Re: ftp out

2000-09-05 Thread Seth Wilson

Just tried this with my home lab which has a couple of routers and subnets
on it.  I'm not sure if the ftp-data port is necessary.  The list seemed to
do its job though.

Extended IP access list 169
permit tcp any any eq ftp established
permit tcp any any eq ftp-data established
deny tcp any any eq ftp
deny tcp any any eq ftp-data
permit ip any any

___
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: ftp out

2000-09-05 Thread Paul Harlow

But how would that affect outbound return traffic? An extended access list
will block a port; from this either in or outbound traffic can be denied.
What we noticed in lab was that if we blocked inbound telnet sessions, we
could not telnet to another student's router. The return packets were
denied. Either that or the other end had somehow blocked us as well (which
they shouldn't have for the purposes of the lab). What are thoughts on that?

Paul

-Original Message-
From: Dale Holmes [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 05, 2000 1:56 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: ftp out


Access lists are applied in one direction or the other - in, or out. So you 
are probably looking at an access list that is applied to inbound traffic, 
blocking incoming ftp requests.

A very rudimentary access list entry, that blocks ftp from any source to any
destination might look like this:

access-list 101 deny tcp any any eq ftp

Keep in mind that this entry on its own blocks everything, not just incoming
ftp, because all access lists end with an implicit deny any.
You have to explicitly permit something...

Here is an example that blocks ftp, but permits everything else:

access-list 101 deny tcp any any eq ftp
access-list 101 permit ip any any

You then need to apply the access-list to an interface, and specify whether 
it applies to inbound or outbound traffic. Use the "ip access-group" 
command.

Router(config)#interface s0
Router(config-if)#ip access-group 101 in

You can get much more detail on this here (watch for URL word wrap):

http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/np1_r/1rip.htm#1250

I hope this helps...

Dale
[=`)

>From: "SH Wesson" <[EMAIL PROTECTED]>
>Reply-To: "SH Wesson" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: ftp out
>Date: Tue, 05 Sep 2000 19:23:03 GMT
>
>How do I configure an access list such that it only allows users to ftp out,
>but not any ftp in. Thanks.



RE: ftp out

2000-09-05 Thread Greene, Patrick

! Allow any internal connection back in
access-list 101 permit tcp any any established
! Allow FTP for non-passive ftp modes
access-list 101 permit tcp any eq ftp-data any gt 1024
access-list 101 deny tcp any any


-Original Message-
From: SH Wesson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 05, 2000 3:23 PM
To: [EMAIL PROTECTED]
Subject: ftp out



How do I configure an access list such that it only allows users to ftp out,
but not any ftp in. Thanks.
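An added example, not part of any poster's message: a minimal Python model of first-match ACL evaluation, run over access-list 101 from the reply above as if applied inbound on the outside interface. The packet values and helper names are constructed for illustration; only TCP port tests and the "established" keyword are modelled.

```python
from dataclasses import dataclass

PORTS = {"ftp-data": 20, "ftp": 21}  # IOS port keywords used in the thread

@dataclass
class Packet:            # one TCP segment arriving on the filtered interface
    sport: int
    dport: int
    flags: frozenset     # TCP flags set on the segment

def port_ok(spec, port):
    """spec is None (no port test) or (op, value); only eq and gt are modelled."""
    if spec is None:
        return True
    op, value = spec
    value = PORTS.get(value, value)
    return port == value if op == "eq" else port > value

def evaluate(acl, pkt):
    """Return the action of the first matching entry, else the implicit deny."""
    for action, sport, dport, established in acl:
        if not (port_ok(sport, pkt.sport) and port_ok(dport, pkt.dport)):
            continue
        # "established" matches only segments with ACK or RST set, i.e. not
        # the bare SYN that opens a new connection.
        if established and not (pkt.flags & {"ACK", "RST"}):
            continue
        return action
    return "deny"

# The three entries of access-list 101 (all tcp): (action, src port, dst port, established)
ACL_101 = [
    ("permit", None, None, True),
    ("permit", ("eq", "ftp-data"), ("gt", 1024), False),
    ("deny", None, None, False),
]

# Constructed sample segments, as seen inbound on the outside interface.
SAMPLES = {
    "outside host opens FTP to inside server": Packet(40000, 21, frozenset({"SYN"})),
    "server reply on inside client's control session": Packet(21, 40001, frozenset({"SYN", "ACK"})),
    "server opens active-mode data connection": Packet(20, 40002, frozenset({"SYN"})),
    "outside host opens telnet inbound": Packet(40003, 23, frozenset({"SYN"})),
}

def verdicts():
    return {name: evaluate(ACL_101, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, action in verdicts().items():
        print(f"{action:6} {name}")
```

The ftp-data entry matches on source port alone, so it admits any inbound SYN from port 20 to a port above 1024; where clients use passive mode the data connection is opened from the inside and its replies already match the established entry.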





Re: ftp out

2000-09-05 Thread Dale Holmes

Access lists are applied in one direction or the other - in, or out. So you 
are probably looking at an access list that is applied to inbound traffic, 
blocking incoming ftp requests.

A very rudimentary access list entry, that blocks ftp from any source to any 
destination might look like this:

access-list 101 deny tcp any any eq ftp

Keep in mind that this entry on its own blocks everything, not just incoming 
ftp, because all access lists end with an implicit deny any.
You have to explicitly permit something...

Here is an example that blocks ftp, but permits everything else:

access-list 101 deny tcp any any eq ftp
access-list 101 permit ip any any

You then need to apply the access-list to an interface, and specify whether 
it applies to inbound or outbound traffic. Use the "ip access-group" 
command.

Router(config)#interface s0
Router(config-if)#ip access-group 101 in

You can get much more detail on this here (watch for URL word wrap):

http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/np1_r/1rip.htm#1250

I hope this helps...

Dale
[=`)

>From: "SH Wesson" <[EMAIL PROTECTED]>
>Reply-To: "SH Wesson" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: ftp out
>Date: Tue, 05 Sep 2000 19:23:03 GMT
>
>How do I configure an access list such that it only allows users to ftp out,
>but not any ftp in. Thanks.



Re: ftp out

2000-09-05 Thread Dale Holmes

Oops, I forgot the most important part in my previous reply... You need to 
look at the "established" keyword to allow replies back in to FTP session 
requests that originate within your organization...

Dale
[=`)


>From: "SH Wesson" <[EMAIL PROTECTED]>
>Reply-To: "SH Wesson" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: ftp out
>Date: Tue, 05 Sep 2000 19:23:03 GMT
>
>How do I configure an access list such that it only allows users to ftp out,
>but not any ftp in. Thanks.



ftp out

2000-09-05 Thread SH Wesson

How do I configure an access list such that it only allows users to ftp out,
but not any ftp in. Thanks.