RE: filtering active mode vs. passive mode ftp

From: Keane, James (James.Keane@agriculture.gov.ie)
Date: Tue Jun 21 2005 - 08:18:35 GMT-3


Yeap you are spot on, it's an old version,
just another morning stupid attack on my behalf.

Thanks

-----Original Message-----
From: ccie2be [mailto:ccie2be@nyc.rr.com]
Sent: 21 June 2005 12:16
To: Keane, James; 'John Matus'; ccielab@groupstudy.com
Subject: RE: filtering active mode vs. passive mode ftp

James,

You must not be using the right version of IOS. More recent versions
include the drop command under policy-map.

I suppose you can also use the police command and also drop all traffic but
that's less intuitive and much less direct than simply using the drop
command.

HTH, Tim

-----Original Message-----
From: Keane, James [mailto:James.Keane@agriculture.gov.ie]
Sent: Tuesday, June 21, 2005 6:54 AM
To: ccie2be; John Matus; ccielab@groupstudy.com
Subject: RE: filtering active mode vs. passive mode ftp

Ok, I understand how you are matching ftp using nbar, but how are you
filtering it?

With a service policy?

I can't see anything in the policy map helping much

  bandwidth Bandwidth
  exit Exit from QoS class action configuration mode
  priority Strict Scheduling Priority for this Class
  queue-limit Queue Max Threshold for Tail Drop
  random-detect Enable Random Early Detection as drop policy
  service-policy Configure QoS Service Policy
  shape Traffic Shaping
  police Police
  set Set QoS values

Care to shed some light? I suppose I am barking up the wrong tree as per
usual!

-----Original Message-----
From: ccie2be [mailto:ccie2be@nyc.rr.com]
Sent: 20 June 2005 22:32
To: 'John Matus'; ccielab@groupstudy.com
Subject: RE: filtering active mode vs. passive mode ftp

Hey John,

Recently (within the past 2 or 3 weeks), I went over this issue with Bob
Sinclair.

For both active and passive, you can use nbar ie match prot ftp.

If you want to use an acl for active, you can use "eq ftp" and "eq
ftp-data".

For passive FTP, you're out of luck using an acl for the data connection.

HTH, Tim

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of John
Matus
Sent: Monday, June 20, 2005 5:16 PM
To: ccielab@groupstudy.com
Subject: filtering active mode vs. passive mode ftp

i'm a bit confused how you would filter active ftp vs. passive ftp. both
sessions initiate on the server's port 21 so i can see how you could filter
with:

access-l 100 deny tcp host 1.1.1.1 host 1.1.1.2 eq ftp

but when you get to the data part of the session it seems that you would
only be able to block active mode ftp with:

access-l 100 deny tcp host 1.1.1.1 host 1.1.1.2 eq ftp-data where the port
is 20. is this correct? is there another way to block passive mode ftp?

i suppose you could just block port 21 in either scenario and that would
stop the command portion of the session so the data would be a moot point.



This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:42 GMT-3