From: James Yeo (James.Yeo@arivia.co.za)
Date: Tue Jun 21 2005 - 08:09:21 GMT-3
Please check your version:
My policy has the following options:
Not_Nortel(config-pmap-c)#?
QoS policy-map class configuration commands:
  bandwidth        Bandwidth
  compression      Activate Compression
  drop             Drop all packets
  exit             Exit from QoS class action configuration mode
  netflow-sampler  NetFlow action
  no               Negate or set default values of a command
  police           Police
  priority         Strict Scheduling Priority for this Class
  queue-limit      Queue Max Threshold for Tail Drop
  random-detect    Enable Random Early Detection as drop policy
  service-policy   Configure Flow Next
  set              Set QoS values
  shape            Traffic Shaping
Thanks
James
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Keane, James
Sent: Tuesday, June 21, 2005 12:54 PM
To: ccie2be; John Matus; ccielab@groupstudy.com
Subject: RE: filtering active mode vs. passive mode ftp
OK, I understand how you are matching ftp using nbar... but how are you
filtering it?
With a service policy?
I can't see anything in the policy map helping much:
  bandwidth       Bandwidth
  exit            Exit from QoS class action configuration mode
  priority        Strict Scheduling Priority for this Class
  queue-limit     Queue Max Threshold for Tail Drop
  random-detect   Enable Random Early Detection as drop policy
  service-policy  Configure QoS Service Policy
  shape           Traffic Shaping
  police          Police
  set             Set QoS values
Care to shed some light, I suppose I am barking up the wrong tree as per
usual !
-----Original Message-----
From: ccie2be [mailto:ccie2be@nyc.rr.com]
Sent: 20 June 2005 22:32
To: 'John Matus'; ccielab@groupstudy.com
Subject: RE: filtering active mode vs. passive mode ftp
Hey John,
Recently (within the past 2 or 3 weeks), I went over this issue with Bob
Sinclair.
For both active and passive, you can use nbar, i.e. match prot ftp.
If you want to use an acl for active, you can use "eq ftp" and "eq
ftp-data".
For passive FTP, you're out of luck using an acl for the data
connection.
HTH, Tim
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
John Matus
Sent: Monday, June 20, 2005 5:16 PM
To: ccielab@groupstudy.com
Subject: filtering active mode vs. passive mode ftp
i'm a bit confused how you would filter active ftp vs. passive ftp.
both sessions initiate on the server's port 21 so i can see how you could
filter with:
access-l 100 deny tcp host 1.1.1.1 host 1.1.1.2 eq ftp
but when you get to the data part of the session it seems that you would
only be able to block active mode ftp with:
access-l 100 deny tcp host 1.1.1.1 host 1.1.1.2 eq ftp-data
where the port is 20. is this correct? is there another way to block
passive mode ftp?
i suppose you could just block port 21 in either scenario and that
would stop the command portion of the session so the data would be a moot
point.
This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:42 GMT-3
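
Added example, not part of the original thread: a small Python model of why "eq ftp-data" can identify the active-mode data connection but not the passive-mode one. The function names and the two control-channel lines are constructed for illustration; 1.1.1.1 is assumed to be the client and 1.1.1.2 the server, as in the ACLs of the original post.

```python
import re

FTP_DATA = 20  # "eq ftp-data" in the ACL from the original post

# Constructed control-channel lines (not captured traffic).
SAMPLE_PORT = "PORT 1,1,1,1,195,80"                         # client -> server, active
SAMPLE_PASV = "227 Entering Passive Mode (1,1,1,2,234,96)"  # server -> client, passive

def endpoint(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple carried by PORT and by the 227 reply."""
    m = re.search(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})", text)
    if not m:
        raise ValueError("no host/port tuple in %r" % text)
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        raise ValueError("octet out of range in %r" % text)
    return ".".join(str(v) for v in n[:4]), n[4] * 256 + n[5]

def data_connection(control_line, client_ip, server_ip):
    """Return (src_ip, src_port, dst_ip, dst_port) for the data connection's SYN.

    src_port is None when the initiator picks an ephemeral source port.
    """
    line = control_line.strip()
    if line.upper().startswith("PORT "):   # active: server dials out from port 20
        ip, port = endpoint(line)
        return (server_ip, FTP_DATA, ip, port)
    if line.startswith("227"):             # passive: client dials the advertised port
        ip, port = endpoint(line)
        return (client_ip, None, ip, port)
    raise ValueError("not a PORT command or 227 reply: %r" % line)

def port20_acl_can_match(flow):
    """True if port 20 appears on either end, so a static ftp-data match sees it."""
    _, sport, _, dport = flow
    return FTP_DATA in (sport, dport)

if __name__ == "__main__":
    for line in (SAMPLE_PORT, SAMPLE_PASV):
        flow = data_connection(line, "1.1.1.1", "1.1.1.2")
        print(line, "->", flow, "port-20 ACL matches:", port20_acl_can_match(flow))
```

In passive mode the data port only exists inside the 227 reply on the control channel, which is why the thread falls back to nbar or to blocking port 21 itself.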