could filter
>with:
>
>access-l 100 deny tcp host 1.1.1.1 host 1.1.1.2 eq ftp
>
>but when you get to the data part of the session it seems that you would
>only be able to block active mode ftp with:
>
>access-l 100 deny tcp host 1.1.1.1 host 1.1.1.2 eq ftp-data where the port
>is 20. is this correct? is there another way to block passive mode ftp?
>
>I suppose you could just block port 21 in either scenario and that would
>stop the command portion of the session so the data would be a moot point.
>
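To make Tim's point concrete, here is an added example in Python (not from the thread or from any Cisco code): a toy ACL matcher that applies John's `eq ftp-data` entry to both an active-mode and a passive-mode data connection. The hosts 1.1.1.1 and 1.1.1.2 come from the thread; the ephemeral ports and the `227` reply are constructed.

```python
# Added example (not from the thread): a toy Cisco-style ACL matcher showing why
# "deny tcp host 1.1.1.1 host 1.1.1.2 eq ftp-data" catches active-mode FTP data
# but never passive-mode data. Ephemeral ports and the 227 reply are constructed.
from dataclasses import dataclass
from typing import List, Optional

FTP, FTP_DATA = 21, 20          # well-known control and active-mode data ports


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One 'deny tcp host SRC host DST eq PORT' entry; 'eq' tests the dst port."""
    src: str
    dst: str
    dport: Optional[int] = None


def acl_denies(acl: List[Ace], pkt: Pkt) -> bool:
    return any(a.src == pkt.src and a.dst == pkt.dst
               and (a.dport is None or a.dport == pkt.dport) for a in acl)


def parse_pasv_port(reply: str) -> int:
    """Data port from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    fields = reply[reply.index("(") + 1:reply.index(")")].split(",")
    return int(fields[4]) * 256 + int(fields[5])


def data_channel(mode: str, client: str, server: str, cport: int, sport: int) -> List[Pkt]:
    """Both directions of the data connection for the given FTP mode."""
    if mode == "active":   # server connects FROM port 20 TO the port in the client's PORT command
        return [Pkt(server, FTP_DATA, client, cport), Pkt(client, cport, server, FTP_DATA)]
    if mode == "passive":  # client connects TO the ephemeral port from the server's 227 reply
        return [Pkt(client, cport, server, sport), Pkt(server, sport, client, cport)]
    raise ValueError(mode)


def data_blocked(mode: str, client: str = "1.1.1.1", server: str = "1.1.1.2") -> bool:
    """True if the thread's ftp-data ACE denies any packet of the data connection."""
    acl = [Ace(client, server, FTP_DATA)]   # access-l 100 deny tcp host 1.1.1.1 host 1.1.1.2 eq ftp-data
    sport = parse_pasv_port("227 Entering Passive Mode (1,1,1,2,195,80)")  # constructed reply -> 50000
    pkts = data_channel(mode, client, server, cport=40001, sport=sport)
    return any(acl_denies(acl, p) for p in pkts)
```

In active mode the client's half of the data handshake is addressed to server port 20 and the entry denies it; in passive mode both ends use ephemeral ports, so the same ACL never fires, which is why Tim points to NBAR (`match protocol ftp`) for that case.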
This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:42 GMT-3