> Be careful using Cisco routers for filtering packets. Specifically,
> there are two things to be aware of:
> (2) The filtering syntax does not allow you to filter on
> source port, only destination port. This makes rules
> for some types of connections (i.e. ftp) a bit more
> "open" than you might like them to be.
We solved this by modifying ftp slightly to only use ports 65000 upwards
for the data connection (as specified in the PORT command). The Cisco
filters can be set to allow connections only to ports >= 65000.
If your source is anything like mine, then all that's needed is, in
function initconn in ftp.c, to make the following change:
< if (sendport)
< data_addr.sin_port = htons (0); /* let system pick one */
----
> if (sendport)
> data_addr.sin_port = htons (65535 - getpid () % 256
> - time (NULL) % 256);
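Review bot: the replacement line `data_addr.sin_port = htons (65535 - getpid () % 256 - time (NULL) % 256);` removes the fallback that `htons (0)` gave you. With port 0 the system chose a free port; here bind() gets one fixed value (always in 65025..65535, so it does satisfy the ">= 65000" filter rule), and if that port happens to be in use the data connection simply fails with EADDRINUSE. Suggest wrapping the bind in a loop that steps to the next port in the allowed range on EADDRINUSE and only gives up once the range is exhausted. It would also help to state the operand types in a comment: `getpid ()` is pid_t and `time (NULL)` is time_t, so the arithmetic is done at that width before htons() narrows the result to 16 bits.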
--
Clive D.W. Feather | IXI Ltd (an SCO company) | If you lie to the compiler,
clive@x.co.uk | Vision Park | it will get its revenge.
Phone: +44 223 236 555 | Cambridge CB4 4ZR | - Henry Spencer
Fax: +44 223 236 466 | United Kingdom |
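The approach described in the post (make the FTP client choose data ports the router filter permits, i.e. >= 65000) can be written so that a collision on the chosen port is handled rather than fatal. The following is an added example, not code from the post or from any ftp.c: it keeps the post's port formula, adds a check that a port satisfies the filter policy, and binds with a retry over the allowed range. The helper names, the DATA_PORT_MIN/MAX constants and the use of INADDR_ANY are assumptions of this example.

```c
/* Added example (not from the original post): binding an FTP data socket
 * to a port the Cisco filter rule "ports >= 65000" lets through, retrying
 * on EADDRINUSE instead of relying on one fixed guess.  data_port_guess()
 * is the post's expression; the rest is this example's own scaffolding. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define DATA_PORT_MIN 65000   /* lowest port the filter policy allows (assumed) */
#define DATA_PORT_MAX 65535   /* highest TCP port */

/* The post's formula: always lands in 65025..65535, hence >= 65000. */
int data_port_guess(int pid, long now)
{
    return 65535 - pid % 256 - (int)(now % 256);
}

/* True if a port satisfies the filter policy "ports >= 65000". */
int port_allowed_by_filter(int port)
{
    return port >= DATA_PORT_MIN && port <= DATA_PORT_MAX;
}

/* Bind sock to a port in [lo, hi], beginning at 'start' and wrapping round.
 * Returns the bound port, -1 if every port in the range is in use or if
 * bind() fails for some reason other than EADDRINUSE. */
int bind_in_range(int sock, int start, int lo, int hi)
{
    struct sockaddr_in addr;
    int span = hi - lo + 1;
    if (start < lo || start > hi)
        start = lo;                         /* guess outside policy: start at lo */
    for (int i = 0; i < span; i++) {
        int port = lo + (start - lo + i) % span;
        memset(&addr, 0, sizeof addr);
        addr.sin_family = AF_INET;
        addr.sin_addr.s_addr = htonl(INADDR_ANY);
        addr.sin_port = htons((unsigned short)port);
        if (bind(sock, (struct sockaddr *)&addr, sizeof addr) == 0)
            return port;                    /* got one the filter will pass */
        if (errno != EADDRINUSE)
            return -1;                      /* a different failure: give up */
    }
    return -1;                              /* whole range busy */
}

int main(void)
{
    int sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) { perror("socket"); return 1; }
    int start = data_port_guess((int)getpid(), (long)time(NULL));
    int port = bind_in_range(sock, start, DATA_PORT_MIN, DATA_PORT_MAX);
    if (port < 0) { perror("bind"); close(sock); return 1; }
    printf("data socket bound to port %d, passes filter policy: %s\n",
           port, port_allowed_by_filter(port) ? "yes" : "no");
    close(sock);
    return 0;
}
```

In a real client the bound port is what goes into the PORT command, so the retry loop is what keeps the client inside the range the router rule allows even when the first guess is taken.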