Summary: Cisco "established" keyword breaks FTP-DATA.

I am having FTP trouble when I configure my Cisco to only
permit established TCP connections above port 1024. When a
new (random) port is created for FTP-DATA (e.g., as the result
of a "dir"), the Cisco prohibits the connection since it
doesn't meet the "established" criteria.

I know of no way to do what you want in a safe fashion. I wish I did.

Well, Marcus Ranum and I discussed it and decided to hack the ftp client to
use ports between IPPORT_USERRESERVED (5000) and 10000 for ftp-data. Then I
can reintroduce "established" for ports < 5000.
This seems to work fine, but we'll see if there are any future problems with
the BSD ftp client on SunOS.
Dave Dalva <dave@tis.com>
Trusted Information Systems, Inc.
Glenwood, MD 21738
+1 301 854-6889
+1 301 854-5363 FAX
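The mechanism behind this thread, as an added example that is not part of the original messages: a small Python model of the two inbound ACL policies (the "established only" rule from the question and the IPPORT_USERRESERVED workaround) run against an active-mode FTP session. The router-side model (client inside, server outside, only inbound segments filtered), the port numbers used for the session, and the probe source port are assumptions for the illustration; "established" is modelled with Cisco's own semantics (the segment has ACK or RST set, so a bare SYN never matches). The last function shows the price of the workaround: every port from 5000 to 10000 now accepts an unsolicited inbound SYN from any source, so anything listening there is reachable from outside.

```python
"""Added example (not from the original thread): a model of why Cisco's
"established" keyword breaks active-mode FTP and what the port-range hack buys.

Assumptions for the illustration: the FTP client sits behind the router and
the server is outside, so only the inbound direction is filtered; "established"
is modelled as Cisco documents it (matches segments with ACK or RST set);
the BSD ephemeral range is 1024..IPPORT_USERRESERVED-1 and the hacked client
uses IPPORT_USERRESERVED..10000 for ftp-data, as stated in the thread.
"""
from dataclasses import dataclass
from typing import Callable, List

FTP_CTRL_PORT = 21
FTP_DATA_PORT = 20
IPPORT_USERRESERVED = 5000          # BSD value quoted in the thread
HACKED_DATA_MAX = 10000             # upper bound of the hacked ftp-data range
BSD_EPHEMERAL_MIN = 1024            # assumption: plain BSD ephemeral range start


@dataclass(frozen=True)
class Segment:
    """One inbound TCP segment as the ACL sees it (ports plus the flags that matter)."""
    src_port: int
    dst_port: int
    syn: bool = False
    ack: bool = False
    rst: bool = False

    @property
    def established(self) -> bool:
        # Cisco "established": true when ACK or RST is set, i.e. for every
        # segment except the bare SYN that opens a new connection.
        return self.ack or self.rst


Rule = Callable[[Segment], bool]


def inbound_original(seg: Segment) -> bool:
    """The first ACL from the question: permit inbound TCP to ports > 1023 only if established."""
    return seg.dst_port > 1023 and seg.established


def inbound_hacked(seg: Segment) -> bool:
    """The workaround: 'established' kept for 1024-4999, 5000-10000 opened for ftp-data."""
    if BSD_EPHEMERAL_MIN <= seg.dst_port < IPPORT_USERRESERVED:
        return seg.established
    if IPPORT_USERRESERVED <= seg.dst_port <= HACKED_DATA_MAX:
        return True                 # new connections accepted here: the cost of the hack
    return False


def control_reply_allowed(rule: Rule, client_port: int) -> bool:
    """Client opened port 21 outbound; the server's SYN+ACK comes back inbound."""
    syn_ack = Segment(src_port=FTP_CTRL_PORT, dst_port=client_port, syn=True, ack=True)
    return rule(syn_ack)


def data_connection_allowed(rule: Rule, client_data_port: int) -> bool:
    """Active mode: after PORT, the server opens the data connection from port 20
    to the client's port. The first inbound segment is a bare SYN."""
    syn = Segment(src_port=FTP_DATA_PORT, dst_port=client_data_port, syn=True)
    return rule(syn)


def exposed_ports(rule: Rule, lo: int = 1, hi: int = 65535) -> List[int]:
    """Ports on which the rule accepts an unsolicited SYN from an arbitrary source
    port (constructed probe, not an FTP server): anything listening there is
    reachable from outside, so the hack is not limited to ftp-data."""
    probe_src = 40000               # assumption: any high port will do
    return [p for p in range(lo, hi + 1)
            if rule(Segment(src_port=probe_src, dst_port=p, syn=True))]


if __name__ == "__main__":
    ctrl_port, plain_data_port, hacked_data_port = 1025, 1026, 5001
    for name, rule in (("established-only", inbound_original),
                       ("port-range hack", inbound_hacked)):
        print(f"{name}: control reply {control_reply_allowed(rule, ctrl_port)}, "
              f"ftp-data to {plain_data_port}: {data_connection_allowed(rule, plain_data_port)}, "
              f"ftp-data to {hacked_data_port}: {data_connection_allowed(rule, hacked_data_port)}, "
              f"ports open to unsolicited SYN: {len(exposed_ports(rule))}")
```

Running it shows the control connection passing under both rules (the server's reply carries ACK), the data connection failing under the original rule whichever port the client picks, and succeeding under the hack only because the 5000-10000 range no longer requires "established" at all.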