Great Circle Associates Firewalls
(August 1994)
 


Subject: "established" data connections and ftp
From: z056716 @ uprc . com (LaCoursiere J. D. (Jeff))
Date: Tue, 2 Aug 1994 16:00:55 +0800
To: firewalls @ greatcircle . com

Sorry - deleted the post I am referring to before I had a chance to reply.
The poster mentioned a solution to the problem of ftp transfers in a
screening router environment.  The solution was something to the effect:
Allow packets from all external hosts with source port 20 to all (or
some subset of) internal hosts with destination port > 1023, established.

The only part I disagree with is the "established" part; I am assuming this
is referring to passing/not passing the "start of connection" packet, or the
packet that contains both SYN and ACK.  It is my understanding that by
using this keyword in your access lists, the remote machines would have a
difficult time initiating the data connection...

I am also assuming that the above would be applied as an outbound access list
on the internal side of the screening router, as the rest would not make
sense otherwise...

Do I have this incorrect?


        ______/   Jeff LaCoursiere                   FastLane Communications
       /          Network security/services          mail info @ flc . uprc . com
      ___/        lacoursj @ uprc . com
     /
  __/  ASTLANE  Communications!  Connecting America to the Internet...
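The rule under discussion, simulated as an added example (not code from the original post or the list): a tiny stateless filter that applies "permit source port 20 to internal port > 1023", with and without the `established` qualifier, to the packets a remote FTP server sends when it opens an active-mode data connection. It assumes Cisco-style semantics, where `established` matches only segments with the ACK or RST bit set, so the server's opening SYN is the one packet it never matches; the client port number 3000 and the hypothetical probe to port 6000 are constructed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Inbound TCP segment, external side -> internal host (constructed)."""
    src_port: int
    dst_port: int
    syn: bool
    ack: bool
    rst: bool = False


def established(pkt: Packet) -> bool:
    """Cisco-style 'established': true only when ACK or RST is set."""
    return pkt.ack or pkt.rst


def ftp_data_rule(pkt: Packet, require_established: bool) -> bool:
    """Permit src port 20 -> dst port > 1023, optionally only if 'established'."""
    if pkt.src_port != 20 or pkt.dst_port <= 1023:
        return False
    if require_established and not established(pkt):
        return False
    return True


def active_ftp_server_segments(client_port: int = 3000) -> list:
    """Segments the FTP server sends inbound while opening a data connection."""
    return [
        Packet(20, client_port, syn=True, ack=False),   # server's opening SYN
        Packet(20, client_port, syn=False, ack=True),   # server's ACK of client's SYN/ACK
    ]


def inbound_decisions(require_established: bool, client_port: int = 3000) -> list:
    """Per-segment permit/deny for the data connection handshake."""
    return [ftp_data_rule(p, require_established)
            for p in active_ftp_server_segments(client_port)]


def probe_permitted(internal_port: int, require_established: bool) -> bool:
    """Would an unsolicited SYN from an external port 20 reach this internal port?"""
    return ftp_data_rule(Packet(20, internal_port, syn=True, ack=False),
                         require_established)
```

With `established`, the first decision is deny, so active-mode transfers fail exactly as the post suspects; without it, any external host can deliver a fresh SYN from source port 20 to any internal port above 1023, which is the trade-off a screening-router rule of this shape makes.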



