Hi all,
To recap: the problem is that FTP works, but only with clients, not in a
DOS-box (also not in a browser, but that's solved: passive FTP won't work).
I will be a little more specific/clear to prevent misunderstandings: the
client is inside and I connect to any FTP server in the world. The access list
blocks every inbound connection (except to our web and mail server).
I'll include the whole ACL. I hope you understand what I am trying to achieve.
So, the original question was: this ACL works fine, also for FTP, except FTP
from a DOS-box (or is there a major difference between a Windows FTP client
and ftp in a Windows DOS-box? It also works from a Unix box).
The policy is: I deny every incoming connection that's not originated from
the inside, except to our www and smtp.
...
int ser 0
ip access-group 110 IN
...
access-list 110 deny ip host 127.0.0.1 any log-input
access-list 110 deny ip 194.7.246.160 0.0.0.7 any log-input
access-list 110 deny ip 10.1.0.0 0.0.255.255 any log-input
access-list 110 permit icmp any host 194.7.246.161 administratively-prohibited
access-list 110 permit icmp any host 194.7.246.161 echo log-input
access-list 110 permit icmp any host 194.7.246.161 echo-reply log-input
access-list 110 permit icmp any host 194.7.246.161 packet-too-big
access-list 110 permit icmp any host 194.7.246.161 time-exceeded
access-list 110 permit icmp any host 194.7.246.161 traceroute
access-list 110 permit icmp any host 194.7.246.161 unreachable
access-list 110 permit tcp any eq 443 host 194.7.246.161 gt 1023 established
access-list 110 permit tcp any eq www host 194.7.246.161 gt 1023 established
access-list 110 permit tcp any eq ftp host 194.7.246.161 established
access-list 110 permit tcp any eq ftp-data host 194.7.246.161
access-list 110 permit udp any eq domain host 194.7.246.161 log
access-list 110 permit tcp any eq smtp host 194.7.246.161 gt 1023 established log
access-list 110 permit tcp any gt 1023 host 194.7.246.162 eq www log
access-list 110 permit tcp any gt 1023 host 194.7.246.163 eq smtp log
access-list 110 permit tcp host 209.185.243.7 eq 443 host 194.7.246.161 gt 1023 established
access-list 110 permit tcp host 209.185.243.135 eq 443 host 194.7.246.161 gt 1023 established
access-list 110 permit tcp host 216.33.151.7 eq 443 host 194.7.246.161 gt 1023 established
access-list 110 permit tcp host 216.32.243.7 eq 443 host 194.7.246.161 gt 1023 established
access-list 110 deny ip any any log-input
Does anybody have a solution to the "ftp" problem of DOS, or suggestions/comments on
this ACL? I'm always interested to hear (read) different opinions...
thanks & regards,
Tom
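As an added illustration (not part of the thread, and not Tom's or Ben's code), here is a small first-match evaluator for the extended-ACL syntax posted above, run over a constructed subset of the entries. It shows why an active FTP data connection is let in (the server's SYN comes from port 20 and matches the ftp-data entry, which carries no 'established') while a passive data connection from the server's high port matches nothing before the final deny. The outside address 198.51.100.9 and the client high ports are constructed values.

```python
import ipaddress
# Constructed subset of the ACL from the thread, with IOS port names as written there.
NAMES = {"ftp": 21, "ftp-data": 20, "www": 80, "smtp": 25, "domain": 53}
ACL = [
    "deny ip 194.7.246.160 0.0.0.7 any log-input",
    "permit tcp any eq ftp host 194.7.246.161 established",
    "permit tcp any eq ftp-data host 194.7.246.161",
    "permit tcp any eq www host 194.7.246.161 gt 1023 established",
    "deny ip any any log-input",
]

def _take_addr(toks):
    """Consume 'any' | 'host A' | 'A wildcard'; wildcard assumed contiguous (e.g. 0.0.0.7)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    bits = int(ipaddress.ip_address(toks[1])).bit_length()
    return ipaddress.ip_network((toks[0], 32 - bits), strict=False), toks[2:]

def _take_port(toks):
    """Consume an optional 'eq/gt/lt N' port test; default matches every port."""
    if toks and toks[0] in ("eq", "gt", "lt"):
        op, n = toks[0], NAMES.get(toks[1]) or int(toks[1])
        return {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}[op], toks[2:]
    return (lambda p: True), toks

def parse(line):
    """Split one extended ACE into (action, proto, src, sport, dst, dport, established)."""
    toks = line.split()
    src, rest = _take_addr(toks[2:])
    sport, rest = _take_port(rest)
    dst, rest = _take_addr(rest)
    dport, rest = _take_port(rest)
    return toks[0], toks[1], src, sport, dst, dport, "established" in rest

def evaluate(acl, proto, src, sport, dst, dport, ack):
    """First-match evaluation as IOS does it. ack=False models the bare SYN that opens a
    connection; an 'established' ACE needs ACK or RST set, so a SYN-only packet never matches it."""
    for line in acl:
        action, p, s, sp, d, dp, est = parse(line)
        if (p in ("ip", proto) and ipaddress.ip_address(src) in s and ipaddress.ip_address(dst) in d
                and sp(sport) and dp(dport) and (ack or not est)):
            return action, line
    return "deny", "(implicit deny)"

def ftp_data_verdicts(server="198.51.100.9", client="194.7.246.161"):
    """Active: server SYN from port 20 to a client high port. Passive: server high port answering."""
    return {"active": evaluate(ACL, "tcp", server, 20, client, 1040, False)[0],
            "passive": evaluate(ACL, "tcp", server, 3456, client, 1041, True)[0]}
```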
-----Original Message-----
From: Ben Nagy [mailto:[EMAIL PROTECTED]]
Sent: Friday, 28 July 2000 3:28
To: 'Chris Brenton'
Cc: '[EMAIL PROTECTED]'
Subject: RE: ftp through CISCO access-list
> -----Original Message-----
> From: Chris Brenton [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 28 July 2000 10:14 AM
> To: Ben Nagy
> Cc: '[EMAIL PROTECTED]'
> Subject: Re: ftp through CISCO access-list
>
>
> Ben Nagy wrote:
> >
> > FTP Passive mode should work through those ACLs as well. Passive just means
> > that the client starts the ftp-data connection instead of the server.
>
> Actually, this is exactly why it will not work. ;)
>
> The listed ACL's are:
>
> > int ser0
> > ip access-group 110 in
> > ...
> >
> > ...
> > access-list 110 permit tcp any eq ftp host X.X.X.X established
> > access-list 110 permit tcp any eq ftp-data host X.X.X.X
> > ...
> > access-list 110 deny ip any any
>
>
> You are 100% correct that passive is established from client to server.
> The problem is it's established from one upper port to another. There is
> nothing here to allow inbound SYN=1 < 1023. To fix this, ports 1023-4096
> need to be opened inbound to the FTP server as well.
Uh, we're talking about different things, aren't we....
I thought that this was a problem with an FTP _client_ on the inside talking
to an FTP _server_ on the outside.
I'm therefore assuming (hoping) that there is a line like:
permit tcp any host X.X.X.X gt 1023 established
Otherwise a whole lot more than FTP would be busted (this is why I wanted to
see the rest of the ACL). If there is, it should all work, yah?
But yes, you're absolutely right - reading the original message again it
could be taken either way (inside FTP server / inside FTP client).
So, Tom - if you're talking about problems with your FTP server, to do what
Chris says - add this:
deny tcp any host X.X.X.X gt 4096 [1]
permit tcp any host X.X.X.X gt 1023
If not, make sure you just have an 'established' line like the one above.
>
> HTH,
> Chris
> --
Cheers,
[1] Personally, I'm a bit dubious about this. You may have problems if your
clients pick a really high port for the data channel. You can omit this line
if you trust _all_ the high ports on your FTP server.
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]