Great Circle Associates Firewalls
(March 1993)

Subject: Re: Packet filtering and FTP
From: "David I. Dalva" <dave @ TIS . COM>
Date: Thu, 18 Mar 93 12:54:45 -0500
To: smb @ research . att . com
Cc: firewalls @ GreatCircle . COM
In-reply-to: Your message of Tue, 16 Mar 93 18:25:32 -0500. <9303162330 . AA11908 @ TIS . COM>

		 Summary: Cisco "established" keyword breaks FTP-DATA.

		 I am having FTP trouble when I configure my Cisco to only
		 permit established TCP connections above port 1024.  When a
		 new (random) port is created for FTP-DATA (e.g., as the result
		 of a "dir"), the Cisco prohibits the connection since it
		 doesn't meet the "established" criteria.

	I know of no way to do what you want in a safe fashion.  I wish I did.

Well, Marcus Ranum and I discussed it and decided to hack the ftp client to
use ports between IPPORT_USERRESERVED (5000) and 10000 for ftp-data.  Then I
can reintroduce "established" for ports < 5000.

This seems to work fine, but we'll see if there are any future problems with
the BSD ftp client on SunOS.

Dave Dalva <dave @ tis . com>
Trusted Information Systems, Inc.
Glenwood, MD  21738
+1 301 854-6889
+1 301 854-5363 FAX
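An added illustration, not part of the original thread, of why the "established" keyword rejects the active-mode FTP data connection and what the 5000-10000 workaround changes. It is a small stateless-filter model, not Cisco code; the rule that inbound ports above 10000 are dropped outright is my assumption, as the post does not say.

```python
# Added example: a minimal model of a stateless TCP packet filter with the
# semantics of the Cisco "established" keyword, which passes only segments
# carrying ACK or RST. A bare SYN opening a new inbound connection never
# matches it, which is exactly what breaks active-mode FTP-DATA.
from dataclasses import dataclass

IPPORT_USERRESERVED = 5000   # lower bound quoted in the post
FTP_DATA_HIGH = 10000        # upper bound of the patched client's range


@dataclass(frozen=True)
class Segment:
    src_port: int
    dst_port: int   # port on the inside (client) host
    syn: bool
    ack: bool
    rst: bool = False


def established(seg: Segment) -> bool:
    """Cisco 'established' semantics: ACK or RST flag present."""
    return seg.ack or seg.rst


def original_filter(seg: Segment) -> bool:
    """Inbound rule as first configured: established TCP only, ports > 1024."""
    return seg.dst_port > 1024 and established(seg)


def patched_filter(seg: Segment) -> bool:
    """Rule set after the ftp client was changed to pick data ports in
    [5000, 10000]: 'established' still guards 1025..4999, the ftp-data
    range admits new connections, everything else is dropped (assumption)."""
    if 1024 < seg.dst_port < IPPORT_USERRESERVED:
        return established(seg)
    if IPPORT_USERRESERVED <= seg.dst_port <= FTP_DATA_HIGH:
        return True
    return False


def ftp_data_syn(client_port: int) -> Segment:
    """Active-mode FTP: after the client's PORT command the server opens the
    data connection from port 20 to the advertised port with a bare SYN."""
    return Segment(src_port=20, dst_port=client_port, syn=True, ack=False)


def unsolicited_syn(port: int) -> Segment:
    """Any SYN to an inside port that no inside process asked for; used to
    show the residual exposure of the open 5000..10000 range."""
    return Segment(src_port=40000, dst_port=port, syn=True, ack=False)
```

Note that patched_filter passes unsolicited_syn(6000): the range is open to everything, not just FTP-DATA, which is the trade-off behind the "no safe way" remark above.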
