Summary: Cisco "established" keyword breaks FTP-DATA.
I am having FTP trouble when I configure my Cisco to only
permit established TCP connections above port 1024. When a
new (random) port is created for FTP-DATA (e.g., as the result
of a "dir"), the Cisco prohibits the connection since it
doesn't meet the "established" criteria.
I know of no way to do what you want in a safe fashion. I wish I did.
Well, Marcus Ranum and I discussed it and decided to hack the ftp client to
use ports between IPPORT_USERRESERVED (5000) and 10000 for ftp-data. Then I
can reintroduce "established" for ports < 5000.
This seems to work fine, but we'll see if there are any future problems with
the BSD ftp client on SunOS.
Dave Dalva <dave @
Trusted Information Systems, Inc.
Glenwood, MD 21738
+1 301 854-6889
+1 301 854-5363 FAX