07-22-2009 11:57 PM - edited 03-11-2019 08:58 AM
Hi all
I am trying to establish a capture and I want to exclude passive FTP traffic from the capture. The problem is that in passive FTP the control session is well defined and there is no problem excluding it from the capture. But the data session is allowed by the full-state firewall traffic inspection, meaning that the pair of ports used for the data session is dynamically established during the control session connection. Is there a way to exclude the whole FTP traffic from the capture?
I am using for example the following access list in the capture:
access-list CAP-LIST extended deny tcp host 10.10.0.1 host 10.10.10.1 eq ftp
access-list CAP-LIST extended permit ip any any
capture mycap access-list CAP-LIST interface OUTSIDE
Thanks a lot for your help.
Jose
07-23-2009 04:36 AM
Think about ftp passive. Here is how it works:
- First connection from the client to server is from a client random high port to server tcp port 21, the command & control port.
- Second connection from the client to server will be from a client random high port to a server random high port specified by the server. In this case, you are talking about > 1024 ports on both client and server.
The access-list will look something like this:
access-list 101 deny tcp host 129.174.1.1 host 4.2.2.2 eq ftp
access-list 101 deny tcp host 129.174.1.1 host 4.2.2.2 gt 1023
access-list 101 permit ip any any
Problem with this is that you may miss other traffic that also uses high tcp ports such as sqlnet, MSsql, MySQL and terminal service, to name a few.
This is a tcpdump of how passive works. Notice the following lines:
12:31:38.247419 129.174.1.1.35640 > 4.2.2.2.2303: . ack 69 win 1460
12:31:38.247684 129.174.1.1.35640 > 4.2.2.2.2303: F 1:1(0) ack 70 win 1460
This tells you that the data connection port is randomized due to the nature of passive ftp. Complete tcpdump of passive output below:
[Expert@cp-ngx]tcpdump -nnni eth0 host 129.174.1.1
12:31:30.426628 129.174.1.1.35639 > 4.2.2.2.21: S 2862062823:2862062823(0) win 5840
12:31:30.428910 4.2.2.2.21 > 129.174.1.1.35639: S 3767689974:3767689974(0) ack 2862062824 win 5792
12:31:30.429130 129.174.1.1.35639 > 4.2.2.2.21: . ack 1 win 1460
12:31:30.434889 4.2.2.2.21 > 129.174.1.1.35639: P 1:21(20) ack 1 win 1448
12:31:30.435128 129.174.1.1.35639 > 4.2.2.2.21: . ack 21 win 1460
12:31:30.435268 129.174.1.1.35639 > 4.2.2.2.21: P 1:14(13) ack 21 win 1460
12:31:30.435886 4.2.2.2.21 > 129.174.1.1.35639: . ack 14 win 1448
12:31:38.247203 4.2.2.2.2303 > 129.174.1.1.35640: P 1:69(68) ack 1 win 1448
12:31:38.247284 4.2.2.2.21 > 129.174.1.1.35639: P 361:385(24) ack 100 win 1448
12:31:38.247335 4.2.2.2.2303 > 129.174.1.1.35640: F 69:69(0) ack 1 win 1448
12:31:38.247419 129.174.1.1.35640 > 4.2.2.2.2303: . ack 69 win 1460
12:31:38.247684 129.174.1.1.35640 > 4.2.2.2.2303: F 1:1(0) ack 70 win 1460
12:31:38.247747 129.174.1.1.35639 > 4.2.2.2.21: . ack 385 win 1460
12:31:38.248375 4.2.2.2.2303 > 129.174.1.1.35640: . ack 2 win 1448
109 packets received by filter
0 packets dropped by kernel
[Expert@cp-ngx]#
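Since a capture ACL is static and the data port only exists after the server's 227 reply, one way to get an FTP-free view is to post-process the capture: parse the PASV replies out of the control channel, derive the announced data ports, and drop those flows along with the port 21 ones. The script below is an added example, not code from this thread; the control-channel replies and flow tuples are constructed, reusing the 129.174.1.1 / 4.2.2.2 hosts and port 2303 from the tcpdump above (4,2,2,2,8,255 encodes 8*256+255 = 2303).

```python
import re
from typing import Iterable, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]
Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# Constructed control-channel replies from the server in the thread (4.2.2.2).
CONTROL_LINES = [
    "220 FTP server ready",
    "331 Password required",
    "230 User logged in",
    "227 Entering Passive Mode (4,2,2,2,8,255)",  # announces data port 2303
    "150 Opening ASCII mode data connection",
    "226 Transfer complete",
]

# Constructed flows as they might appear on the OUTSIDE interface.
FLOWS: List[Flow] = [
    ("129.174.1.1", 35639, "4.2.2.2", 21),    # FTP control
    ("129.174.1.1", 35640, "4.2.2.2", 2303),  # FTP data, negotiated via PASV
    ("129.174.1.1", 40000, "4.2.2.2", 1433),  # MSSQL on a high port: must be kept
]
FTP_SERVERS: Set[Endpoint] = {("4.2.2.2", 21)}  # known control endpoints to exclude

def parse_pasv(line: str) -> Optional[Endpoint]:
    """Return the (ip, port) announced by a 227 reply, or None for any other line."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = m.groups()
    return f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2)

def ftp_data_endpoints(control_lines: Iterable[str]) -> Set[Endpoint]:
    """Collect every server endpoint announced for a passive data connection."""
    return {ep for ep in map(parse_pasv, control_lines) if ep is not None}

def non_ftp_flows(flows: Iterable[Flow], control: Set[Endpoint],
                  data: Set[Endpoint]) -> List[Flow]:
    """Keep flows whose destination is neither an FTP control nor a negotiated data endpoint."""
    return [f for f in flows if (f[2], f[3]) not in control and (f[2], f[3]) not in data]

if __name__ == "__main__":
    for f in non_ftp_flows(FLOWS, FTP_SERVERS, ftp_data_endpoints(CONTROL_LINES)):
        print(f)  # only the MSSQL flow remains; a blanket "gt 1023" deny would have dropped it
```

Unlike the `gt 1023` ACL, this keeps the other high-port services the reply warns about, because only the ports the server actually announced are excluded.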
07-23-2009 09:20 AM
Thanks for your answer.
I understand how passive ftp works.
Let me explain my problem...
I am trying to capture all the traffic EXCEPT the ftp traffic.
Since passive ftp data traffic is allowed through ftp inspection once the control session is established I am not worried capturing it in order to create my access lists.
BUT when I create a long-term capture (in order to verify which traffic I should permit through access-lists) and exclude the traffic on port 21, the ftp data traffic still shows up since the from and to ports for data communication are decided during the control session connection.
My question is: Is there a way to exclude FTP data traffic from the capture
when using passive ftp????
Thanks again
Jose