Input And Output Filters For Ftp Packets - Lucent Technologies PortMaster 4 Configuration Manual


Input and Output Filters for FTP Packets

Filters can be used to either permit or deny File Transfer Protocol (FTP) packets. You
must understand how this protocol works before you develop FTP filters.
FTP uses TCP port 21 as its control channel, but in its default (active) mode it transfers
data on a second connection that the FTP server opens from its own TCP port 20 (FTP-data)
back to a port above 1023 on the client. Therefore, if you want to allow your internal
hosts to use FTP to external servers, you must allow external hosts to open incoming
connections from TCP port 20 to any destination port above 1023 on those internal hosts.
Nothing prevents an attacker from choosing source port 20 deliberately, so this rule also
exposes every service that listens above 1023 on those hosts, for example Remote Procedure
Call (RPC) services or an X Window System display (TCP port 6000). As a result, many sites
use FTP proxies or passive FTP, neither of which is discussed in this guide.
Consult Firewalls and Internet Security: Repelling the Wily Hacker by Cheswick and Bellovin
and Building Internet Firewalls by Chapman and Zwicky for information on FTP proxies
and passive FTP.
Likewise, if you want to allow external hosts to connect to your FTP server and transfer
files, you must allow incoming connections to TCP port 21 on your FTP server and allow
outgoing connections from TCP port 20 of your FTP server, because the server opens the
data connection to a port above 1023 on the external client.
In the following examples, 172.16.0.2 is the address of your FTP server and 192.168.0.1
is the address of the host from which you allow outgoing FTP.
Caution – This configuration is not recommended if you run any of the following
protocols on any of the hosts from which you allow FTP access: NFS, X, RPC, or any
other service that listens on ports above 1023.
The rules for the input filter are as follows. Rules 1 and 2 serve the host that is
allowed outgoing FTP; rules 3 and 4 serve the FTP server. The estab keyword matches
only packets with the TCP ACK bit set, so a rule that carries it passes the replies on a
connection opened from the other side but not a new connection request:
Command> set filter internet.in 1 permit 0.0.0.0/0 192.168.0.1/32 tcp src eq 20 dst gt 1023
Command> set filter internet.in 2 permit 0.0.0.0/0 192.168.0.1/32 tcp src eq 21 estab
Command> set filter internet.in 3 permit 0.0.0.0/0 172.16.0.2/32 tcp dst eq 21
Command> set filter internet.in 4 permit 0.0.0.0/0 172.16.0.2/32 tcp src gt 1023 dst eq 20 estab
The rules for the output filter mirror the input rules. Rules 1 and 2 carry the control
requests and data acknowledgments of the host that is allowed outgoing FTP; rules 3 and 4
carry the data connections and control replies of the FTP server:
Command> set filter internet.out 1 permit 192.168.0.1/32 0.0.0.0/0 tcp dst eq 21
Command> set filter internet.out 2 permit 192.168.0.1/32 0.0.0.0/0 tcp src gt 1023 dst eq 20 estab
Command> set filter internet.out 3 permit 172.16.0.2/32 0.0.0.0/0 tcp src eq 20 dst gt 1023
Command> set filter internet.out 4 permit 172.16.0.2/32 0.0.0.0/0 tcp src eq 21 dst gt 1023 estab
If you want to allow any internal host to use outgoing FTP, replace 192.168.0.1/32 with
0.0.0.0/0 or with your network_number/24 in input rules 1 and 2 and output rules 1 and 2.
Doing so exposes the ports above 1023 on every such host in the same way, so take
appropriate precautions to reduce the risk this configuration creates.
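To see which of the eight rules each packet of an active-mode FTP session hits, and what else the same rules let through, the following added example (not code from the PortMaster manual) reduces the set filter lines above to a small rule model and traces constructed packets through it. It assumes the usual PortMaster filter behaviour of first matching rule deciding and unmatched packets being denied, and that estab means the TCP ACK bit is set; the external address 203.0.113.7 and all port numbers are constructed.

```python
"""Trace the PortMaster FTP filters of this section against sample packets.

Added example, not code from the PortMaster manual. The 'set filter' lines are
reduced to a small rule model so you can see which rule each packet of an
active-mode FTP session hits, and which unwanted packets the same rules let
through. Assumptions: first matching rule decides, anything unmatched is
denied, and 'estab' means the TCP ACK bit is set. All addresses and ports
below are constructed; 203.0.113.7 stands for an arbitrary external host.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

FTP_SERVER = "172.16.0.2"   # internal FTP server, as in the manual
FTP_CLIENT = "192.168.0.1"  # internal host allowed to do outgoing FTP
EXTERNAL = "203.0.113.7"    # constructed external address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # True when the TCP ACK bit is set ('estab')


@dataclass(frozen=True)
class Rule:
    """One 'permit' filter line: networks plus optional port tests.

    A port test is ('eq', n) or ('gt', n); None means any port.
    """
    num: int
    src_net: str
    dst_net: str
    sport: tuple[str, int] | None = None
    dport: tuple[str, int] | None = None
    estab: bool = False

    def matches(self, p: Packet) -> bool:
        def port_ok(test, port):
            if test is None:
                return True
            op, value = test
            return port == value if op == "eq" else port > value
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and port_ok(self.sport, p.sport)
                and port_ok(self.dport, p.dport)
                and (p.ack or not self.estab))


# internet.in rules 1-4, transcribed from the commands above
INPUT = [
    Rule(1, "0.0.0.0/0", FTP_CLIENT + "/32", sport=("eq", 20), dport=("gt", 1023)),
    Rule(2, "0.0.0.0/0", FTP_CLIENT + "/32", sport=("eq", 21), estab=True),
    Rule(3, "0.0.0.0/0", FTP_SERVER + "/32", dport=("eq", 21)),
    Rule(4, "0.0.0.0/0", FTP_SERVER + "/32", sport=("gt", 1023), dport=("eq", 20), estab=True),
]
# internet.out rules 1-4
OUTPUT = [
    Rule(1, FTP_CLIENT + "/32", "0.0.0.0/0", dport=("eq", 21)),
    Rule(2, FTP_CLIENT + "/32", "0.0.0.0/0", sport=("gt", 1023), dport=("eq", 20), estab=True),
    Rule(3, FTP_SERVER + "/32", "0.0.0.0/0", sport=("eq", 20), dport=("gt", 1023)),
    Rule(4, FTP_SERVER + "/32", "0.0.0.0/0", sport=("eq", 21), dport=("gt", 1023), estab=True),
]


def decide(rules: list[Rule], p: Packet) -> tuple[str, int | None]:
    """Return ('permit', rule number) for the first match, else ('deny', None)."""
    for r in rules:
        if r.matches(p):
            return ("permit", r.num)
    return ("deny", None)


def scenarios() -> dict[str, tuple[str, int | None]]:
    """Decisions for the packets of both FTP directions plus some unwanted ones."""
    ext = EXTERNAL
    cases = {
        # Internal client 192.168.0.1 fetching from an external server (active mode)
        "client control SYN to ext:21":       (OUTPUT, Packet(FTP_CLIENT, 1025, ext, 21)),
        "ext:21 control reply (ACK)":         (INPUT, Packet(ext, 21, FTP_CLIENT, 1025, ack=True)),
        "ext:20 data SYN into client":        (INPUT, Packet(ext, 20, FTP_CLIENT, 1026)),
        "client data ACK back to ext:20":     (OUTPUT, Packet(FTP_CLIENT, 1026, ext, 20, ack=True)),
        # External client using the internal FTP server 172.16.0.2
        "ext control SYN to server:21":       (INPUT, Packet(ext, 40000, FTP_SERVER, 21)),
        "server:21 control reply (ACK)":      (OUTPUT, Packet(FTP_SERVER, 21, ext, 40000, ack=True)),
        "server:20 data SYN out to ext":      (OUTPUT, Packet(FTP_SERVER, 20, ext, 40001)),
        "ext data ACK back to server:20":     (INPUT, Packet(ext, 40001, FTP_SERVER, 20, ack=True)),
        # What the caution warns about: anyone can choose source port 20
        "ext:20 SYN to client X server 6000": (INPUT, Packet(ext, 20, FTP_CLIENT, 6000)),
        "ext:20 SYN to server X port 6000":   (INPUT, Packet(ext, 20, FTP_SERVER, 6000)),
        # Packets the rules correctly refuse
        "ext:21 SYN (no ACK) to client":      (INPUT, Packet(ext, 21, FTP_CLIENT, 1025)),
        "ext:20 SYN to client port 22":       (INPUT, Packet(ext, 20, FTP_CLIENT, 22)),
    }
    return {name: decide(rules, pkt) for name, (rules, pkt) in cases.items()}


if __name__ == "__main__":
    for name, (verdict, num) in scenarios().items():
        where = f" by rule {num}" if num else ""
        print(f"{name:38} -> {verdict}{where}")
```

The trace makes the caution concrete: the same input rule 1 that admits the server's data connection also admits a connection from source port 20 to the X server on 192.168.0.1, while the equivalent packet aimed at 172.16.0.2 is dropped because no input rule permits source port 20 towards the FTP server.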
Configuring Filters
Example Filters
8-9
