HP-UX IPFilter V17.05 Administrator Guide HP-UX 11i v2 and HP-UX 11i v3
12.3.1 Active FTP
FTP Client                Direction of Connection Initiated    FTP Server
any port 1024 or higher   <----------------                    port 21 (control port)
any port 1024 or higher   ---------------->                    port 20 (data port)
On an FTP server using active FTP, configure IPFilter rules to allow control connections in and data
connections out.
For example:
pass in quick proto tcp from any port > 1023 to server_ip port = 21 flags S keep state
pass out quick proto tcp from any port = 20 to any port > 1023 flags S keep state
block in from any to any
block out from any to any
12.3.2 Passive FTP
FTP Client                Direction of Connection Initiated    FTP Server
any port 1024 or higher   <----------------                    port 21 (control port)
any port 1024 or higher   <----------------                    any port 1024 or higher (data port)
To use IPFilter to protect passive FTP sessions, you must limit the port range your system can use
for FTP data connections. For example, you can allocate ports 15001-15500 as FTP data ports and open
only that range in your firewall. In WU-FTPD, you use the passive ports directive in the
/etc/ftpaccess configuration file to designate the ports, as follows:
passive ports server_ip 15001 15500
See the ftpaccess(4) manpage for details on WU-FTPD configuration.
Configure the following IPFilter rules to let the passive FTP traffic pass. The >< operator excludes
both endpoints, so port 15000 >< 15501 matches ports 15001 through 15500, exactly the range given
to WU-FTPD:
pass in quick proto tcp from any port > 1023 to server_ip port = 21 flags S keep state
pass in quick proto tcp from any port > 1023 to server_ip port 15000 >< 15501 flags S keep state
block in from any to any
block out from any to any
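The passive ports directive and the IPFilter range rule must describe the same ports, and the exclusive >< operator makes an off-by-one easy. As an added example (not from the guide), the following Python script parses both files and reports any mismatch; the server address 192.0.2.10 and both configuration excerpts are constructed.

```python
import re
# Constructed /etc/ftpaccess excerpt and ipf rule set; 192.0.2.10 is a placeholder server address.
FTPACCESS = "passive ports 192.0.2.10 15001 15500\n"
IPF_RULES = """\
pass in quick proto tcp from any port > 1023 to 192.0.2.10 port = 21 flags S keep state
pass in quick proto tcp from any port > 1023 to 192.0.2.10 port 15000 >< 15501 flags S keep state
block in from any to any
block out from any to any
"""

PASSIVE_RE = re.compile(r"^\s*passive\s+ports\s+(\S+)\s+(\d+)\s+(\d+)", re.M)
# Destination clause of a pass-in rule: "to <addr> port <lo> >< <hi>" or "to <addr> port = <n>"
RANGE_RE = re.compile(r"^pass\s+in\b.*\bto\s+(\S+)\s+port\s+(\d+)\s*><\s*(\d+)", re.M)
EQ_RE = re.compile(r"^pass\s+in\b.*\bto\s+(\S+)\s+port\s*=\s*(\d+)", re.M)

def passive_ranges(ftpaccess):
    """Inclusive {server: (low, high)} from each 'passive ports' directive."""
    return {m[1]: (int(m[2]), int(m[3])) for m in PASSIVE_RE.finditer(ftpaccess)}

def allowed_ports(rules):
    """{dest: set(ports)} opened inbound. ipf's '><' excludes both ends,
    so 'port 15000 >< 15501' opens 15001-15500, not 15000-15501."""
    allowed = {}
    for m in RANGE_RE.finditer(rules):
        allowed.setdefault(m[1], set()).update(range(int(m[2]) + 1, int(m[3])))
    for m in EQ_RE.finditer(rules):
        allowed.setdefault(m[1], set()).add(int(m[2]))
    return allowed

def check_passive(ftpaccess, rules):
    """Findings as strings; an empty list means ftpaccess and ipf.conf agree."""
    findings, allowed = [], allowed_ports(rules)
    for server, (lo, hi) in passive_ranges(ftpaccess).items():
        opened = allowed.get(server, set())
        if 21 not in opened:
            findings.append(f"{server}: control port 21 is not opened inbound")
        wanted = set(range(lo, hi + 1))
        missing = sorted(wanted - opened)
        if missing:
            findings.append(f"{server}: {len(missing)} passive ports not opened "
                            f"(first {missing[0]}, last {missing[-1]})")
        extra = sorted(opened - wanted - {21})
        if extra:
            findings.append(f"{server}: {len(extra)} ports opened beyond the passive range "
                            f"(first {extra[0]}, last {extra[-1]})")
    return findings

if __name__ == "__main__":
    print(check_passive(FTPACCESS, IPF_RULES) or "ftpaccess and IPFilter rules agree")
```

Writing the rule as port 15001 >< 15500 (treating >< as inclusive) leaves ports 15001 and 15500 closed, which the script reports.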
12.4 Running an FTP client
As with FTP servers, there are two types of FTP client transfers, active and passive.
12.4.1 Active FTP
FTP Client                Direction of Connection Initiated    FTP Server
any port 1024 or higher   <----------------                    port 21 (control port)
any port 1024 or higher   ---------------->                    port 20 (data port)
To let an FTP client open an active FTP session, configure IPFilter rules to allow control connections
out and data connections in.
pass out quick proto tcp from client_ip port > 1023 to any port = 21 flags S keep state
pass in quick proto tcp from any port = 20 to client_ip port > 1023 flags S keep state
block in from any to any
block out from any to any