RE: filtering active mode vs. passive mode ftp

From: ccie2be (ccie2be@nyc.rr.com)
Date: Mon Jun 20 2005 - 19:10:22 GMT-3


John,

Good point.

I would say that if you're denying FTP, then denying just the control is
sufficient in the sense that a file transfer won't take place without the
control channel being opened. But, you would probably want to drop the
traffic coming in the data channel at the router rather than have the FTP
server drop it.

But what if you're allowing FTP? In that case, I think you need both the
control and the data channels.

HTH, Tim

-----Original Message-----
From: John Matus [mailto:john_matus@hotmail.com]
Sent: Monday, June 20, 2005 6:01 PM
To: ccie2be@nyc.rr.com; ccielab@groupstudy.com
Subject: RE: filtering active mode vs. passive mode ftp

What would be the advantage of issuing only ftp-data? If you've blocked
ftp @ port 21 then the server can never open up port 20 for the
data...

>From: "ccie2be" <ccie2be@nyc.rr.com>
>To: "'John Matus'" <john_matus@hotmail.com>, <ccielab@groupstudy.com>
>Subject: RE: filtering active mode vs. passive mode ftp
>Date: Mon, 20 Jun 2005 17:31:55 -0400
>
>Hey John,
>
>Recently (within the past 2 or 3 weeks), I went over this issue with Bob
>Sinclair.
>
>For both active and passive, you can use nbar ie match prot ftp.
>
>If you want to use an acl for active, you can use "eq ftp" and "eq
>ftp-data".
>
>For passive FTP, you're out of luck using an acl for the data connection.
>
>HTH, Tim
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of John Matus
>Sent: Monday, June 20, 2005 5:16 PM
>To: ccielab@groupstudy.com
>Subject: filtering active mode vs. passive mode ftp
>
>I'm a bit confused how you would filter active FTP vs. passive FTP. Both
>sessions initiate on the server's port 21, so I can see how you could filter
>with:
>
>access-l 100 deny tcp host 1.1.1.1 host 1.1.1.2 eq ftp
>
>but when you get to the data part of the session it seems that you would
>only be able to block active mode FTP with:
>
>access-l 100 deny tcp host 1.1.1.1 host 1.1.1.2 eq ftp-data
>
>where the port is 20. Is this correct? Is there another way to block passive mode FTP?
>
>I suppose you could just block port 21 in either scenario and that would
>stop the command portion of the session, so the data would be a moot point.
>
>_______________________________________________________________________
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
>
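The thread's core point is that active FTP's data connection is predictable (server port 20 to a client port announced in the PORT command) while passive FTP's data port is negotiated in the 227 reply and differs per session, so a static ACL cannot name it. The following script is an added illustration, not code from anyone in the thread: it parses a constructed control-channel exchange for the two hosts used above (1.1.1.1 client, 1.1.1.2 server), predicts the resulting data connection, and evaluates the thread's IOS-style ACL lines against it. The `parse_ace` grammar covers only the `host ... [eq ...] host ... [eq ...]` form seen in the thread; the sample sessions and port numbers are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample control-channel exchanges (not captured from a real session).
# "C:" lines are client -> server on tcp/21, "S:" lines are server replies.
CLIENT, SERVER = "1.1.1.1", "1.1.1.2"

ACTIVE_SESSION = [
    "C: USER anonymous",
    "S: 331 Please specify the password.",
    "C: PASS guest",
    "S: 230 Login successful.",
    "C: PORT 1,1,1,1,19,137",  # client will listen on 19*256+137 = 5001
    "S: 200 PORT command successful.",
    "C: RETR file.bin",
    "S: 150 Opening BINARY mode data connection.",
]

PASSIVE_SESSION = [
    "C: USER anonymous",
    "S: 331 Please specify the password.",
    "C: PASS guest",
    "S: 230 Login successful.",
    "C: PASV",
    "S: 227 Entering Passive Mode (1,1,1,2,156,64).",  # server listens on 156*256+64 = 40000
    "C: RETR file.bin",
    "S: 150 Opening BINARY mode data connection.",
]


@dataclass(frozen=True)
class Flow:
    """One TCP connection as a filtering device would see its SYN. sport 0 = unknown ephemeral."""
    src: str
    sport: int
    dst: str
    dport: int


# h1,h2,h3,h4,p1,p2 as used by both PORT and the 227 reply (RFC 959 encoding)
HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def _decode(match):
    h1, h2, h3, h4, p1, p2 = map(int, match.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def predict_data_flow(lines, client=CLIENT, server=SERVER):
    """Return (mode, Flow) for the data connection this control session negotiates."""
    for line in lines:
        who, _, text = line.partition(": ")
        if who == "C" and text.upper().startswith("PORT "):
            host, port = _decode(HOSTPORT.search(text))
            # Active: the server opens the data connection FROM tcp/20 TO the announced port.
            return "active", Flow(server, 20, host, port)
        if who == "S" and text.startswith("227"):
            host, port = _decode(HOSTPORT.search(text))
            # Passive: the client opens it from an ephemeral port TO the announced server port.
            return "passive", Flow(client, 0, host, port)
    raise ValueError("control session contains neither PORT nor a 227 reply")


PORT_NAMES = {"ftp": 21, "ftp-data": 20}


def parse_ace(text):
    """Parse 'access-list N deny|permit tcp host A [eq P] host B [eq P]' (access-l accepted)."""
    tok = text.split()
    if not tok[0].startswith("access-l") or tok[3] != "tcp":
        raise ValueError("unsupported ACE syntax: " + text)
    pos = 4

    def addr_port():
        nonlocal pos
        if tok[pos] != "host":
            raise ValueError("only 'host' addresses are supported")
        addr, pos = tok[pos + 1], pos + 2
        port = None
        if pos < len(tok) and tok[pos] == "eq":
            port = PORT_NAMES.get(tok[pos + 1]) or int(tok[pos + 1])
            pos += 2
        return addr, port

    src, sport = addr_port()
    dst, dport = addr_port()
    return {"action": tok[2], "src": src, "sport": sport, "dst": dst, "dport": dport}


def ace_matches(ace, flow):
    """Static 5-tuple match; a missing 'eq' means any port."""
    return (ace["src"] == flow.src and ace["dst"] == flow.dst
            and ace["sport"] in (None, flow.sport)
            and ace["dport"] in (None, flow.dport))


def data_channel_blocked(lines, ace_text):
    """Does the given ACE catch the data connection that this control session sets up?"""
    _mode, flow = predict_data_flow(lines)
    return ace_matches(parse_ace(ace_text), flow)


if __name__ == "__main__":
    # Server-sourced tcp/20, the only fixed port an active-mode data connection has.
    active_ace = "access-list 100 deny tcp host 1.1.1.2 eq ftp-data host 1.1.1.1"
    for name, session in (("active", ACTIVE_SESSION), ("passive", PASSIVE_SESSION)):
        mode, flow = predict_data_flow(session)
        print(name, flow, "blocked by ftp-data ACE:", ace_matches(parse_ace(active_ace), flow))
```

Running it shows the active session's data flow (1.1.1.2:20 to 1.1.1.1:5001) matching the tcp/20 entry, while the passive session's flow (1.1.1.1 to 1.1.1.2:40000) matches no entry keyed on port 20 or 21, since the port only exists inside the 227 reply; that is why the thread points to NBAR (or any inspection that reads the control channel) for passive data, and why dropping the control channel at port 21 is the simple way to deny FTP altogether.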



This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:42 GMT-3