Dealing with Passive Mode FTP

Dealing with Passive Mode FTP

Problem

You want to construct an ACL that can identify passive mode FTP sessions.

Solution

This example shows how to filter a Passive FTP control and data sessions:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 144 permit tcp any gt 1023 any eq ftp
Router1(config)#access-list 144 permit tcp any gt 1023 any gt 1023
Router1(config)#access-list 144 deny ip any any
Router1(config)#interface Serial0/0.1
Router1(config-subif)#ip access-group 144 in
Router1(config-subif)#exit
Router1(config)#end
Router1#

Discussion

In Recipe 19.6, we briefly reviewed the traditional way that FTP works. However, there is another subtle variation on this process, which is commonly called Passive FTP. The user connects to the server on port 21, exactly as before. But in the Passive FTP case, the client software issues the command PASV, which instructs the server to listen on a new non-default data port, and wait for a connection. The server selects a new port, which it tells to the client. The server then opens this port and waits for a connection. The client device initiates a new TCP connection to this temporary port number, and uses this connection to transfer its data.

This may sound like an unusual way of doing things, and it probably is. However, this is actually the default mode for many web browsers, including Internet Explorer and Netscape when they do FTP file transfers. This makes passive FTP the most common FTP mode for many networks. The problem is that if you want to control this traffic using an ACL of any kind, you no longer know either the source or destination TCP port numbers. For example, if you need to restrict some traffic, but ensure that passive FTP is allowed, you will need an ACL that can somehow permit the temporary port numbers. In Chapter 27, we will demonstrate a filtering method in which the router uses CBAC to learn about the new port by watching the control session of the FTP session.

This example takes a simpler approach and uses an extended ACL to deal with passive FTP. The trouble with this ACL is that it opens all TCP ports from 1024 and above. Clearly, this is not desirable on a router facing the Internet, or some other unfriendly network. The problem is that passive FTP can pick a different source and destination port each time a web browser connects to it.

Although our example permits passive FTP to pass through, it opens up over 64,000 TCP ports in the process. Obviously, this is not preferred method of permitting passive FTP. In Chapter 27, we discuss a much more secure method of allowing passive FTP through your router.

See Also