On Tue, 22 Nov 1994, Thomas Bleek wrote:
> Hello,
> here is my summary about Cisco access lists. The good news is that
> I was told about a big hole in my filter rules. Very bad was the idea
> to let UDP packets other than for the DNS port 53
Why?
> from the Internet to the inside. Some suggested to also deny incoming
> TCP and to use the established option, but that is not working
> with FTP. It turns out that the external server opens the data connection
> to the internal client (after the PORT command from the client),
> so there is no way other than modifying clients or using
> PASV (which is not implemented on all servers).
What about opening for >1000 established
and for the ftp-data port?
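To make the trade-off in this exchange concrete, here is an added Python model (not part of the thread and not either writer's own text) of a Cisco-style extended access list evaluated against a few constructed inbound packets. It assumes the IOS `established` semantics of matching only TCP segments with the ACK or RST bit set, uses the ">1000" client-port threshold from the reply above, and compares an "established-only" list with one that additionally admits TCP from source port 20 (ftp-data) to ports above 1000. The packet names, ports and rule tuples are constructed for illustration.

```python
"""Model two inbound Cisco-style access lists and show what each admits.

Added example: a simplified evaluator, not real IOS code. Rules are
matched first-match, with the implicit deny at the end of every list.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A port condition is ("eq", n), ("gt", n) or ("lt", n); None means "any".
PortCond = Optional[Tuple[str, int]]


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src_port: int
    dst_port: int
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp" or "ip" (any)
    src_port: PortCond = None
    dst_port: PortCond = None
    established: bool = False       # IOS "established": ACK or RST bit set


def _port_match(cond: PortCond, port: int) -> bool:
    if cond is None:
        return True
    op, value = cond
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not _port_match(rule.src_port, pkt.src_port):
        return False
    if not _port_match(rule.dst_port, pkt.dst_port):
        return False
    # "established" only matches segments that belong to a connection the
    # inside already opened: a bare SYN from outside never has ACK or RST.
    if rule.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule, or the implicit deny."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# List 1: what the summary settled on for TCP -- replies only, plus DNS.
ESTABLISHED_ONLY: List[Rule] = [
    Rule("permit", "tcp", established=True),
    Rule("permit", "udp", dst_port=("eq", 53)),
]

# List 2: the reply's suggestion -- also let ftp-data (port 20) reach
# client ports above 1000 so active-mode FTP data connections get through.
WITH_FTP_DATA: List[Rule] = ESTABLISHED_ONLY + [
    Rule("permit", "tcp", src_port=("eq", 20), dst_port=("gt", 1000)),
]

# Constructed inbound packets (all arriving from the Internet side).
SAMPLE: Dict[str, Packet] = {
    "web reply (SYN/ACK from port 80)": Packet("tcp", 80, 3000, frozenset({"SYN", "ACK"})),
    "active FTP data (SYN from port 20)": Packet("tcp", 20, 4001, frozenset({"SYN"})),
    "unsolicited SYN to SMTP": Packet("tcp", 1234, 25, frozenset({"SYN"})),
    "DNS query to inside server": Packet("udp", 2222, 53),
    "SYN from port 20 to X11 (6000)": Packet("tcp", 20, 6000, frozenset({"SYN"})),
}


def decisions(acl: List[Rule]) -> Dict[str, str]:
    """Map each sample packet name to the list's permit/deny decision."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for label, acl in (("established only", ESTABLISHED_ONLY), ("with ftp-data", WITH_FTP_DATA)):
        print(f"--- {label} ---")
        for name, action in decisions(acl).items():
            print(f"{action:6}  {name}")
```

Running it shows the two points of the exchange side by side: with `established` alone the active-mode data connection (a SYN from port 20) is dropped, exactly as the summary complains, while the ftp-data rule lets it through. The last sample packet is the cost of that fix: because the rule is stateless, anything sourced from port 20 toward any inside port above 1000 is also admitted, so a filter built this way should at least log or alert on port-20 SYNs arriving for hosts that are not FTP clients.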