From: John Matus (john_matus@hotmail.com)
Date: Mon Jun 20 2005 - 19:19:53 GMT-3
True. If you are allowing ftp, you would need to allow both port 20 and
21.
>From: "ccie2be" <ccie2be@nyc.rr.com>
>To: "'John Matus'" <john_matus@hotmail.com>, <ccielab@groupstudy.com>
>Subject: RE: filtering active mode vs. passive mode ftp
>Date: Mon, 20 Jun 2005 18:10:22 -0400
>
>John,
>
>Good point.
>
>I would say that if you're denying FTP, then denying just the control is
>sufficient in the sense that a file transfer won't take place without the
>control channel being opened. But, you would probably want to drop the
>traffic coming in the data channel at the router rather than have the FTP
>server drop it.
>
>But what if you're allowing ftp? In that case, I think you need both the
>control and the data channels.
>
>HTH, Tim
>
>-----Original Message-----
>From: John Matus [mailto:john_matus@hotmail.com]
>Sent: Monday, June 20, 2005 6:01 PM
>To: ccie2be@nyc.rr.com; ccielab@groupstudy.com
>Subject: RE: filtering active mode vs. passive mode ftp
>
>What would be the advantage of issuing only ftp-data? If you've blocked
>ftp @ port 21, then the server can never open up port 20 for the
>data.
>
> >From: "ccie2be" <ccie2be@nyc.rr.com>
> >To: "'John Matus'" <john_matus@hotmail.com>, <ccielab@groupstudy.com>
> >Subject: RE: filtering active mode vs. passive mode ftp
> >Date: Mon, 20 Jun 2005 17:31:55 -0400
> >
> >Hey John,
> >
> >Recently (within the past 2 or 3 weeks), I went over this issue with Bob
> >Sinclair.
> >
> >For both active and passive, you can use nbar ie match prot ftp.
> >
> >If you want to use an acl for active, you can use "eq ftp" and "eq
> >ftp-data".
> >
 >For passive FTP, you're out of luck using an acl for the data connection.
> >
> >HTH, Tim
> >
> >-----Original Message-----
> >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> >John
> >Matus
> >Sent: Monday, June 20, 2005 5:16 PM
> >To: ccielab@groupstudy.com
> >Subject: filtering active mode vs. passive mode ftp
> >
 >I'm a bit confused how you would filter active ftp vs. passive ftp. Both
 >sessions initiate on the server's port 21, so I can see how you could filter
 >with:
> >
> >access-l 100 deny tcp host 1.1.1.1 host 1.1.1.2 eq ftp
> >
 >But when you get to the data part of the session, it seems that you would
 >only be able to block active mode ftp with:
 >
 >access-l 100 deny tcp host 1.1.1.1 host 1.1.1.2 eq ftp-data
 >
 >where the port is 20. Is this correct? Is there another way to block
 >passive mode ftp?
> >
 >I suppose you could just block port 21 in either scenario, and that would
 >stop the command portion of the session, so the data would be a moot
 >point.
> >
> >_________________________________________________________________
 >Don't just search. Find. Check out the new MSN Search!
> >http://search.msn.click-url.com/go/onm00200636ave/direct/01/
> >
> >_______________________________________________________________________
> >Subscription information may be found at:
> >http://www.groupstudy.com/list/CCIELab.html
> >
>
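The point the thread circles around (a static ACL can name port 21 and, for active mode, port 20, but the passive-mode data port only exists as a number inside a 227 reply) is easier to see modelled than described. The block below is an added example, not code from the thread or from Cisco IOS: it models the two ACL entries against the 1.1.1.1 / 1.1.1.2 hosts from the original post, then models what a stateful FTP inspector such as NBAR or "ip inspect ftp" derives from the control channel. The PORT / 227 parsing follows RFC 959; the flows, port numbers and the bounce-check behaviour of the inspector are constructed for the example, and the "deny ... eq ftp-data" entry is written with the server as source, because active-mode data is opened by the server from port 20.

```python
"""Constructed model: static IOS ACL vs. stateful inspection for FTP data channels.
Hosts 1.1.1.1 (client) and 1.1.1.2 (server) come from the thread; every flow,
port number and control-channel line below is made up for this example."""
import re
from dataclasses import dataclass
from typing import Optional

CLIENT, SERVER = "1.1.1.1", "1.1.1.2"
FTP, FTP_DATA = 21, 20          # the IOS keywords "ftp" and "ftp-data"


@dataclass(frozen=True)
class Flow:
    """A TCP connection, written in the direction of its initial SYN."""
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One 'tcp host A [eq X] host B [eq Y]' match; None means any port.
    Used both for static ACL entries and for inspector-created pinholes."""
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

    def matches(self, f: Flow) -> bool:
        return (f.src == self.src and f.dst == self.dst
                and self.sport in (None, f.sport)
                and self.dport in (None, f.dport))


# access-list 100 deny tcp host 1.1.1.1 host 1.1.1.2 eq ftp
# access-list 100 deny tcp host 1.1.1.2 eq ftp-data host 1.1.1.1
# (active-mode data is opened by the server *from* port 20, so the
#  ftp-data entry has to name the server side as the source port)
STATIC_ACL = [
    Rule(CLIENT, None, SERVER, FTP),
    Rule(SERVER, FTP_DATA, CLIENT, None),
]


def static_acl_denies(f: Flow) -> bool:
    return any(r.matches(f) for r in STATIC_ACL)


_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text: str) -> Optional[tuple]:
    """Decode the h1,h2,h3,h4,p1,p2 form shared by PORT and the 227 reply."""
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    parts = list(map(int, m.groups()))
    if max(parts) > 255:
        return None
    h1, h2, h3, h4, p1, p2 = parts
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def pinhole_from_control(ctrl: Flow, line: str, from_server: bool) -> Optional[Rule]:
    """What a stateful FTP inspector learns from one control-channel line: the
    data connection it should expect. Returns None for lines that announce no
    data port, and for a PORT / 227 naming some *other* host (FTP bounce),
    which the inspector should refuse to open a pinhole for (constructed rule)."""
    line = line.strip()
    hp = parse_hostport(line)
    if hp is None:
        return None
    addr, port = hp
    if not from_server and line.upper().startswith("PORT "):
        if addr != ctrl.src:              # client may only ask for itself
            return None
        # active: server connects from 20 to the port the client announced
        return Rule(ctrl.dst, FTP_DATA, addr, port)
    if from_server and line.startswith("227"):
        if addr != ctrl.dst:              # server may only announce itself
            return None
        # passive: client connects from an ephemeral port to the announced one
        return Rule(ctrl.src, None, addr, port)
    return None


def demo() -> dict:
    ctrl = Flow(CLIENT, 40001, SERVER, FTP)
    active = Flow(SERVER, FTP_DATA, CLIENT, 40002)   # after "PORT 1,1,1,1,156,66"
    passive = Flow(CLIENT, 40003, SERVER, 50000)     # after "227 ... (1,1,1,2,195,80)"
    active_hole = pinhole_from_control(ctrl, "PORT 1,1,1,1,156,66", from_server=False)
    passive_hole = pinhole_from_control(
        ctrl, "227 Entering Passive Mode (1,1,1,2,195,80)", from_server=True)
    bounce = pinhole_from_control(ctrl, "PORT 9,9,9,9,0,80", from_server=False)
    return {
        "static_denies_control": static_acl_denies(ctrl),
        "static_denies_active_data": static_acl_denies(active),
        "static_denies_passive_data": static_acl_denies(passive),   # False: the gap
        "inspector_matches_active": active_hole is not None and active_hole.matches(active),
        "inspector_matches_passive": passive_hole is not None and passive_hole.matches(passive),
        "inspector_rejects_bounce": bounce is None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:30} {result}")
```

Running it shows the asymmetry: both static entries match the control channel and the active-mode data channel, but the passive-mode data connection (client ephemeral port to server port 50000 here) matches neither, while the inspector that read the 227 reply matches it exactly. The same model also shows why the inspector must compare the announced address with the control-channel peer before opening anything: a PORT command naming a third host is the classic FTP bounce and gets no pinhole.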
This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:42 GMT-3