> Tarkan Hocaoglu wrote:
>
> I know that :
> - data channel is established by ftp client from port above 1023 to
> port above 1023 on ftp server.
> - the server answers to a port above 1023 with the ACK bit set to 1.
>
> Am I wrong ?
The ports are right but the server response is a SYN-ACK followed by a
client ACK. Since the data channel is a separate session, you need to
complete a full TCP three-packet handshake before the data flows.
> The problem happens when I activate filtering with the ACK bit on the
> data channel : there's no connection.
> But without the ACK bit set, the connection is established.
The server may also send ACK-PUSH and ACK-FIN in the course of the data
transfer so you really need to let the ACK bit through. How about just
filtering out SYN?
Cheers,
Chris
--
**************************************
[EMAIL PROTECTED]
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
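A small model of the two filter rules discussed in this thread, added here as an example and not part of the original messages. The port numbers and packet sequence are constructed, and the poster's rule is taken to mean "drop inbound packets with the ACK bit set"; Chris's suggestion is modelled as "drop only inbound SYN without ACK".

```python
# Stateless packet filter on the FTP client's side of a passive-mode data
# channel (constructed example, not the thread's own code).
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int
    flags: frozenset   # subset of {"SYN", "ACK", "PSH", "FIN"}
    inbound: bool      # True = server -> client

CLIENT_PORT, SERVER_PORT = 40123, 51000   # constructed, both above 1023

def passive_data_channel():
    """Packets of one passive-mode transfer: handshake, data, close."""
    out = lambda f: Packet(CLIENT_PORT, SERVER_PORT, frozenset(f), False)
    inb = lambda f: Packet(SERVER_PORT, CLIENT_PORT, frozenset(f), True)
    return [
        out({"SYN"}),            # client opens the data channel
        inb({"SYN", "ACK"}),     # server's half of the handshake
        out({"ACK"}),            # handshake complete
        inb({"PSH", "ACK"}),     # server pushes file data
        out({"ACK"}),
        inb({"FIN", "ACK"}),     # server closes after the transfer
        out({"FIN", "ACK"}),
        inb({"ACK"}),
    ]

# An unsolicited inbound connection attempt, to show what SYN filtering stops.
UNSOLICITED_SYN = Packet(12345, CLIENT_PORT, frozenset({"SYN"}), True)

def deny_inbound_ack(p):
    """Poster's rule (as interpreted here): drop inbound packets with ACK set."""
    return p.inbound and "ACK" in p.flags

def deny_inbound_new_syn(p):
    """Chris's suggestion: drop inbound SYN-only packets, let ACKs through."""
    return p.inbound and "SYN" in p.flags and "ACK" not in p.flags

def apply_filter(deny, packets):
    """Flag sets of every packet the rule would drop, in order."""
    return [tuple(sorted(p.flags)) for p in packets if deny(p)]

def handshake_completes(deny, packets):
    """The data channel only comes up if SYN, SYN-ACK and ACK all pass."""
    return not any(deny(p) for p in packets[:3])
```

Under the ACK rule the SYN-ACK is the first casualty, so the handshake never finishes, which matches the "no connection" symptom; the SYN-only rule passes the whole transfer while still dropping an unsolicited inbound SYN.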