On Jul 14, 4:06pm, Frank Heinzius wrote:
>
> I found out that most denied packets are ftp data connections (tcp
> src gt 1023 dst gt 1023) used by the Netscape WWW browser. This seems to
> be a dangerous fact: browsers like Mosaic use the assigned ftp-data
> channel, but Netscape uses non-privileged ports nearly at random. Of
> course, some of the services found in strobe.services or RFC1700 are
> perfectly overridden ;-)
>
> Any ideas, how to handle ftp from WWW-browsers (except from removing
> the ftp-gateway pages)?
>
Actually, it is a GOOD thing!
Netscape uses PASV ftp by default (passive ftp). You should refer to
Cheswick and Bellovin for a discussion on passive ftp but basically it is a
good idea. A 10.3(3) Cisco access list for ftp might look like this:
access-list 102 permit tcp any eq ftp 161.34.0.0 0.0.255.255 gt 1023
established
access-list 102 permit tcp any gt 1023 161.34.0.0 0.0.255.255 gt 1023
established
access-list 121 permit tcp 161.34.0.0 0.0.255.255 gt 1023 any eq ftp
access-list 121 permit tcp 161.34.0.0 0.0.255.255 gt 1023 any gt 1023
You would use access list 102 for incoming packets and 121 for outgoing
packets. This will get passive-ftp up and working. WS-FTP, Netscape, and
anarchie work with passive ftp. It is also possible to modify ftp client
code for passive ftp.
---Jack
--
Jack Stewart #include <std.disclaimer>
Communications Administrator email: jack .
stewart @
macsch .
com
MacNeal-Schwendler Corporation fax: 213-259-3838
References:
|
|
