> -----Original Message-----
> From: Chris Brenton [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 28 July 2000 10:14 AM
> To: Ben Nagy
> Cc: '[EMAIL PROTECTED]'
> Subject: Re: ftp through CISCO access-list
> 
> 
> Ben Nagy wrote:
> > 
> > FTP Passive mode should work through those ACLs as well. Passive just means
> > that the client starts the ftp-data connection instead of the server.
> 
> Actually, this is exactly why it will not work. ;)
> 
> The listed ACLs are:
> 
> > int ser0
> >   ip access-group 110 in
> > ...
> > 
> > ...
> > access-list 110 permit tcp any eq ftp host X.X.X.X established
> > access-list 110 permit tcp any eq ftp-data host X.X.X.X
> > ...
> > access-list 110 deny ip any any
> 
> 
> You are 100% correct that passive is established from client to server.
> The problem is it's established from one upper port to another. There is
> nothing here to allow inbound SYN=1 < 1023. To fix this, ports 1023-4096
> need to be opened inbound to the FTP server as well.

Uh, we're talking about different things, aren't we....

I thought that this was a problem with an FTP _client_ on the inside talking
to an FTP _server_ on the outside.

I'm therefore assuming (hoping) that there is a line like:
permit tcp any host X.X.X.X gt 1023 established

Otherwise a whole lot more than FTP would be busted (this is why I wanted to
see the rest of the ACL). If there is, it should all work, yah?

But yes, you're absolutely right - reading the original message again it
could be taken either way (inside FTP server / inside FTP client). 

So, Tom - if you're talking about problems with your FTP server, to do what
Chris says - add this:
deny tcp any host X.X.X.X gt 4096 [1]
permit tcp any host X.X.X.X gt 1023

If not, make sure you just have an 'established' line like the one above.

> 
> HTH,
> Chris
> -- 

Cheers,

[1] Personally, I'm a bit dubious about this. You may have problems if your
clients pick a really high port for the data channel. You can omit this line
if you trust _all_ the high ports on your FTP server.
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
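The two readings of the ACL argued over above (inside FTP client vs. inside FTP server) can be checked mechanically. The model below is an added example written for this page, not code from the thread, Cisco or Volante IT: it parses the `access-list` lines in the syntax the thread uses, applies the first-match / implicit-deny semantics of an IOS extended ACL, treats `established` as "ACK or RST bit set", and evaluates the inbound (Internet-to-inside) packets of each FTP flow against three lists: the fragment as quoted, the fragment plus the `gt 1023 established` line Ben hopes exists, and the fragment plus Ben's two server-side lines. The addresses 192.0.2.10 (inside host X.X.X.X) and 198.51.100.7 (outside peer), the port numbers, and the `permit tcp any host ... eq ftp` control-channel line in the server list (which the thread's `...` elides) are all constructed assumptions.

```python
"""Model how an inbound Cisco extended ACL treats active/passive FTP flows."""
from dataclasses import dataclass

PORT_NAMES = {"ftp": 21, "ftp-data": 20}

INSIDE = "192.0.2.10"     # constructed stand-in for X.X.X.X
OUTSIDE = "198.51.100.7"  # constructed outside peer


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool          # False only for the initial SYN; IOS 'established' needs ACK or RST
    proto: str = "tcp"


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _parse_addr(toks):
    """Consume 'any' or 'host A.B.C.D'; return (matcher, remaining tokens)."""
    if toks[0] == "any":
        return (lambda ip: True), toks[1:]
    if toks[0] == "host":
        target = toks[1]
        return (lambda ip: ip == target), toks[2:]
    raise ValueError("only 'any' and 'host' address forms are modelled")


def _parse_port(toks):
    """Consume an optional eq/gt/lt/range operator; return (matcher, remaining)."""
    if not toks:
        return (lambda p: True), toks
    op = toks[0]
    if op == "eq":
        n = _port(toks[1]); return (lambda p: p == n), toks[2:]
    if op == "gt":
        n = _port(toks[1]); return (lambda p: p > n), toks[2:]
    if op == "lt":
        n = _port(toks[1]); return (lambda p: p < n), toks[2:]
    if op == "range":
        lo, hi = _port(toks[1]), _port(toks[2]); return (lambda p: lo <= p <= hi), toks[3:]
    return (lambda p: True), toks          # next token is an address or 'established'


def parse_acl(text):
    """Parse 'access-list N permit|deny proto src [op port] dst [op port] [established]' lines."""
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks or toks[0] != "access-list":
            continue
        action, proto, toks = toks[2], toks[3], toks[4:]
        src, toks = _parse_addr(toks)
        sport, toks = _parse_port(toks)
        dst, toks = _parse_addr(toks)
        dport, toks = _parse_port(toks)
        rules.append((line.strip(), action, proto, src, sport, dst, dport, "established" in toks))
    return rules


def evaluate(rules, pkt):
    """First matching entry wins; an ACL always ends with an implicit deny."""
    for line, action, proto, src, sport, dst, dport, established in rules:
        if proto not in ("ip", pkt.proto):
            continue
        if not (src(pkt.src) and sport(pkt.sport) and dst(pkt.dst) and dport(pkt.dport)):
            continue
        if established and not pkt.ack:
            continue
        return action, line
    return "deny", "implicit deny"


def check(acl_text, pkt):
    return evaluate(parse_acl(acl_text), pkt)[0]


# The fragment exactly as quoted in the thread (its '...' lines are unknown).
ACL_AS_QUOTED = f"""
access-list 110 permit tcp any eq ftp host {INSIDE} established
access-list 110 permit tcp any eq ftp-data host {INSIDE}
access-list 110 deny ip any any
"""

# Inside FTP *client*: the 'established' line Ben expects, which also carries
# the return half of a passive-mode data channel (high port to high port).
ACL_INSIDE_CLIENT = f"""
access-list 110 permit tcp any eq ftp host {INSIDE} established
access-list 110 permit tcp any eq ftp-data host {INSIDE}
access-list 110 permit tcp any host {INSIDE} gt 1023 established
access-list 110 deny ip any any
"""

# Inside FTP *server*: Ben's two lines (deny gt 4096, then permit gt 1023)
# let outside clients open passive data connections to ports 1024-4096.
# The 'eq ftp' control-channel line is assumed; the thread elides it.
ACL_INSIDE_SERVER = f"""
access-list 110 permit tcp any host {INSIDE} eq ftp
access-list 110 permit tcp any eq ftp host {INSIDE} established
access-list 110 permit tcp any eq ftp-data host {INSIDE}
access-list 110 deny tcp any host {INSIDE} gt 4096
access-list 110 permit tcp any host {INSIDE} gt 1023
access-list 110 deny ip any any
"""

# Constructed inbound packets, all arriving on ser0 from the outside.
CLIENT_CONTROL_RETURN = Packet(OUTSIDE, 21, INSIDE, 40000, ack=True)      # reply on control channel
CLIENT_ACTIVE_DATA_SYN = Packet(OUTSIDE, 20, INSIDE, 40001, ack=False)    # server opens ftp-data
CLIENT_PASSIVE_DATA_RETURN = Packet(OUTSIDE, 50123, INSIDE, 40002, ack=True)  # reply to client's PASV connect
SERVER_PASSIVE_DATA_SYN = Packet(OUTSIDE, 50000, INSIDE, 3000, ack=False)     # client opens PASV port 3000
SERVER_PASSIVE_DATA_SYN_HIGH = Packet(OUTSIDE, 50000, INSIDE, 50000, ack=False)  # PASV port above 4096

if __name__ == "__main__":
    for name, acl in [("as quoted", ACL_AS_QUOTED), ("inside client", ACL_INSIDE_CLIENT),
                      ("inside server", ACL_INSIDE_SERVER)]:
        for flow in (CLIENT_CONTROL_RETURN, CLIENT_ACTIVE_DATA_SYN, CLIENT_PASSIVE_DATA_RETURN,
                     SERVER_PASSIVE_DATA_SYN, SERVER_PASSIVE_DATA_SYN_HIGH):
            print(f"{name:14} {flow.sport:>5} -> {flow.dport:<5} ack={flow.ack!s:5} {evaluate(parse_acl(acl), flow)}")
```

Running it shows both halves of the disagreement: with the list as quoted, the passive data reply to an inside client (high port to high port, ACK set) dies on `deny ip any any`, and so would every other client-initiated TCP session, which is Ben's reason for expecting a `gt 1023 established` line; with an inside server, the outside client's SYN to the PASV port is permitted only once Ben's `permit ... gt 1023` line is present, and his `deny ... gt 4096` footnote caveat is visible too: a server that hands out a PASV port above 4096 is refused.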
