ACL - FTP problem
Miek
Member Posts: 47 ■■□□□□□□□□
in CCNA & CCENT
Hi,
I was trying to make an ACL where I only want to permit FTP traffic and deny all other traffic.
Problem is - using active or passive FTP - the FTP server only uses port 21 for the connection, but when I try the list command, I see it's using other ports (>1024) and not port 20 for FTP data.
ACL I made:
access-list 100 permit tcp 192.168.2.0 0.0.0.255 host 192.168.2.2 eq 20
access-list 100 permit tcp 192.168.2.0 0.0.0.255 host 192.168.2.2 eq 21
Hope someone can help me with this one ...
Greetz
Miek
Comments
Miek Member Posts: 47 ■■□□□□□□□□
I found the solution ...
When you're going to make an FTP connection, the connection itself (sending user names and passwords) uses port 21. But when you want to transmit/receive data, ports 1024 and above are used.
Normally, when using active FTP, only ports 21 and 20 should be used, but that isn't the case.
When using passive FTP, the FTP server always uses ports >1024.
I checked that with a packet analyzer ...
So, back to the ACLs ...
When you want to make an ACL that only permits FTP traffic (I think this also counts for mail traffic, ...) you have to add a 'rule' to your ACL:
access-list 100 remark FTP control connection
access-list 100 permit tcp 192.168.2.0 0.0.0.255 host 192.168.2.2 eq 21
access-list 100 remark passive FTP data connections (server picks a port above 1024)
access-list 100 permit tcp 192.168.2.0 0.0.0.255 host 192.168.2.2 gt 1024
Port 20 isn't often used, so you don't have to include that one in the ACL.
With the second rule you're opening all ports above 1024, but those are unregistered port numbers, so other applications (using ports smaller than 1024) aren't permitted.
Hope someone else can use this tip too!
Greets
Miek
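As an added example (not from the thread), here is a small Python model of the ACL evaluation run against a constructed PASV reply: it shows why the `eq 20`/`eq 21` list drops the LIST data connection, and that the `gt 1024` entry admits it but also admits any other high-port listener on the server. The client address, the control-session text and the minimal ACE parser are assumptions made for the example.

```python
import re
# Constructed control-channel excerpt of a passive FTP session (not a real capture).
# The 227 reply announces the server's data endpoint: port = 4*256 + 210 = 1234.
CONTROL_SESSION = "220 ftp ready\r\nPASV\r\n227 Entering Passive Mode (192,168,2,2,4,210).\r\nLIST\r\n"
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def pasv_data_endpoint(control_text):
    """Return (server_ip, data_port) from the 227 reply, exactly as a client would."""
    m = PASV_RE.search(control_text)
    if not m:
        raise ValueError("no 227 PASV reply in control session")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def parse_ace(line):
    """Parse 'access-list N permit|deny tcp SRC WILDCARD host DST [eq|gt|lt PORT]' (assumed subset)."""
    t = line.split()
    if t[0] != "access-list" or t[3] != "tcp" or t[6] != "host":
        raise ValueError(f"unsupported ACE: {line}")
    op, port = (t[8], int(t[9])) if len(t) > 9 else (None, 0)
    return t[2], ip_to_int(t[4]), ip_to_int(t[5]), ip_to_int(t[7]), op, port

PORT_OPS = {"eq": lambda p, n: p == n, "gt": lambda p, n: p > n,
            "lt": lambda p, n: p < n, None: lambda p, n: True}
def acl_permits(acl_lines, src_ip, dst_ip, dst_port):
    """Evaluate one TCP flow: first matching entry wins, implicit deny at the end."""
    for line in acl_lines:
        action, src, wild, dst, op, port = parse_ace(line)
        if (ip_to_int(src_ip) | wild) != (src | wild):  # wildcard bits are don't-care
            continue
        if ip_to_int(dst_ip) != dst or not PORT_OPS[op](dst_port, port):
            continue
        return action == "permit"
    return False  # implicit deny

ORIGINAL_ACL = ["access-list 100 permit tcp 192.168.2.0 0.0.0.255 host 192.168.2.2 eq 20",
                "access-list 100 permit tcp 192.168.2.0 0.0.0.255 host 192.168.2.2 eq 21"]
FIXED_ACL = [ORIGINAL_ACL[1],
             "access-list 100 permit tcp 192.168.2.0 0.0.0.255 host 192.168.2.2 gt 1024"]
def ftp_session_allowed(acl_lines, client_ip="192.168.2.10"):
    """(control connection to port 21 permitted?, PASV data connection permitted?)"""
    server_ip, data_port = pasv_data_endpoint(CONTROL_SESSION)
    return (acl_permits(acl_lines, client_ip, server_ip, 21),
            acl_permits(acl_lines, client_ip, server_ip, data_port))
```

Checking a non-FTP high port such as 3389 against FIXED_ACL returns True while 445 returns False, which is the trade-off of the `gt 1024` entry: low ports stay closed, but every listener above 1024 on 192.168.2.2 becomes reachable from the client subnet.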