Priscilla Oppenheimer wrote:
> If it's not passive mode, the data channel is initiated by the server from
> port 20 (FTP data) to the ephemeral port provided by the client in its PORT
> command. Ephemeral just means a short-lived port with a number greater than
> 1023.
>
> If it is passive mode, then the data channel is initiated by the client
> from an ephemeral port to an ephemeral port provided by the server in its
> PASV command.
>
> In other words, access lists with FTP are tricky.
>
> Priscilla
>
> At 03:14 PM 10/30/01, Jonathan Hays wrote:
> >Don't we also want an ACL line for the ftp data channel?
> >
> >access-list 110 permit tcp any host 192.3.10.10 eq ftp-data
> >
> >And if the server is using passive ftp
> >
> >access-list 110 permit tcp any host 192.3.10.10 gt 1023 established
Oops, you're right! I'm getting a bit rusty... The "ftp-data" entry would allow data connections from an external ftp server to ftp sessions initiated by the LAN client, which is not what the original poster wanted.

However, the "gt 1023 established" entry should allow access for Internet clients to the LAN ftp server doing passive ftp. But it does open things up a bit too much for the comfort of most paranoid sysadmins.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=24742&t=24525
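To illustrate why the thread calls FTP access lists tricky, the following Python (an added example, not part of either post) models how IOS evaluates the entries of access-list 110 against inbound segments of each FTP data-channel mode. The `eq ftp` control-channel entry and the sample packets are assumptions; `established` is modelled as IOS defines it, matching only segments with the ACK or RST bit set.

```python
from dataclasses import dataclass
FTP_SERVER = "192.3.10.10"   # LAN FTP server named in the thread
FTP_CTRL, FTP_DATA = 21, 20  # IOS keywords 'ftp' and 'ftp-data'

@dataclass(frozen=True)
class Packet:                # inbound TCP segment; only the fields the ACL tests
    dst: str
    dport: int
    ack: bool = False
    rst: bool = False
@dataclass(frozen=True)
class Ace:                   # one extended access-list entry (destination-port match)
    action: str              # 'permit' or 'deny'
    dst: str                 # 'any' or a host address
    op: str                  # 'eq' or 'gt' on the destination port
    port: int
    established: bool = False
    text: str = ""           # the IOS line, for reporting

    def matches(self, p: Packet) -> bool:
        if self.dst != "any" and p.dst != self.dst:
            return False
        if (self.op == "eq" and p.dport != self.port) or \
           (self.op == "gt" and p.dport <= self.port):
            return False
        # IOS 'established' matches only segments with ACK or RST set,
        # so the initial SYN of a new connection never matches such an entry.
        return not self.established or p.ack or p.rst

def evaluate(acl, p):
    """First matching entry wins; an implicit deny ends every IOS ACL."""
    for ace in acl:
        if ace.matches(p):
            return ace.action, ace.text
    return "deny", "implicit deny"

# The control-channel entry is assumed; the other two are quoted in the thread.
ACL_110 = [
    Ace("permit", FTP_SERVER, "eq", FTP_CTRL, text="permit tcp any host 192.3.10.10 eq ftp"),
    Ace("permit", FTP_SERVER, "eq", FTP_DATA, text="permit tcp any host 192.3.10.10 eq ftp-data"),
    Ace("permit", FTP_SERVER, "gt", 1023, True, "permit tcp any host 192.3.10.10 gt 1023 established"),
]

# Constructed inbound segments. Active mode: the server opens the data connection from
# port 20, so inbound traffic is the client's ACK-flagged replies to port 20. Passive
# mode: the client opens it to a server port >1023, so the first inbound segment is a bare SYN.
ACTIVE_DATA_REPLY = Packet(FTP_SERVER, FTP_DATA, ack=True)
PASSIVE_DATA_SYN = Packet(FTP_SERVER, 2048)
PASSIVE_DATA_ACK = Packet(FTP_SERVER, 2048, ack=True)
UNRELATED_ACK = Packet(FTP_SERVER, 8080, ack=True)  # not FTP traffic at all
```

Running `evaluate(ACL_110, p)` over the four constructed segments shows which entry admits each one, and that the last entry also admits ACK-flagged segments to any port above 1023, which is the looseness the reply above worries about.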

