ACL - FTP problem

MiekMiek Member Posts: 47 ■■□□□□□□□□

I was trying to make an ACL where I only want to permit FTP traffic and deny all other traffic.

Problem is - using active or passive FTP - the FTP server only uses port 21 for the connection, but when I try the list command, I see it's using other ports (>1024) and not port 20 for FTP data.

ACL I made:

access-list 100 permit tcp host eq 20
access-list 100 permit tcp host eq 21

Hope someone can help me with this one ...

Greetz ;)



  • MiekMiek Member Posts: 47 ■■□□□□□□□□
    I found the solution ...

    When you're going to make an FTP connection, the connection itself (sending user names and passwords) uses port 21. But when you want to transmit/receive data, ports 1024 and above are used.

    Normally, when using active FTP, only ports 21 and 20 should be used, but that isn't the case.

    When using passive FTP, the FTP server always uses ports >1024.

    I checked that with a packet analyzer ...

    So, back to the ACL's ...

    When you want to make an ACL that only permits FTP traffic (I think this also applies to mail traffic, ...) you have to add a 'rule' to your ACL:

    access-list 100 permit tcp host eq 21
    access-list 100 permit tcp host eq 21 gt 1024

    Port 20 isn't often used, so you don't have to include that one in the ACL.

    With the second rule you're opening all ports above 1024, but those are unregistered port numbers, so other applications (using ports smaller than 1024) aren't permitted.

    Hope someone else can use this tip too! ;)
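Added example (not part of the thread or the poster's configuration): the script below decodes the FTP PASV reply and PORT command that a packet analyzer shows during the data-channel setup, and then runs the resulting TCP flows through a model of the ACL from the post above, using Cisco first-match semantics with the implicit deny at the end. The addresses 10.0.0.5 (server), 10.0.0.20 (client), the ephemeral ports and the messages are constructed for illustration; the ACL is assumed to be applied to traffic heading towards the server.

```python
"""Worked example: FTP data-channel ports versus an extended ACL.
Not from the original post; hosts, ports and messages are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

SERVER = "10.0.0.5"   # assumed FTP server address (constructed)
CLIENT = "10.0.0.20"  # assumed FTP client address (constructed)

_HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def _decode_hostport(text: str) -> tuple[str, int]:
    """Turn the FTP 'h1,h2,h3,h4,p1,p2' tuple into ('h1.h2.h3.h4', p1*256+p2)."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    f = [int(x) for x in m.groups()]
    if any(x > 255 for x in f):
        raise ValueError("field out of range")
    return ".".join(map(str, f[:4])), f[4] * 256 + f[5]


def parse_pasv(reply: str) -> tuple[str, int]:
    """Server reply '227 Entering Passive Mode (...)': the client will open
    the data connection to that host:port, which the server picks above 1024."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 PASV reply")
    return _decode_hostport(reply)


def parse_port(cmd: str) -> tuple[str, int]:
    """Client command 'PORT ...' (active mode): the server will open the data
    connection from its port 20 to that host:port on the client."""
    if not cmd.upper().startswith("PORT "):
        raise ValueError("not a PORT command")
    return _decode_hostport(cmd)


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


# Model of the poster's ACL, entries as (source, destination, operator, port):
#   access-list 100 permit tcp any host 10.0.0.5 eq 21
#   access-list 100 permit tcp any host 10.0.0.5 gt 1024
ACL_FTP = [
    ("any", SERVER, "eq", 21),
    ("any", SERVER, "gt", 1024),
]


def acl_permits(flow: Flow, acl=ACL_FTP) -> bool:
    """Cisco semantics: first matching entry wins; no match means deny."""
    for src, dst, op, port in acl:
        if src != "any" and src != flow.src:
            continue
        if dst != "any" and dst != flow.dst:
            continue
        if op == "eq" and flow.dport != port:
            continue
        if op == "gt" and flow.dport <= port:
            continue
        return True
    return False


def ftp_session_flows() -> dict[str, Flow]:
    """Constructed flows of one session, derived from a PASV reply and a
    PORT command as a packet analyzer would show them."""
    pasv_host, pasv_port = parse_pasv("227 Entering Passive Mode (10,0,0,5,195,149)")
    port_host, port_port = parse_port("PORT 10,0,0,20,156,66")
    return {
        "control": Flow(CLIENT, 40000, SERVER, 21),
        "passive_data": Flow(CLIENT, 40001, pasv_host, pasv_port),  # to server:50069
        "active_data": Flow(SERVER, 20, port_host, port_port),      # server:20 to client:40002
        "unrelated": Flow(CLIENT, 40003, SERVER, 8080),             # some other high-port service
    }


def evaluate() -> dict[str, bool]:
    """Result of the ACL for each constructed flow, keyed by flow name."""
    return {name: acl_permits(flow) for name, flow in ftp_session_flows().items()}


if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{name:13s} {'permit' if ok else 'deny'}")
```

Running it shows why the second entry is needed: the passive data connection lands on server port 50069, so `eq 21` alone would drop it. It also shows the two caveats a practitioner will want to check with this approach: the active-mode data connection (server port 20 towards the client) is not covered by an ACL that only looks at traffic towards the server, and `gt 1024` permits any other service the server happens to run on a high port as well. A narrower passive port range configured on the FTP server, permitted as a range instead of `gt 1024`, or a stateful FTP inspection feature on the router, keeps the opening smaller.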

