Thank you very much, Priscilla.

Jill
"Priscilla Oppenheimer" wrote in message news:[EMAIL PROTECTED]...
> From a book that I am working on. The figures would help, but you'll have to buy the book for that! ;-)
>
> FTP Active Mode
>
> 1 The client sends a TCP SYN to the well-known FTP control port (port 21) on the server. The client uses an ephemeral port as its source port. (Ephemeral means short-lived, not well-known, and greater than 1023.)
> 2 The server sends the client a SYN ACK from port 21 to the ephemeral port on the client.
> 3 The client sends an ACK. The client uses this connection to send FTP commands, and the server uses this connection to send FTP replies.
> 4 When the user requests a directory listing or initiates the sending or receiving of a file, the client software sends a PORT command that includes an ephemeral port number that the client wishes the server to use when opening the data connection.
> 5 The server sends a SYN from port 20 (FTP data) to the client's ephemeral port number, which was provided to the server in the client's PORT command.
> 6 The client sends a SYN ACK from its ephemeral port to port 20.
> 7 The server sends an ACK.
> 8 The host that is sending data uses this new connection to send the data in TCP segments, which the other host ACKs. (With some commands, such as STOR, the client sends data. With other commands, such as RETR, the server sends data.)
> 9 After the data transfer is complete, the host sending data closes the data connection with a FIN, which the other host ACKs. The other host also sends its own FIN, which the sending host ACKs.
> 10 The client can send more commands on the control connection, which may cause additional data connections to be opened and then closed. At some point, when the user is finished, the client closes the control connection with a FIN. The server ACKs the client's FIN. The server also sends its own FIN, which the client ACKs.
>
> FTP Passive Mode
>
> The steps for passive FTP are described in the following list. Steps 1-3 are the same as the first three steps for active mode. Also, steps 9-11 are the same as the last three steps for active mode.
>
> 1 The client sends a TCP SYN to the well-known FTP control port (port 21) on the server. The client uses an ephemeral port as the source port.
> 2 The server sends the client a SYN ACK from port 21 to the ephemeral port on the client.
> 3 The client sends an ACK. The client uses this connection to send FTP commands, and the server uses the connection to send FTP replies.
> 4 When the user requests a directory listing or initiates the sending or receiving of a file, the client software sends a PASV command to the server indicating the desire to enter passive mode.
> 5 The server replies. The reply includes an ephemeral port number that the client should use when opening the connection for data transfer.
> 6 The client sends a SYN from a client-selected ephemeral port to the server's ephemeral port number, which was provided to the client in the reply to the client's PASV command.
> 7 The server sends a SYN ACK from its ephemeral port to the client's ephemeral port.
> 8 The client sends an ACK.
> 9 The host that is sending data uses this new connection to send the data in TCP segments, which the other host ACKs. (With some commands, such as STOR, the client sends data. With other commands, such as RETR, the server sends data.)
> 10 After the data transfer is complete, the host sending data closes the data connection with a FIN, which the other host ACKs. The other host also sends its own FIN, which the sending host ACKs.
> 11 The client can send more commands on the control session, which may cause additional data connections to be opened and then closed. At some point, when the user is finished, the client closes the control connection with a FIN. The server ACKs the client's FIN.
> The server also sends its own FIN, which the client ACKs.
>
> Priscilla
>
> At 12:34 AM 10/31/01, Jill Johnson wrote:
> >Thank you very much for all your help.
> >
> >I still don't quite understand about the Passive Mode.
> >
> >The idea of setting up this access-list is for the users to dial in from home and to be able to do FTP to the servers at work.
> >
> >Thanks.
> >
> >Jill
> >
> >Jonathan Hays wrote:
> >
> > > Priscilla Oppenheimer wrote:
> > >
> > > > If it's not passive mode, the data channel is initiated by the server from port 20 (FTP data) to the ephemeral port provided by the client in its PORT command. Ephemeral just means a short-lived port with a number greater than 1023.
> > > >
> > > > If it is passive mode, then the data channel is initiated by the client from an ephemeral port to an ephemeral port provided by the server in its PASV command.
> > > >
> > > > In other words, access lists with FTP are tricky.
> > > >
> > > > Priscilla
> > > >
> > > > At 03:14 PM 10/30/01, Jonathan Hays wrote:
> > > > >Don't we also want an ACL line for the ftp data channel?
> > > > >
> > > > >access-list 110 permit tcp any host 192.3.10.10 eq ftp-data
> > > > >
> > > > >And if the server is using passive ftp
> > > > >
> > > > >access-list 110 permit tcp any host 192.3.10.10 gt 1023 established
> > >
> > > Oops, you're right! I'm getting a bit rusty...
> > >
> > > The "ftp-data" entry would allow data connections from an external ftp server to ftp sessions initiated by the LAN client, which is not what the original poster wanted.
> > >
> > > However, the "gt 1023 established" entry should allow access for Internet clients to the LAN ftp server doing passive ftp. But it does open things up a bit too much for the comfort of most paranoid sysadmins.
> ________________________
>
> Priscilla Oppenheimer
> http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=24951&t=24525
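As an added example (not code from the thread or from Priscilla's book), the following Python helper decodes the PORT command and the 227 reply to PASV, both of which carry the endpoint as six comma-separated fields with port = p1*256 + p2, and works out for each mode which host sends the data-connection SYN and between which ports, which is what an ACL author has to know. The server 192.3.10.10 is the one from the thread; the client address 10.1.1.5, the sample messages and the default client port are constructed.

```python
import re
from dataclasses import dataclass

# PORT (client to server) and the 227 reply to PASV (server to client) both
# carry the endpoint as six fields h1,h2,h3,h4,p1,p2 (RFC 959); port = p1*256+p2.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
FTP_DATA_PORT = 20  # source port of the server's SYN in active mode

def parse_hostport(text):
    """Return (ip, port) from a PORT command or a 227 PASV reply."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("each field must fit in one octet")
    port = fields[4] * 256 + fields[5]
    if port <= 1023:  # ephemeral ports are > 1023; a well-known port is bogus
        raise ValueError("advertised port %d is not ephemeral" % port)
    return ".".join(str(f) for f in fields[:4]), port

@dataclass(frozen=True)
class DataSyn:
    """The SYN that opens the data connection, as a packet filter sees it."""
    initiator: str  # "server" in active mode, "client" in passive mode
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def data_connection(mode, client_ip, server_ip, message, client_ephemeral=40001):
    """Derive the data-connection SYN from a PORT command or a 227 reply."""
    # client_ephemeral is the client-chosen source port (passive mode only);
    # the default is a constructed value, a real client picks it at connect time.
    ip, port = parse_hostport(message)
    if mode == "active":
        # Active step 5: server connects from port 20 to the client port named in
        # PORT. The address in PORT must be the control peer, otherwise the server
        # would be asked to open a data connection to some other host.
        if ip != client_ip:
            raise ValueError("PORT names %s, control peer is %s" % (ip, client_ip))
        return DataSyn("server", server_ip, FTP_DATA_PORT, client_ip, port)
    if mode == "passive":
        # Passive step 6: client connects from its own ephemeral port to the
        # server's ephemeral port named in the 227 reply; same peer check.
        if ip != server_ip:
            raise ValueError("227 names %s, control peer is %s" % (ip, server_ip))
        return DataSyn("client", client_ip, client_ephemeral, server_ip, port)
    raise ValueError("mode must be 'active' or 'passive', not %r" % mode)
```

In the passive case the result shows the inbound SYN arriving at a server port above 1023, the connection the `gt 1023` line in the thread is meant to cover; the peer-address checks are the kind of sanity check a stateful FTP inspector applies before opening a pinhole.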

