Whoops.  Make those rules:

Source (IP:Port)     Destination (IP:Port)  Action
------------------   --------------------   -------------
Any:Any              123.123.123.1:21       Pass
123.123.123.1:21     Any:Any                Pass
123.123.123.1:20     Any:Any                Pass
Any:Any              123.123.123.1:20       Pass

Jim


----- Original Message -----
From: "Jim McAtee" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, October 14, 2002 11:18 AM
Subject: [isp-security] Port Filtering for FTP Server


> I'm implementing port filtering on a Win2k server using built-in IPSEC policies.
> I'm having a bit of a time figuring out how to permit PASV FTP.  My FTP rules
> are pretty simple (so far).  Assuming the server is at IP 123.123.1:
>
>
> Source (IP:Port)     Destination (IP:Port)  Action
> ------------------   --------------------   -------------
> Any:Any              123.123.123.1:21       Pass
> 123.123.123.1:21     Any:Any                Pass
> 123.123.123.1:20     Any:Any                Pass
>
>
> The rules are set up with a default deny rule - anything not explicitly passed
> is blocked.  The server is not behind any other firewall or NAT'ing router, and
> is using a public IP address.  If I'm not mistaken, the above will permit active
> FTP connections to/from an FTP client (by permitting port 20 outbound).  The
> problem that I'm having, I believe, is with FTP clients that must establish PASV
> connections due to their own firewalling.
>
> My understanding is that with PASV FTP, the server tells the client which data
> port to establish a connection on (rather than initiating the connection from
> port 20).  So the client then attempts an incoming connection for the data
> channel on this randomly chosen port.  Any clues how to deal with this?
>
> Jim
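
As an added illustration (not part of this thread, and not Windows IPSEC policy syntax), a short Python model of Jim's stateless rule table: it checks each direction of the control and data connections for an active session and for a PASV session, which shows why the client's connection to the server's randomly chosen PASV data port is dropped by the default-deny filter. As an assumed mitigation it also shows a rule passing only a fixed PASV port range, which presumes the FTP server can be configured to announce ports from that range; the client address, ports and the range are constructed values.

```python
from dataclasses import dataclass

SERVER = "123.123.123.1"   # server address from the thread
ANY = "Any"

@dataclass(frozen=True)
class Rule:
    src_ip: object    # ANY or an IP string
    src_port: object  # ANY, a port number, or a range of ports
    dst_ip: object
    dst_port: object
    action: str = "Pass"

def _match(rule_ip, rule_port, ip, port):
    ip_ok = rule_ip == ANY or rule_ip == ip
    port_ok = (rule_port == ANY or port == rule_port
               or (isinstance(rule_port, range) and port in rule_port))
    return ip_ok and port_ok

def decide(rules, src_ip, src_port, dst_ip, dst_port):
    """Stateless filter: first matching rule wins; anything unmatched is blocked."""
    for r in rules:
        if _match(r.src_ip, r.src_port, src_ip, src_port) and _match(r.dst_ip, r.dst_port, dst_ip, dst_port):
            return r.action
    return "Block"

# Jim's corrected rule set: ports 21 and 20 on the server, both directions.
ACTIVE_RULES = [Rule(ANY, ANY, SERVER, 21), Rule(SERVER, 21, ANY, ANY),
                Rule(SERVER, 20, ANY, ANY), Rule(ANY, ANY, SERVER, 20)]

# Assumed mitigation: the FTP server announces PASV data ports only from a fixed
# range (constructed here), so the filter passes that range, not every port.
PASV_PORTS = range(50000, 50100)
PASV_RULES = ACTIVE_RULES + [Rule(ANY, ANY, SERVER, PASV_PORTS), Rule(SERVER, PASV_PORTS, ANY, ANY)]

def ftp_session(rules, client_ip, client_port, passive, data_port):
    """Return (control_ok, data_ok) for one session. Both directions of each TCP
    connection must pass, because the filter keeps no connection state.
    Active: the server dials from port 20 to the client's PORT-announced data_port.
    PASV: the client dials the server's PASV-announced data_port from a new port."""
    both = lambda a, b: decide(rules, *a) == "Pass" and decide(rules, *b) == "Pass"
    control_ok = both((client_ip, client_port, SERVER, 21), (SERVER, 21, client_ip, client_port))
    if passive:
        cp = client_port + 1  # constructed second ephemeral port on the client
        data_ok = both((client_ip, cp, SERVER, data_port), (SERVER, data_port, client_ip, cp))
    else:
        data_ok = both((SERVER, 20, client_ip, data_port), (client_ip, data_port, SERVER, 20))
    return control_ok, data_ok

if __name__ == "__main__":
    print("active     :", ftp_session(ACTIVE_RULES, "198.51.100.7", 40001, False, 40002))
    print("pasv       :", ftp_session(ACTIVE_RULES, "198.51.100.7", 40001, True, 50042))
    print("pasv+range :", ftp_session(PASV_RULES, "198.51.100.7", 40001, True, 50042))
```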


____________  The ISP-SECURITY Discussion List  ____________
To Join: mailto:[EMAIL PROTECTED]
To Remove: mailto:[EMAIL PROTECTED]
Archives: http://isp-lists.isp-planet.com/isp-security/archives/