Input and Output Filters for FTP Packets – Lucent Technologies PortMaster User Manual


Configuring Filters

9-11

Example Filters

Input and Output Filters for FTP Packets

Filters can be used to either permit or deny File Transfer Protocol (FTP) packets. You
must understand how this protocol works before you develop FTP filters.

FTP uses TCP port 21 as a control channel, but it transfers data on another channel
initiated by the FTP server from TCP port 20 (FTP-data). Therefore, if you want to allow
your internal hosts to send out packets with FTP, you must allow external hosts to open
an incoming connection from TCP port 20 to a destination port above 1023. Allowing
this type of access to your network can be very risky if you are running Remote
Procedure Call (RPC) or X Windows on the host from which you are transmitting FTP
packets. As a result, many sites use FTP proxies or passive FTP, neither of which is
discussed in this guide.

Consult Firewalls and Internet Security: Repelling the Wily Hacker by Cheswick and Bellovin
and Building Internet Firewalls by Chapman and Zwicky for information on FTP proxies
and passive FTP.

Likewise, if you want to allow external hosts to connect to your FTP server and transfer
files, you must allow incoming connections to TCP port 21 on your FTP server and allow
outgoing connections from TCP port 20 of your FTP server.

In the following examples, 172.16.0.2 is the address of your FTP server and 192.168.0.1
is the address of the host from which you allow outgoing FTP.

Caution – This configuration is not recommended if you run any of the following
protocols on any of the hosts from which you allow FTP access: NFS, X, RPC, or any
other service that listens on ports above 1023.
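The two-channel behaviour described above, and the reason for the caution, can be checked with a small first-match filter model. This is an added illustration and not PortMaster filter syntax or any configuration from the manual: the Packet and Rule types, the evaluate() function and the rule lists are assumptions chosen for clarity, the addresses are the ones the text uses (172.16.0.2 for the FTP server, 192.168.0.1 for the host allowed outgoing FTP), the sample packets are constructed, and the NFS (2049) and X display (6000-6063) port numbers are standard values not taken from the page.

```python
"""Toy first-match packet filter modelling the FTP rules described in the text.

Added example, not PortMaster configuration: field names, evaluate() and the
rule lists are assumptions. Sample packets below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]  # inclusive low..high


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    proto: str = "any"
    src: str = "any"                   # exact address or "any" (no masks in this toy)
    sport: Optional[PortRange] = None  # None means any port
    dst: str = "any"
    dport: Optional[PortRange] = None

    def matches(self, p: Packet) -> bool:
        def addr_ok(want: str, have: str) -> bool:
            return want == "any" or want == have

        def port_ok(rng: Optional[PortRange], have: int) -> bool:
            return rng is None or rng[0] <= have <= rng[1]

        return (self.proto in ("any", p.proto)
                and addr_ok(self.src, p.src) and addr_ok(self.dst, p.dst)
                and port_ok(self.sport, p.sport) and port_ok(self.dport, p.dport))


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; a packet that matches no rule is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


FTP_SERVER = "172.16.0.2"   # address of your FTP server (from the text)
FTP_CLIENT = "192.168.0.1"  # host allowed to do outgoing FTP (from the text)
HIGH = (1024, 65535)        # "a destination port above 1023"

# Input filter (packets arriving from outside), as the text describes it:
# control connections to the server's port 21, plus FTP-data connections
# opened by the remote server from port 20 to the client's high port.
INPUT_NAIVE = [
    Rule("permit", "tcp", dst=FTP_SERVER, dport=(21, 21)),
    Rule("permit", "tcp", sport=(20, 20), dst=FTP_CLIENT, dport=HIGH),
]

# Output filter: the client's control channel out to port 21, and the
# server's data channel out from port 20 to the remote client's high port.
OUTPUT = [
    Rule("permit", "tcp", src=FTP_CLIENT, dport=(21, 21)),
    Rule("permit", "tcp", src=FTP_SERVER, sport=(20, 20), dport=HIGH),
]

# The caution in the text: "port above 1023" also covers services that listen
# there. One mitigation is to deny those ports before the FTP-data permit;
# rule order matters because the first match wins. Port numbers are the
# standard NFS (2049) and X display (6000-6063) values, assumed here.
INPUT_HARDENED = [
    Rule("deny", "tcp", dport=(2049, 2049)),
    Rule("deny", "tcp", dport=(6000, 6063)),
] + INPUT_NAIVE


def ftp_data_to(dport: int) -> Packet:
    """Constructed packet: a remote FTP server's data connection to our client."""
    return Packet("10.0.0.5", 20, FTP_CLIENT, dport)


if __name__ == "__main__":
    for port in (40000, 6000, 2049):
        print(f"FTP-data to port {port}: naive={evaluate(INPUT_NAIVE, ftp_data_to(port))}, "
              f"hardened={evaluate(INPUT_HARDENED, ftp_data_to(port))}")
```

Running it shows that the plain "port 20 to anything above 1023" permit lets a connection from source port 20 reach an X display or NFS port on the client just as readily as a real FTP-data transfer, which is exactly the exposure the caution warns about; the hardened list closes those ports while still passing ordinary data connections.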

Table 9-3 Description of Internet Filter (Continued)

Rule    Description
9       Permits ICMP packets.
