Larry,
Refer to the info below. I got this info from the ISS
mailing list some time back; it might be of some help to you.
FTP is a protocol that opens 2 TCP connections. The first is the "Control" port. This will start with the "Random" source port and have a destination port of 21, as you would expect. When you connect to the remote server, an FTP-DATA connection will be returned. The destination port will be "deterministic based on the Source port of your original control connection". This means the connection is "SEMI RANDOM", making it hard to configure the firewall.

The "FTP-DATA" connection can go in 2 directions depending on your client (IE tends to use Passive mode; the command line uses Active mode, read on...). There is an "active" connection, which is the original FTP standard. Active means the destination FTP server will connect BACK to the client. The "Passive" FTP connection means the client will make a second connection to the server.

What does this mean for you? It depends on your firewall. Some firewalls know the behaviour of FTP and just make allowances for it, e.g. Checkpoint FW1. Others will need you to handle the Data connection as a separate rule.

Note: if you read the MS Proxy release notes (from TechNet or the Knowledge Base, not the CD version), there is mention of setting your Proxy server to only use "Passive mode". It is a registry hack to do so. I would suggest that if your firewall needs the Data connection set up specifically, then you will need to set it to passive, as allowing "outbound protocols" from that server is FAR less risky than allowing "inbound" for a large range of addresses.
Title: FTP through FW-1 with NAT