It's Apple Filing Protocol (used to be called AppleTalk Filing Protocol). It's built into Macintoshes. Third-party vendors such as Thursby Systems have it for PCs. It's a typical client/server file sharing solution.
It's not really a great solution unless you have a lot of Macs. Well, technically, it is a good solution, but for the PCs you would have to buy the software (~$180) and PC bigots might object (just out of ignorance though! ;-]

But there are other alternatives to FTP. You could use the built-in PC file sharing SMB over TCP/IP. You could use WebDAV. But, to be honest, FTP is pretty ingrained, despite its shortcomings. Replacing it could be a hard sell.

Priscilla

At 12:27 AM 11/2/01, J. Johnson wrote:
>Priscilla,
>
>So you used AFP instead of FTP. Do you mind sending the info on AFP such
>as vendor name, web site, phone number, etc.?
>
>Thanks.
>
>Jill
>
>"Priscilla Oppenheimer" wrote in message
>news:[EMAIL PROTECTED]...
> > Thanks for carrying it through. It's very helpful.
> >
> > And to reiterate what you said in your first message, this one (for
> > passive mode when the 192.3.10.10 server is on the local network) is
> > risky because it has to be non-specific:
> >
> > access-list 110 permit tcp any gt 1023 host 192.3.10.10 gt 1023
> >
> > So maybe it's best to tell the users not to use passive mode. But then
> > they better not have personal firewalls that don't allow the session
> > setup from the server! I have actually run into situations where there
> > were so many firewalls (network-wide and personal) that we couldn't use
> > FTP. We used AFP over TCP instead. (which by the way is much more secure
> > for another reason, which is that it encrypts a random number provided
> > by the server with the password. FTP sends the password in clear text.)
> >
> > Anyway, thanks again.
> >
> > Priscilla
> >
> > At 12:49 AM 11/1/01, Jonathan Hays wrote:
> > >Priscilla Oppenheimer wrote:
> > >
> > > > From a book that I am working on. The figures would help, but you'll
> > > > have to buy the book for that! ;-)
> > > >
> > >
> > >Thanks. Good info! And a good reminder for people like me who have been
> > >working on non-Cisco projects and are getting rusty on our access list
> > >skills. 8-)
> > >
> > >For closure (often synonymous with "getting the last word") I will work
> > >through the typical FTP access list entries in light of Priscilla's
> > >excellent description. Experienced folks will probably be bored reading
> > >this and I tend to be repetitive for the sake of beginners (but I
> > >welcome comments of any type from anyone).
> > >
> > >Recall that our scenario involves giving Internet users access to the
> > >FTP server sitting on our LAN. Let's assume the access list will be
> > >applied with "access-group in" to the router's WAN connection, say
> > >serial 0.
> > >
> > >Let's start with the Active mode case.
> > >
> > >Referring to Priscilla's description, in step 1 the FTP conversation is
> > >initiated from the Internet client using an ephemeral source port
> > >(greater than 1023) to the FTP server (192.3.10.10) listening on port
> > >21 (destination port). Since we need to allow that first TCP SYN to
> > >come through we cannot use the "established" keyword. The "any" in our
> > >access list is for the Internet client and "192.3.10.10" is the FTP
> > >server. The first access list entry is
> > >
> > >access-list 110 permit tcp any gt 1023 host 192.3.10.10 eq 21
> > >
> > >Now for the ftp data connection. In step 4 the client sends the PORT
> > >command to the FTP server along with the ephemeral port number to be
> > >used for the FTP data (port 20) connection. In step 5 the FTP server on
> > >the LAN initiates the TCP connection (SYN) to the Internet-based
> > >client. This initial packet will not need an access list entry since
> > >there is no access list on packets going _out_ serial 0, only for those
> > >coming in.
> > >
> > >However, we must let the client SYN ACK response through (and other
> > >port 20 packets from the Internet). At this point, the client's packets
> > >will obviously have the ACK (or RST) bit set and will use source port
> > >gt 1023, destination port 20. The necessary access list entry is
> > >
> > >access-list 110 permit tcp any gt 1023 host 192.3.10.10 eq 20 established
> > >
> > >In the case of Passive mode, the client initiates the data connection
> > >so we can't use the "established" keyword, as I mistakenly did in a
> > >previous post. In passive mode step 4 the Internet client issues the
> > >PASV command and the server supplies an ephemeral port to initiate the
> > >connection. To let this packet into serial 0 on our router the access
> > >list entry is
> > >
> > >access-list 110 permit tcp any gt 1023 host 192.3.10.10 gt 1023
> > >
> > >-----
> > >Let's look at the reverse scenario, which is also very common. Suppose
> > >we were trying to allow FTP access from clients on an internal network
> > >(say 192.3.10.0/24) to FTP servers outside on the Internet. Let's keep
> > >our focus on the packets coming in and use the same "access-group in"
> > >on serial 0 as before. In this case "any" refers to the responding
> > >Internet FTP servers and "192.3.10.0 0.0.0.255" refers to the
> > >initiating FTP clients on our LAN. The access lists would look like
> > >this
> > >
> > >access-list 110 permit tcp any eq 21 192.3.10.0 0.0.0.255 gt 1023 established
> > >access-list 110 permit tcp any eq 20 192.3.10.0 0.0.0.255 gt 1023
> > >access-list 110 permit tcp any gt 1023 192.3.10.0 0.0.0.255 gt 1023 established
> > >
> > >Compared to the previous scenario, notice that the source and
> > >destination haven't changed (although I changed "host 192.3.10.10" to
> > >"192.3.10.0 0.0.0.255") but the ports are swapped between source and
> > >destination in each access list. Also, the lack of or existence of the
> > >"established" keyword is reversed.
> > >
> > >In the first list entry the client on the LAN has initiated the
> > >connection and we need to allow FTP control (port 21) packets from
> > >Internet FTP servers through if they have the ACK or RST bit set. The
> > >second entry allows the FTP server to initiate a data connection
> > >(source port 20) to the client's ephemeral port on the LAN, so we drop
> > >the "established" keyword. For the third entry, since the client is
> > >initiating passive mode FTP we let "established" FTP data connection
> > >packets from the server through.
> > >
> > >Hope no one fell asleep. ;-)
> > >
> > >Jonathan
> > ________________________
> >
> > Priscilla Oppenheimer
> > http://www.priscilla.com

________________________
Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=25032&t=24525
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
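A small Python model of the inbound access-list entries Jonathan walks through in the quoted thread (both the server-on-LAN and the clients-on-LAN scenarios). This is an added example, not code from the thread or from Cisco: it parses the entries exactly as written, applies IOS first-match semantics with the implicit trailing deny, and lets you check constructed sample packets, including a SYN to a non-FTP high port on the server, which the non-specific passive-mode entry also admits (the risk Priscilla points out). The client and server addresses used in the checks are constructed.

```python
import ipaddress
from collections import namedtuple

# Inbound entries from the thread (ACL applied "in" on the WAN interface).
FTP_SERVER_ON_LAN = [  # Internet clients reaching the FTP server 192.3.10.10
    "access-list 110 permit tcp any gt 1023 host 192.3.10.10 eq 21",
    "access-list 110 permit tcp any gt 1023 host 192.3.10.10 eq 20 established",
    "access-list 110 permit tcp any gt 1023 host 192.3.10.10 gt 1023",
]
FTP_CLIENTS_ON_LAN = [  # LAN clients in 192.3.10.0/24 reaching Internet FTP servers
    "access-list 110 permit tcp any eq 21 192.3.10.0 0.0.0.255 gt 1023 established",
    "access-list 110 permit tcp any eq 20 192.3.10.0 0.0.0.255 gt 1023",
    "access-list 110 permit tcp any gt 1023 192.3.10.0 0.0.0.255 gt 1023 established",
]
Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: set of TCP flag names

def _addr(toks, i):
    """'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' -> (ip_network, next index)."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(toks[i] + "/" + toks[i + 1]), i + 2  # wildcard = hostmask

def _port(toks, i):
    """Optional 'eq N' / 'gt N' operator -> ((op, N) or None, next index)."""
    if i < len(toks) and toks[i] in ("eq", "gt"):
        return (toks[i], int(toks[i + 1])), i + 2
    return None, i

def _port_ok(spec, port):
    return spec is None or (port == spec[1] if spec[0] == "eq" else port > spec[1])

def parse_entry(line):
    toks = line.split()  # ['access-list', '110', 'permit', 'tcp', ...]
    src, i = _addr(toks, 4)
    sport, i = _port(toks, i)
    dst, i = _addr(toks, i)
    dport, i = _port(toks, i)
    established = i < len(toks) and toks[i] == "established"
    return toks[2], src, sport, dst, dport, established

def evaluate(acl_lines, pkt):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, src, sport, dst, dport, est in map(parse_entry, acl_lines):
        if (ipaddress.ip_address(pkt.src) in src and ipaddress.ip_address(pkt.dst) in dst
                and _port_ok(sport, pkt.sport) and _port_ok(dport, pkt.dport)
                and (not est or bool(pkt.flags & {"ACK", "RST"}))):
            return action
    return "deny"
```

Evaluating `Packet("203.0.113.5", 40004, "192.3.10.10", 8080, {"SYN"})` against `FTP_SERVER_ON_LAN` returns "permit" via the third entry even though nothing FTP-related is involved, which is exactly why the thread suggests steering users away from passive mode when the server is on the LAN.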

