USRobotics NETServer/8 User Manual


Packet Filters 8-13

Step 2 - The client opens a control channel

To initiate an FTP session, the client opens a control channel on
the well-known FTP port 21. This means any client on the local
network must be able to send packets to TCP port 21 on any
external host.

set filter ftp.out 1 permit 192.77.203.0/24 0.0.0.0/0 tcp dst eq 21

Step 3 - The host must reply

Allow packets coming from port 21 on any external host. To
prevent intruders from using this opening, restrict the access to
connections “established” by outgoing clients.

set filter ftp.in 1 permit 0.0.0.0/0 192.77.203.0/24 tcp src eq 21 established

Step 4 - The host opens a data transfer channel

Once a file transfer has been set up on the control channel, the
host initiates a data transfer connection from port 20. However,
we don't know what the destination port will be beforehand. To
permit this connection, we would have to permit any external
host initiating a connection from port 20 to connect to any port
on any host on the internal network. Unfortunately, this also
leaves the network open to any intruder initiating a connection
from port 20. Since most standard services that are vulnerable to
attack are below port 1023, we can block most of these attacks
by forcing the host to connect to a port above 1023.

set filter ftp.in 2 permit 0.0.0.0/0 192.77.203.0/24 tcp src eq 20 dst gt 1023

Note: Since the ports above 1023 are still vulnerable, you
should add additional rules that deny packets to any services
you want to protect. These rules should be placed before the rule
given.

Step 5 - The client must reply

The client must use the data transfer channel to send
acknowledgment packets back to the FTP host.

set filter ftp.out 2 permit 192.77.203.0/24 0.0.0.0/0 tcp src gt 1023 dst eq 20 established
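The four rules from Steps 2 through 5, and the extra deny rule the Note calls for, can be checked against sample traffic with the following added example. It is not part of the NETServer manual and not the router's own code: it parses the manual's "set filter" syntax into a small model and evaluates constructed packets against it. Its assumptions are that rules are tried in index order and the first match wins, that a packet matching no rule is denied, and that "established" matches packets with the ACK flag set (i.e. not the first packet of a new connection). The external host address 198.51.100.7, the client ports, and the protected service on port 8080 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example, not from the NETServer manual. Models the manual's
# "set filter NAME IDX permit|deny SRC DST tcp [src eq|gt N] [dst eq|gt N] [established]"
# syntax. Assumptions: first matching rule wins, implicit deny, and
# "established" means the packet carries an ACK (not a new connection).


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False  # True for packets of an existing connection (ACK set)


@dataclass
class Rule:
    name: str
    index: int
    action: str
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    sport: Optional[Tuple[str, int]]  # ("eq"|"gt", port) or None
    dport: Optional[Tuple[str, int]]
    established: bool


def parse_rule(line: str) -> Rule:
    """Turn one 'set filter ...' line into a Rule; only the clauses used in the manual are supported."""
    tok = line.split()
    if tok[:2] != ["set", "filter"] or tok[7] != "tcp":
        raise ValueError(f"unsupported rule: {line}")
    name, index, action, src, dst = tok[2], int(tok[3]), tok[4], tok[5], tok[6]
    sport = dport = None
    established = False
    i = 8
    while i < len(tok):
        if tok[i] == "established":
            established, i = True, i + 1
        elif tok[i] in ("src", "dst") and tok[i + 1] in ("eq", "gt"):
            cond = (tok[i + 1], int(tok[i + 2]))
            if tok[i] == "src":
                sport = cond
            else:
                dport = cond
            i += 3
        else:
            raise ValueError(f"unsupported clause '{tok[i]}' in: {line}")
    return Rule(name, index, action,
                ipaddress.ip_network(src, strict=False),
                ipaddress.ip_network(dst, strict=False),
                sport, dport, established)


def _port_ok(cond: Optional[Tuple[str, int]], port: int) -> bool:
    if cond is None:
        return True
    op, val = cond
    return port == val if op == "eq" else port > val


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in rule.src_net
            and ipaddress.ip_address(pkt.dst) in rule.dst_net
            and _port_ok(rule.sport, pkt.sport)
            and _port_ok(rule.dport, pkt.dport)
            and (pkt.ack or not rule.established))  # "established" rejects new connections


def evaluate(rule_lines, pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt, trying rules in index order; no match means deny (assumption)."""
    for r in sorted((parse_rule(l) for l in rule_lines), key=lambda r: r.index):
        if rule_matches(r, pkt):
            return r.action
    return "deny"


# The manual's rules; 192.77.203.0/24 is the internal network from the text.
FTP_OUT = [
    "set filter ftp.out 1 permit 192.77.203.0/24 0.0.0.0/0 tcp dst eq 21",
    "set filter ftp.out 2 permit 192.77.203.0/24 0.0.0.0/0 tcp src gt 1023 dst eq 20 established",
]
FTP_IN = [
    "set filter ftp.in 1 permit 0.0.0.0/0 192.77.203.0/24 tcp src eq 21 established",
    "set filter ftp.in 2 permit 0.0.0.0/0 192.77.203.0/24 tcp src eq 20 dst gt 1023",
]
# The Note's hardening with a constructed service on port 8080: the deny rule is
# placed before the "src eq 20" rule (indices renumbered so it is tried first).
FTP_IN_HARDENED = [
    "set filter ftp.in 1 deny 0.0.0.0/0 192.77.203.0/24 tcp dst eq 8080",
    "set filter ftp.in 2 permit 0.0.0.0/0 192.77.203.0/24 tcp src eq 21 established",
    "set filter ftp.in 3 permit 0.0.0.0/0 192.77.203.0/24 tcp src eq 20 dst gt 1023",
]

CLIENT, HOST = "192.77.203.10", "198.51.100.7"  # constructed internal client and external FTP host


def scenarios() -> dict:
    """Decision for each step of the FTP exchange plus the gap the Note describes."""
    return {
        "step2 client opens control channel": evaluate(FTP_OUT, Packet(CLIENT, HOST, 40000, 21)),
        "step3 host reply on control channel": evaluate(FTP_IN, Packet(HOST, CLIENT, 21, 40000, ack=True)),
        "step3 new connection from port 21": evaluate(FTP_IN, Packet(HOST, CLIENT, 21, 40000)),
        "step4 data channel to high port": evaluate(FTP_IN, Packet(HOST, CLIENT, 20, 40001)),
        "step4 port-20 connection to port 22": evaluate(FTP_IN, Packet(HOST, CLIENT, 20, 22)),
        "note port-20 connection to 8080": evaluate(FTP_IN, Packet(HOST, CLIENT, 20, 8080)),
        "note port-20 to 8080, hardened": evaluate(FTP_IN_HARDENED, Packet(HOST, CLIENT, 20, 8080)),
        "step5 client ack on data channel": evaluate(FTP_OUT, Packet(CLIENT, HOST, 40001, 20, ack=True)),
        "step5 client new connection to port 20": evaluate(FTP_OUT, Packet(CLIENT, HOST, 40001, 20)),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:40} -> {verdict}")
```

Running it shows the two points the text makes: a fresh connection arriving from port 21 is denied because the "established" keyword only admits packets of connections the client opened, and a port-20 connection to port 22 is denied by "dst gt 1023", while the same connection to port 8080 is permitted until the Note's deny rule is placed ahead of it.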
