# Summary: Cisco "established" keyword breaks FTP-DATA.
# I am having FTP trouble when I configure my Cisco to only permit established
# TCP connections above port 1024. When a new (random) port is created for
# FTP-DATA (e.g., as the result of a "dir"), the Cisco prohibits the connection
# since it doesn't meet the "established" criteria.
# Does anybody know what the port range is for randomly allocated ports, or
# another way to get around this problem?
This is one of the reasons the Cisco "established" keyword, all by
itself and without the ability to look at source IP port numbers,
isn't all that useful in the real world.
The "problem" is that the "data" channel of an FTP connection is
established from the server back to the client. The FTP client opens
a command channel to the server. When it's ready to receive data, it
grabs a random port, >1024 on a UNIX system with BSD-derived
networking, and tells the server (through the command channel) the
port number it's listening for data on. The server opens a connection
from the FTP-DATA port on the server (port 20) to this random port on
the client machine. It's this "backwards" open (the server opening a
connection to the client) that makes FTP tricky to deal with in a firewall.
You might be able to modify your FTP client to always pick its
"random" data port from a small range, or something obnoxious like that.
Brent Chapman Great Circle Associates
COM 1057 West Dana Street
+1 415 962 0841 Mountain View, CA 94041
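The active-mode exchange described in the reply, run through a small model of the "established" filter from the question, as an added example that is not part of the original post. The addresses, ports, PORT command and the modelled ACL semantics (inbound TCP to ports above 1024 passes only when ACK or RST is set) are constructed assumptions, not configuration from the thread.

```python
# Added example: why a stateless "established" rule lets the FTP command
# channel through but blocks the server-initiated FTP-DATA connection.
from dataclasses import dataclass

CLIENT = "192.0.2.10"    # constructed: inside host running the FTP client
SERVER = "198.51.100.5"  # constructed: outside FTP server


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST"}


def is_established(seg: Segment) -> bool:
    """Model of the keyword: match segments that carry ACK or RST."""
    return bool(seg.flags & {"ACK", "RST"})


def inbound_acl_permits(seg: Segment) -> bool:
    """Inbound rule from the question: permit TCP to ports > 1024 only if established."""
    return seg.dport > 1024 and is_established(seg)


def parse_port_command(line: str) -> tuple[str, int]:
    """Decode the RFC 959 'PORT h1,h2,h3,h4,p1,p2' the client sends on the command channel."""
    fields = line.strip().removeprefix("PORT ").split(",")
    if len(fields) != 6:
        raise ValueError("malformed PORT command")
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def active_ftp_decisions(client_cmd_port: int, port_cmd: str) -> dict[str, bool]:
    """Run the inbound (server -> client) segments of an active session through the ACL."""
    host, data_port = parse_port_command(port_cmd)
    # Reply to the client's SYN on the command channel: ACK is set, so it passes.
    cmd_synack = Segment(SERVER, 21, CLIENT, client_cmd_port, frozenset({"SYN", "ACK"}))
    # The "backwards" open: ftp-data (port 20) to the announced port carries SYN only.
    data_syn = Segment(SERVER, 20, host, data_port, frozenset({"SYN"}))
    return {
        "command_channel": inbound_acl_permits(cmd_synack),
        "data_channel": inbound_acl_permits(data_syn),
    }


if __name__ == "__main__":
    # Client listens on 1025 (PORT ...,4,1 -> 4*256+1) for the result of a "dir".
    print(active_ftp_decisions(3456, "PORT 192,0,2,10,4,1"))
```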