If it's not passive mode, the data channel is initiated by the server from port 20 (FTP data) to the ephemeral port provided by the client in its PORT command. Ephemeral just means a short-lived port with a number greater than 1023.
If it is passive mode, then the data channel is initiated by the client from an ephemeral port to an ephemeral port provided by the server in its PASV command. In other words, access lists with FTP are tricky.

Priscilla

At 03:14 PM 10/30/01, Jonathan Hays wrote:
>Michael Williams wrote:
>
> > That would work, although you don't need the "deny ip any any" as there is
> > always an implied "deny all" at the end of the access list.
> >
> > However, to protect yourself from unwanted traffic/attacks, you can change
> > your access list to only allow traffic incoming on port 21 (eq ftp):
> >
> > access-list 110 permit tcp any host 192.3.10.10 eq ftp
> >
>
>Don't we also want an ACL line for the ftp data channel?
>
>access-list 110 permit tcp any host 192.3.10.10 eq ftp-data
>
>And if the server is using passive ftp
>
>access-list 110 permit tcp any host 192.3.10.10 gt 1023 established

________________________
Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=24695&t=24525
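An added example, not part of the thread, that models how the three access-list lines quoted above evaluate packets arriving inbound toward the server for an active and a passive FTP session. The server address and ACL lines are from the thread; the port numbers and TCP flags are constructed, the list is assumed to be applied inbound toward the server, and the IOS "established" keyword is modelled as matching only segments with ACK or RST set.

```python
from dataclasses import dataclass

FTP, FTP_DATA = 21, 20
SERVER = "192.3.10.10"  # server address from the thread


@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset  # TCP flags set on the segment, e.g. {"SYN"} or {"ACK"}


@dataclass(frozen=True)
class Ace:
    """One 'permit tcp any host <dst> <op> <port> [established]' entry."""
    dst_ip: str
    op: str          # "eq" or "gt"
    port: int
    established: bool = False

    def matches(self, pkt: Packet) -> bool:
        if pkt.dst_ip != self.dst_ip:
            return False
        if self.op == "eq" and pkt.dst_port != self.port:
            return False
        if self.op == "gt" and pkt.dst_port <= self.port:
            return False
        # 'established' matches only segments with ACK or RST set (assumed model)
        if self.established and not (pkt.flags & {"ACK", "RST"}):
            return False
        return True


def permitted(acl, pkt: Packet) -> bool:
    return any(ace.matches(pkt) for ace in acl)  # implicit deny all at the end


# access-list 110 as assembled in the thread
ACL_110 = [Ace(SERVER, "eq", FTP), Ace(SERVER, "eq", FTP_DATA),
           Ace(SERVER, "gt", 1023, established=True)]

# Constructed inbound packets (client -> server direction only); ports are made up.
ACTIVE_INBOUND = {
    "control SYN": Packet(49152, SERVER, FTP, frozenset({"SYN"})),
    "data ACK to port 20 (server opened 20 -> client)": Packet(49153, SERVER, FTP_DATA, frozenset({"ACK"})),
}
PASSIVE_INBOUND = {
    "control SYN": Packet(49152, SERVER, FTP, frozenset({"SYN"})),
    "data SYN to server ephemeral port": Packet(49154, SERVER, 50000, frozenset({"SYN"})),
    "data ACK to server ephemeral port": Packet(49154, SERVER, 50000, frozenset({"ACK"})),
}


def evaluate(acl, packets) -> dict:
    """Return {packet description: permitted?} for each packet against the ACL."""
    return {name: permitted(acl, pkt) for name, pkt in packets.items()}
```

Running evaluate(ACL_110, PASSIVE_INBOUND) shows the passive data-channel SYN denied while the later ACK-bearing segments pass, which is what makes the passive case tricky to handle with a stateless list.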

