I have been looking at the RFC (1579) relating to ftp PASV and router
access-lists and had a few questions related to a problem I'm encountering.

I've got an FTP server running IIS 4.0 in my DMZ (which is created/protected
by a PIX). I recently changed my Cisco router access-list to deny all but
the protocols I need for business. I'm allowing TCP 20 and 21 in, but many
ftp operations are failing. I realize that this is because the clients are
trying to open restricted ports (in the 2000 range) on the server during
data channel requests. It seems like my trouble, after reading the RFC, is
that we aren't using passive mode. Is this right, and will I be able to
implement this on IIS? Would it be best to just open a larger range of ports
on the router and let the firewall do its work?

Our ftp server is used for both web-URL-based downloads and client batching
projects, so both browsers and various clients will be used to connect to
us.

TIA,

Dave Shackelford
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]

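As an added illustration (not part of the original post) of the two data-channel setups that RFC 1579 contrasts: the script below decodes the `h1,h2,h3,h4,p1,p2` field from a PORT command and a 227 PASV reply, works out which side opens the data connection, and checks that connection against a simplified inbound access-list that permits new TCP connections to the server only on the listed ports. The server address, the client address and both sample messages are constructed; the ACL model assumes return traffic for server-initiated connections is separately allowed (as with Cisco's `established` keyword).

```python
import re

# Constructed sample messages (not taken from a real session):
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,8,46)"  # server port 8*256+46 = 2094
PORT_CMD = "PORT 198,51,100,7,19,137"                       # client port 19*256+137 = 5001

SERVER_IP = "192.0.2.10"   # constructed DMZ server address
CLIENT_IP = "198.51.100.7"  # constructed client address
FTP_DATA_PORT = 20
_SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 PASV reply."""
    m = _SIX.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in: %r" % text)
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        raise ValueError("octet or port byte out of range in: %r" % text)
    return "%d.%d.%d.%d" % tuple(n[:4]), n[4] * 256 + n[5]


def data_connection(mode, text, client_ip=CLIENT_IP):
    """Return (src_ip, src_port, dst_ip, dst_port) for the data channel.

    active  (client sent PORT): the server connects out from port 20 to the client's port.
    passive (server sent 227):  the client connects in to the server's advertised port.
    """
    ip, port = parse_hostport(text)
    if mode == "active":
        return (SERVER_IP, FTP_DATA_PORT, ip, port)
    if mode == "passive":
        return (client_ip, None, ip, port)  # client's source port is ephemeral
    raise ValueError("unknown mode: %r" % mode)


def inbound_acl_permits(conn, allowed_server_ports):
    """Model a router ACL that permits new inbound TCP connections to the server
    only on allowed_server_ports (assumes an 'established' rule covers return traffic)."""
    _src_ip, _src_port, dst_ip, dst_port = conn
    if dst_ip != SERVER_IP:
        return True  # server-initiated (active mode): not a new inbound connection
    return dst_port in allowed_server_ports


if __name__ == "__main__":
    acl = {20, 21}  # the poster's current rule: only TCP 20 and 21 inbound
    for mode, text in (("active", PORT_CMD), ("passive", PASV_REPLY)):
        conn = data_connection(mode, text)
        print(mode, conn, "permitted" if inbound_acl_permits(conn, acl) else "blocked")
```

With only 20 and 21 open, the passive data connection to port 2094 is blocked while the active one (server to client from port 20) passes; adding the server's passive port range to the ACL is what lets PASV transfers through.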