I'm implementing port filtering on a Win2k server using built-in IPSEC policies. I'm having a bit of a time figuring out how to permit PASV FTP. My FTP rules are pretty simple (so far). Assuming the server is at IP 123.123.1:
Source (IP:Port)       Destination (IP:Port)   Action
------------------     --------------------    -------------
Any:Any                123.123.123.1:21        Pass
123.123.123.1:21       Any:Any                 Pass
123.123.123.1:20       Any:Any                 Pass

The rules are set up with a default deny rule - anything not explicitly passed is blocked. The server is not behind any other firewall or NAT'ing router, and is using a public IP address.

If I'm not mistaken, the above will permit active FTP connections to/from an FTP client (by permitting port 20 outbound). The problem that I'm having, I believe, is with FTP clients that must establish PASV connections due to their own firewalling. My understanding is that with PASV FTP, the server tells the client which data port to establish a connection on (rather than initiating the connection from port 20). So the client then attempts an incoming connection for the data channel on this randomly chosen port.

Any clues how to deal with this?

Jim

____________ The ISP-SECURITY Discussion List ____________
To Join: mailto:[EMAIL PROTECTED]
To Remove: mailto:[EMAIL PROTECTED]
Archives: http://isp-lists.isp-planet.com/isp-security/archives/
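As an added illustration (not from the post or the list), here is a small Python model of the stateless, default-deny filter described above: it evaluates the three posted rules against the active-mode data SYN and against the port the server announces in a PASV reply, then shows the same policy with one extra pass rule for a bounded passive range. The client address, the PASV reply and the range 50000-50100 are constructed assumptions; the model also assumes first-match semantics and that the FTP service has been confined to that range.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:  # one stateless filter line; port spec is 'any', a number, or 'lo-hi'
    src_ip: str
    src_port: str
    dst_ip: str
    dst_port: str
    action: str  # 'pass' or 'block'

def _port_matches(spec, port):
    if spec == "any":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return port == int(spec)

def evaluate(rules, src, dst):
    """First matching rule wins; anything unmatched falls to the default deny."""
    for r in rules:
        if (r.src_ip in ("any", src[0]) and _port_matches(r.src_port, src[1])
                and r.dst_ip in ("any", dst[0]) and _port_matches(r.dst_port, dst[1])):
            return r.action
    return "block"

def parse_pasv(reply):
    """Decode a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply into (ip, port)."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a PASV reply: " + reply)
    h = m.groups()
    return ".".join(h[:4]), int(h[4]) * 256 + int(h[5])

SERVER = "123.123.123.1"
CLIENT = ("198.51.100.7", 40000)  # constructed client address and ephemeral port
POSTED_RULES = [  # the three rules from the post, in order
    Rule("any", "any", SERVER, "21", "pass"),
    Rule(SERVER, "21", "any", "any", "pass"),
    Rule(SERVER, "20", "any", "any", "pass"),
]
# Same policy plus one pass rule for a bounded passive range (50000-50100 is an assumed range).
RULES_WITH_PASV = POSTED_RULES + [Rule("any", "any", SERVER, "50000-50100", "pass")]
PASV_REPLY = "227 Entering Passive Mode (123,123,123,1,195,80)"  # constructed; 195*256+80 = 50000

def data_connection_verdict(rules, reply=PASV_REPLY):
    """Verdict on the client's inbound SYN to the data port the server announced."""
    return evaluate(rules, CLIENT, parse_pasv(reply))
```

Under the posted rules the passive data SYN lands on the default deny, while the active-mode SYN from port 20 passes; the extra rule only helps if the server never announces a port outside the range it covers.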
