This is an extract from a program on ftp.cisco.com to generate access
lists, summarizing the problem with outgoing ftp:
#
# Permit TCP connections with port numbers greater than 1024
# into a very limited set of hosts. Make sure NO terminal servers
# are in this list because this allows dangerous access to terminal
# servers and protocol translators.
#
# This is so that people can FTP out of cisco without using pftp
# (available from ftp.cisco.com). We now use passive-ftp everywhere
# and no longer need to permit this. This is the *ONLY* reason to allow
# inbound TCP >1023 so don't let anyone give you shit for closing this
# hole.
#
# This is a serious major gaping security hole and should be denied
# except known secure machines. The 'established' keyword earlier on
# handles everything outbound but outbound FTP, so that is the ONLY
# reason we should allow this.
#
Passive ftp is available for UNIX computers in source form, but what
about its availability on other platforms (Macs and PCs running TCP/IP
ftp software)? Also, how widely do the "main" public ftp servers
support it?
Thanks.
Mohamed
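An added example (not part of the original posting or of the cisco script it quotes): a small Python model of the inbound access list the comment describes, with constructed host and port values. It shows that the 'established' entry already admits passive-FTP data connections, that only active FTP needs the extra inbound 'gt 1023' entry, and what else that entry lets in.

```python
# Added illustration, not cisco's script: models an inbound ACL on the
# Internet-facing interface. 'established' in IOS matches only packets with
# ACK or RST set, i.e. replies to connections opened from inside.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool  # True for the opening SYN of a new inbound connection

# Each entry: (action, destination host or None for any, minimum dport, established_only)
ACL_CLOSED = [
    ("permit", None, 0, True),             # permit tcp any any established
    ("deny", None, 0, False),              # implicit deny
]
ACL_OPEN_FOR_ACTIVE_FTP = [
    ("permit", None, 0, True),
    ("permit", "10.0.0.5", 1024, False),   # permit tcp any host 10.0.0.5 gt 1023
    ("deny", None, 0, False),
]

def acl_allows(acl, pkt):
    """First matching entry decides, as in IOS access lists."""
    for action, host, min_port, established in acl:
        if host is not None and pkt.dst != host:
            continue
        if pkt.dport < min_port:
            continue
        if established and pkt.syn_only:
            continue  # a bare SYN has no ACK/RST bit, so 'established' does not match
        return action == "permit"
    return False

# Constructed traffic: inside client 10.0.0.5, outside FTP server 192.0.2.10.
# Active FTP: the server opens the data connection from port 20 back to the client.
ACTIVE_DATA_SYN = Packet("192.0.2.10", 20, "10.0.0.5", 40001, syn_only=True)
# Passive FTP: the client opens the data connection; only replies arrive inbound.
PASSIVE_DATA_REPLY = Packet("192.0.2.10", 50123, "10.0.0.5", 40002, syn_only=False)
# Unrelated inbound SYN to a high port on the same host, which the hole also admits.
STRAY_SYN = Packet("198.51.100.7", 4444, "10.0.0.5", 6000, syn_only=True)

def ftp_outcomes(acl):
    """Which of the three constructed packets each ACL variant lets through."""
    return {
        "active_ftp_data": acl_allows(acl, ACTIVE_DATA_SYN),
        "passive_ftp_data": acl_allows(acl, PASSIVE_DATA_REPLY),
        "stray_high_port_syn": acl_allows(acl, STRAY_SYN),
    }
```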
From: Robert Kiessling <Robert.Kiessling@rrze.uni-erlangen.de>
Subject: Re: Dead 4000
In-Reply-To: <199503282215.OAA27325@lager.cisco.com> from "Tony Li" at "Mar 28, 95 2:15 pm"
Tony,
> > I have a Cisco 4000 that dies after displaying the first three lines of the
> > normal boot display cycle. These lines are as follows:
>
> > System Bootstrap, Version 4.6(4), SOFTWARE
> > copyright 1986-1993 Cisco Systems
> > 4000 processor with 16384 kbytes of memory
>
> > Any ideas of where I should look for the problem first?
>
> >Without more information, it's impossible to say. Please contact your
> >normal support channels.
>
> Perhaps you have an interface with no IP address assigned?
>
> That should _not_ cause a problem.
But nevertheless it does. Have an NVRAM config which mentions
no BRI interfaces and a TFTP config with BRI interfaces in
a dialer group and no individual IP addresses (only the dialer
interfaces have IP addresses). Then, after loading the TFTP file, the
router comes to a total standstill. Only switching it off and on helps.
(IOS 10.2(4)).
No, I have not yet opened a case with TAC as I know how to
get around it (assign IP unnumbered on the BRI interfaces) and
I want the router to work and not to fail because of me
reproducing the error and perhaps minimizing the failing
configuration.
Best regards,
Robert
--
Robert Kiessling                 Robert.Kiessling@rrze.uni-erlangen.de
Terminal server support          dialinadm@rrze.uni-erlangen.de
Regionales Rechenzentrum Universitaet Erlangen-Nuernberg