Anders Vedelsbøl wrote:
> Our Cisco 827 is set up with the access-list 101 shown below and I cannot
> get FTP to work. Can you help?
> regards
> Anders
>
...
> access-list 101 permit tcp any eq ftp any
> access-list 101 permit tcp any eq ftp-data any
...
> access-list 101 deny ip any any
Hi Anders
It is a combination of reasons why ftp does not get through.
1) FTP sucks - but it is popular.
2) FTP without stateful inspection means that you have to open everything above
tcp/ip port 1023 - that is, 1024-65535 both as src and dst.
3) NAT and active ftp usually cause security problems - if the
network equipment can handle active ftp at all. Passive ftp alone is
therefore recommended.
FTP Attacks. By Kurt Seifried (seifried@securityportal.com) for
SecurityPortal:
http://www.developer.com/tech/article.php/774121
Quote: "...PASV Versus ACTIVE...To be plain, FTP sucks..."
FTP Reviewed. Chris Grant 1998-07-03:
http://pintday.org/whitepapers/ftp-review.shtml
Quote: "...Another potential problem is the very act of getting FTP
through a firewall. Regulating data transmissions with FTP can be very
tricky, particularly if the data is being actively transmitted..."
What is the difference between Active and Passive FTP?
http://www.scala.com/network-manager-3-faq/network-manager-3-faq-index.html
Firewall Configuration Prerequisites.
By Jay Beale, Lead Developer, Bastille Linux Project
(jay@bastille-linux.org), Principal Consultant JJB Security Consulting
and Training (C) 2000, Jay Beale:
http://www.bastille-linux.org/jay/firewall-prereqs.html
Quote: "...
Well, there's a partial solution to this, in that you can force
everyone's clients to use "passive" mode FTP, which works like this:
...
So, this is more normal. The client is opening that second connection,
albeit to an arbitrary high (1024-65535) port on the server. *This is
better, though it now opens the server up to greater risk. See, now the
firewall on the server end has to allow all connections to high ports on
the FTP server machines*. Now, a knowledgeable admin can reduce this
port range, from 1024-65535, to something more manageable like
40,000-45,000, but this still leaves a wide port range that has to be
allowed in the server-side firewall. So, is there any hope?
Well, barring killing off FTP, there is. Stateful firewalls can watch
the data stream and understand the port negotiation. Unlike non-stateful
firewalls, which have to allow every potential port, stateful firewalls
can allow through packets destined for the specific additional data
port, at the specific "right time" in the connection.
..."
http://www.outpostfirewall.com/guide/rules/preset_rules/ftp.htm
Quote: "...
Protocol: TCP
Direction: Inbound
Local Port(s): 1024-65535
Action: Allow It
Protocol: TCP
Direction:Outbound
Remote Port(s): 1024-65535
Action: Allow It
...
But wait a minute! Doesn't this cause all kinds of problems
[Security problems!] for the server side firewall? [The one in front of
the FTP server]
Yes it does, but servers have a way round this. Most FTP servers allow a
server administrator to specify a range of local ports [That is a poor
but half-decent solution] the FTP server is allowed to open and use.
..."
Regards/Glenn
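To make concrete what the reply above means by "stateful inspection understands the port negotiation", here is an added Python example that is not part of the thread and not Cisco code. It walks a constructed FTP control-channel log, decodes each PORT command and each 227 (PASV) reply into the single data connection a stateful inspector would open, performs the classic bounce check from RFC 2577 (the advertised address must be the peer's own), and compares that with the poster's static access-list 101 modelled as a pure function of the source port. The sample log, the addresses (RFC 5737 documentation ranges) and the assumption that the access list filters traffic arriving from the Internet side (so `eq ftp`/`eq ftp-data` match the remote server's source ports) are all mine, not stated in the thread.

```python
import re

# Constructed sample of an FTP control channel (not a capture from the
# poster's Cisco 827). "C:" is the client behind the router, "S:" the
# remote server. Addresses are RFC 5737 documentation addresses.
SAMPLE_CONTROL_LOG = """\
C: USER anonymous
S: 331 Please specify the password.
C: PASS guest@
S: 230 Login successful.
C: PORT 192,0,2,10,4,1
S: 200 PORT command successful.
C: LIST
S: 150 Here comes the directory listing.
C: PASV
S: 227 Entering Passive Mode (198,51,100,7,195,80).
C: RETR file.txt
S: 150 Opening BINARY mode data connection.
"""

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and 227 (RFC 959)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if any(not 0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in FTP host/port string")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def expected_data_connections(control_log, client_ip, server_ip):
    """Walk the control channel the way a stateful FTP inspector does.

    Each PORT or PASV negotiation yields exactly one data connection
    that should be permitted, which is the alternative to leaving
    1024-65535 open in both directions on a static access list.
    Returns one dict per negotiated data connection.
    """
    pinholes = []
    for line in control_log.splitlines():
        who, _, text = line.partition(": ")
        if who == "C":
            m = PORT_RE.match(text)
            if m:
                host, port = decode_hostport(m.groups())
                pinholes.append({
                    "mode": "active",
                    # Active: the server connects from ftp-data (20)
                    # to the high port the client just advertised.
                    "src": (server_ip, 20),
                    "dst": (host, port),
                    # Bounce check (RFC 2577): the advertised address
                    # must be the client's own, otherwise the server is
                    # being asked to connect to a third party.
                    "suspicious": host != client_ip,
                })
        elif who == "S":
            m = PASV_RE.match(text)
            if m:
                host, port = decode_hostport(m.groups())
                pinholes.append({
                    "mode": "passive",
                    # Passive: the client connects from an ephemeral
                    # port (unknown until it happens) to the server's
                    # advertised high port.
                    "src": (client_ip, None),
                    "dst": (host, port),
                    "suspicious": host != server_ip,
                })
    return pinholes


def static_acl_101_permits(src_port, dst_port=None):
    """The poster's access-list 101 as a pure function of the ports.

    Assumption (not stated in the thread): the list filters traffic
    arriving from the Internet side, so "eq ftp"/"eq ftp-data" are the
    remote server's source ports. dst_port is accepted for symmetry only.
    """
    if src_port == 21:      # permit tcp any eq ftp any
        return True
    if src_port == 20:      # permit tcp any eq ftp-data any
        return True
    return False            # deny ip any any


if __name__ == "__main__":
    for p in expected_data_connections(SAMPLE_CONTROL_LOG,
                                       "192.0.2.10", "198.51.100.7"):
        if p["mode"] == "active":
            # Inbound SYN from server:20 to client:high.
            ok = static_acl_101_permits(p["src"][1], p["dst"][1])
        else:
            # Inbound reply packets come from server:high to client:high.
            ok = static_acl_101_permits(p["dst"][1])
        print(p["mode"], "static ACL permits:", ok,
              "bounce suspect:", p["suspicious"])
```

Run stand-alone, the script shows the point of the thread: the active-mode data connection (source port 20) slips through the static list, while the passive-mode data connection arrives from an arbitrary high port and hits `deny ip any any`; a stateful inspector would instead open only the one (host, port) pair it just saw negotiated.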