ftp-firewall

ttkmm
Level 1

I have a router that I would like to configure as an "ftp-firewall". That means I want to allow just FTP traffic to and from a network to an FTP server (10.1.1.5).

What would that config look like?

I have maybe done something wrong, because when I do a "dir" or try to download a file from the FTP server, it all hangs...

2 Replies

mrmozaffari
Level 1

Hi

You have to define the access list and bind it to the proper interface, like this.

Internet---- (ser0)[Router](fast0)--- ftp server

Now we define the access list; it should be an extended access list:

conf t
access-list 100 permit tcp any host 10.1.1.5 eq ftp
access-list 100 permit tcp host 10.1.1.5 any eq ftp
access-list 100 deny ip any any

Now we bind it to the serial interface inbound:

interface s0
ip access-group 100 in

That's all.

Best Regards Bahman Mozaffari.

m.sir
Level 7

FTP can be in either passive or active mode. You configure a router differently depending on which mode you are using.

In active mode the FTP server initiates the data connection.

In passive mode the FTP client initiates both connections to the server.

Good explanation of active & passive:

http://slacksite.com/other/ftp.html

If you are using FTP in passive mode, the ACLs should be the following.

From the CLIENT side:

access-list 101 permit tcp any gt 1023 host 10.1.1.5 eq 21
access-list 101 permit tcp any gt 1023 host 10.1.1.5 gt 1023
access-list 101 deny ip any any

From the SERVER side:

access-list 102 permit tcp host 10.1.1.5 eq 21 any gt 1023
access-list 102 permit tcp host 10.1.1.5 gt 1023 any gt 1023
access-list 102 deny ip any any

m.
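As an added illustration, not part of either reply: a small stateless matcher for the extended-ACL syntax used above, run over the passive-mode control and data packets in both directions. The client address 192.0.2.10 and all port numbers are constructed; it shows that a client-side list admitting only port 21 lets the login through but drops the data connection to the server's high port, which is what a hanging "dir" looks like.

```python
import re
SERVER, CLIENT = "10.1.1.5", "192.0.2.10"  # client address is constructed

# One extended-ACL line: access-list N permit|deny tcp|ip SRC [gt|eq P] DST [gt|eq P]
RULE = re.compile(r"access-list \d+ (permit|deny) (tcp|ip) (any|host \S+)"
                  r"(?: (gt|eq) (\d+))? (any|host \S+)(?: (gt|eq) (\d+))?$")

def parse_acl(text):
    """Return the rule tuples found in text, in order; other lines are skipped."""
    return [m.groups() for m in (RULE.match(l.strip()) for l in text.splitlines()) if m]

def _addr_ok(spec, addr):
    return spec == "any" or spec == "host " + addr
def _port_ok(op, val, port):
    return op is None or (port > int(val) if op == "gt" else port == int(val))

def acl_permits(rules, src, sport, dst, dport):
    """Stateless first-match check of one TCP packet; implicit deny at the end."""
    for action, _proto, s, sop, sval, d, dop, dval in rules:
        if (_addr_ok(s, src) and _port_ok(sop, sval, sport)
                and _addr_ok(d, dst) and _port_ok(dop, dval, dport)):
            return action == "permit"
    return False

def passive_ftp_check(client_side_acl, server_side_acl):
    """Which passive-mode packets pass: control to 21, data to a high server port (50000)."""
    cr, sr = parse_acl(client_side_acl), parse_acl(server_side_acl)
    return {"control_to_server": acl_permits(cr, CLIENT, 40001, SERVER, 21),
            "control_reply":     acl_permits(sr, SERVER, 21, CLIENT, 40001),
            "data_to_server":    acl_permits(cr, CLIENT, 40002, SERVER, 50000),
            "data_reply":        acl_permits(sr, SERVER, 50000, CLIENT, 40002)}

# Client-side list admitting only the control connection: login works, data channel never opens.
CLIENT_ACL_CONTROL_ONLY = """
access-list 101 permit tcp any gt 1023 host 10.1.1.5 eq 21
access-list 101 deny ip any any
"""
# Same list with the passive data connection to the server's high port allowed.
CLIENT_ACL_WITH_DATA = """
access-list 101 permit tcp any gt 1023 host 10.1.1.5 eq 21
access-list 101 permit tcp any gt 1023 host 10.1.1.5 gt 1023
access-list 101 deny ip any any
"""
SERVER_ACL = """
access-list 102 permit tcp host 10.1.1.5 eq 21 any gt 1023
access-list 102 permit tcp host 10.1.1.5 gt 1023 any gt 1023
access-list 102 deny ip any any
"""
```

Call passive_ftp_check(CLIENT_ACL_CONTROL_ONLY, SERVER_ACL) and the data_to_server entry is the only False one; with CLIENT_ACL_WITH_DATA every packet of the session is permitted.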
