Re: filtering active mode vs. passive mode ftp

From: John Matus (jmatus@pacbell.net)
Date: Tue Jun 21 2005 - 00:53:40 GMT-3


Does anyone think that ip nbar protocol-discovery is worth turning on at the
start of the lab, along with ip cef and what-not?

Regards,

John D. Matus
MCSE, CCNP
Office: 818-782-2061
Cell: 818-430-8372
jmatus@pacbell.net
----- Original Message -----
From: "ccie2be" <ccie2be@nyc.rr.com>
To: "'John Matus'" <john_matus@hotmail.com>; <ccielab@groupstudy.com>
Sent: Monday, June 20, 2005 2:31 PM
Subject: RE: filtering active mode vs. passive mode ftp

> Hey John,
>
> Recently (within the past 2 or 3 weeks), I went over this issue with Bob
> Sinclair.
>
> For both active and passive, you can use NBAR, i.e. match protocol ftp.
>
> If you want to use an acl for active, you can use "eq ftp" and "eq
> ftp-data".
>
> For passive FTP, you're out of luck using an acl for the data connection.
>
> HTH, Tim
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of John Matus
> Sent: Monday, June 20, 2005 5:16 PM
> To: ccielab@groupstudy.com
> Subject: filtering active mode vs. passive mode ftp
>
> I'm a bit confused about how you would filter active FTP vs. passive FTP. Both
> sessions initiate on the server's port 21, so I can see how you could filter
> with:
>
> access-l 100 deny tcp host 1.1.1.1 host 1.1.1.2 eq ftp
>
> But when you get to the data part of the session, it seems that you would
> only be able to block active-mode FTP with:
>
> access-l 100 deny tcp host 1.1.1.1 host 1.1.1.2 eq ftp-data
>
> where the port is 20. Is this correct? Is there another way to block
> passive-mode FTP?
>
> I suppose you could just block port 21 in either scenario, and that would
> stop the command portion of the session, so the data would be a moot point.
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
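The point Tim and John are circling, shown as an added example that is not part of the thread and not Cisco code: a small Python model of the two filtering approaches. A port-based ACL can describe the control connection (port 21) and the server-initiated active-mode data connection (source port 20), but a passive-mode data connection uses an ephemeral port that the server only announces in its 227 reply, so the only way to catch it is to read the control channel the way NBAR's match protocol ftp (or any stateful FTP inspection) does. The hosts 1.1.1.1 (client) and 1.1.1.2 (server) are taken from the ACL in the thread; the control-channel lines and port numbers are constructed for the example, and the ACL emulation and tracker are my own, not a description of IOS internals.

```python
"""Static port ACL vs. control-channel tracking for FTP data connections.

Added example; the FTP sessions below are constructed, not captured traffic.
"""
import re
from typing import List, NamedTuple, Optional, Sequence, Tuple

FTP_PORT = 21       # IOS ACL keyword "ftp"
FTP_DATA_PORT = 20  # IOS ACL keyword "ftp-data"


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int


# Client announces its data endpoint (active) / server announces its own (passive).
_PORT_CMD = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
_PASV_REPLY = re.compile(r"^227\s.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups: Sequence[str]) -> Tuple[str, int]:
    """RFC 959 h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256 + p2)."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])


def static_acl_denies(flow: Flow, client: str, server: str) -> bool:
    """Emulate the port-based ACL from the thread, with the ftp-data line written
    in the direction the active-mode server actually opens it:
        deny tcp host <client> host <server> eq ftp
        deny tcp host <server> eq ftp-data host <client>
    Nothing here can name a passive-mode data port: it is chosen per session."""
    control = flow.src == client and flow.dst == server and flow.dport == FTP_PORT
    active_data = flow.src == server and flow.sport == FTP_DATA_PORT and flow.dst == client
    return control or active_data


class FtpInspector:
    """Learn each data endpoint from PORT / 227 on the control channel and
    classify the resulting connection whatever ports it uses (the job NBAR
    or a stateful FTP inspector does; this tracker is an illustration)."""

    def __init__(self, client: str, server: str):
        self.client, self.server = client, server
        self.pending: List[Flow] = []  # expected data connections; sport 0 = any

    def observe(self, line: str) -> Optional[Flow]:
        m = _PORT_CMD.match(line)
        if m:  # active: server connects from port 20 to the client-announced endpoint
            host, port = decode_hostport(m.groups())
            expected = Flow(self.server, FTP_DATA_PORT, host, port)
        else:
            m = _PASV_REPLY.match(line)
            if not m:
                return None
            host, port = decode_hostport(m.groups())  # passive: client connects here
            expected = Flow(self.client, 0, host, port)
        self.pending.append(expected)
        return expected

    def is_ftp_data(self, flow: Flow) -> bool:
        for exp in self.pending:
            if (exp.src, exp.dst, exp.dport) == (flow.src, flow.dst, flow.dport) \
                    and exp.sport in (0, flow.sport):
                self.pending.remove(exp)  # one data connection per announcement
                return True
        return False


def classify_session(client: str, server: str, control_lines: List[str],
                     data_flow: Flow) -> dict:
    """Run both filters over one session; report which catches the data connection."""
    insp = FtpInspector(client, server)
    for line in control_lines:
        insp.observe(line)
    return {"static_acl": static_acl_denies(data_flow, client, server),
            "stateful_nbar": insp.is_ftp_data(data_flow)}


# Constructed sessions: 1.1.1.1 is the client, 1.1.1.2 the server, as in the thread's ACL.
CLIENT, SERVER = "1.1.1.1", "1.1.1.2"

ACTIVE_CONTROL = ["USER anonymous", "PORT 1,1,1,1,4,1", "RETR file.txt"]  # 4*256+1 = 1025
ACTIVE_DATA = Flow(SERVER, FTP_DATA_PORT, CLIENT, 1025)

PASSIVE_CONTROL = ["USER anonymous", "PASV",
                   "227 Entering Passive Mode (1,1,1,2,195,80)", "RETR file.txt"]  # 195*256+80 = 50000
PASSIVE_DATA = Flow(CLIENT, 40001, SERVER, 50000)

if __name__ == "__main__":
    print("active :", classify_session(CLIENT, SERVER, ACTIVE_CONTROL, ACTIVE_DATA))
    print("passive:", classify_session(CLIENT, SERVER, PASSIVE_CONTROL, PASSIVE_DATA))
```

Running it shows the active-mode data connection caught by both the ACL and the tracker, while the passive-mode connection (client ephemeral port to server port 50000) slips past the ACL and is only caught by the tracker that read the 227 reply. Note the ftp-data ACL line is written with the server as source: in active mode the server opens the data connection from port 20, so an ACL applied toward the client has to match that direction (or rely on the client's replies matching "eq ftp-data" as destination, as in the thread's version).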



This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:42 GMT-3