Hi,
On 16 Jul 99, at 11:30, Tarkan Hocaoglu wrote:
>
> I know that:
> - the data channel is established by the ftp client from a port
>   above 1023 to a port above 1023 on the ftp server.
> - the server answers to a port above 1023 with the ACK bit set to 1.
>
> Am I wrong?
>
Yes. The data channel is also based on TCP in the Transport Layer. TCP is
connection-oriented: all packets have the ACK bit set _except_ for the
SYN-packet which initiates a connect (TCP active open).
There is no way to filter this with static or dynamic filters if you only
filter based on TCP header information.
The only way to go secure is by having layer 5 filtering: the ftp
protocol on this layer uses the PORT command to set the two communicating
ports for the data transport.
If you can't do that, put your ftp server on a separate machine and open
ports >1023 to >1023, >1023 to 21 and don't forget active ftp: connection
from port 20 of your server to >1023 outside...
Kind Regards / Mit freundlichen Gruessen,
--
Frank M. Heinzius, MMS Communication AG
Eiffestrasse 598, 20537 Hamburg, Germany
mailto:[EMAIL PROTECTED]
http://www.mms.de
Phone: +49 40 211105-40 Fax: +49 40 210 32 210
-- spam forbidden -- -- PGP key available --
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
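The reply above makes two points: a header-only rule such as "port 20 of the server to any port >1023 outside" cannot tell a legitimate active-mode data connection from an unsolicited one, because both are ordinary TCP SYNs; and a layer-5 filter that reads the PORT command on the control channel can. The following Python sketch is an added illustration of that contrast, not code from the original message or from the firewalls list. It assumes a constructed server address (192.0.2.10) and a constructed client (198.51.100.7); the `parse_port_command` and `FtpDataFilter` names are mine. It goes slightly beyond the post by also rejecting PORT commands that name an address other than the control-channel peer, which is what an FTP-aware filter is normally expected to do.

```python
import re

# RFC 959 active-mode PORT command: PORT h1,h2,h3,h4,p1,p2
# (four address octets, then the data port as p1*256 + p2)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def parse_port_command(line):
    """Parse a PORT command from the control channel into (ip, port).

    Returns None for anything that is not a well-formed PORT command or
    that announces a privileged (<=1023) data port.
    """
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port <= 1023:  # ephemeral data ports must be unprivileged
        return None
    return ip, port


def header_only_allows(src_ip, src_port, dst_ip, dst_port, server_ip):
    """The static rule from the post: server port 20 -> any port >1023 outside.

    It looks only at TCP/IP header fields, so it cannot know whether the
    client actually asked for this data connection.
    """
    return src_ip == server_ip and src_port == 20 and dst_port > 1023


class FtpDataFilter:
    """Layer-5-aware filter (hypothetical, for illustration).

    It learns which active-mode data connections to expect from PORT
    commands seen on the control channel and permits only those SYNs.
    """

    def __init__(self, server_ip):
        self.server_ip = server_ip
        self.expected = set()  # (client_ip, client_port) announced via PORT

    def observe_control(self, client_ip, line):
        """Feed one line the client sent on the control channel (port 21)."""
        parsed = parse_port_command(line)
        if parsed is None:
            return False
        ip, port = parsed
        # A PORT naming a host other than the control-channel peer is refused
        if ip != client_ip:
            return False
        self.expected.add((ip, port))
        return True

    def allow_data_syn(self, src_ip, src_port, dst_ip, dst_port):
        """Decide on a SYN from the server side toward the outside."""
        if src_ip != self.server_ip or src_port != 20:
            return False
        key = (dst_ip, dst_port)
        if key in self.expected:
            self.expected.discard(key)  # one data connection per announcement
            return True
        return False


def demo():
    """Constructed scenario: one announced data port, one unsolicited SYN."""
    server, client = "192.0.2.10", "198.51.100.7"
    f = FtpDataFilter(server)
    f.observe_control(client, "PORT 198,51,100,7,4,1")  # announces port 1025
    announced = (header_only_allows(server, 20, client, 1025, server),
                 f.allow_data_syn(server, 20, client, 1025))
    unsolicited = (header_only_allows(server, 20, client, 40000, server),
                   f.allow_data_syn(server, 20, client, 40000))
    return announced, unsolicited


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the header-only rule permitting both SYNs, while the FTP-aware filter permits only the one whose destination port was announced in a PORT command.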