Filter
Top Products
Packet Filters 8-13
Step 2 - The client opens a control channel
To initiate an FTP session, the client opens a control channel on
the well-known FTP port 21. This means any client on the local
network must be able to send packets to TCP port 21 on any
external host.
set filter ftp.out 1 permit 192.77.203.0/24 0.0.0.0/0 tcp dst eq 21
Step 3 - The host must reply
Allow packets coming from port 21 on any external host. To
prevent intruders from using this opening, restrict the access to
connections “established” by outgoing clients.
set filter ftp.in 1 permit 0.0.0.0/0 192.77.203.0/24 tcp src eq 21
established
Step 4 - The host opens a data transfer channel
Once a file transfer has been set up on the control channel, the
host initiates a data transfer connection from port 20. However,
we don’t know what the destination port will be beforehand. To
permit this connection, we would have to permit any external
host initiating a connection from port 20 to connect to any port
on any host on the internal network. Unfortunately, this also
leaves the network open to any intruder initiating a connection
on port 20. Since most standard services that are vulnerable to
attack are below port 1023. We can block most of these attacks
by forcing the host to connect to a port above 1023.
set filter ftp.in 2 permit 0.0.0.0/0 192.77.203.0/24 tcp src eq 20 dst gt
1023
Note: Since the ports above 1023 are still vulnerable, you
should add additional rules that deny packets to any services
you want to protect. These rules should be placed before the rule
given.
Step 5 - The client must reply
The client must use the data transfer channel to send acknowl-
edgment packets back to the FTP host.
set filter ftp.out 2 permit 192.77.203.0/24 0.0.0.0/0 tcp src gt 1023
dest eq 20 established