HP-UX IPFilter Version 17 Administrator's Guide
WU-FTPD 2.6.1 is a core product on HP-UX 11i v2.
12.3 Running an FTP Server
This section describes active FTP and passive FTP server setup.
12.3.1 Active FTP
FTP Client                 Direction of Connection Initiated   FTP Server
any port 1024 or higher    <----------------                   port 21 (control port)
any port 1024 or higher    ---------------->                   port 20 (data port)
On an FTP server using active FTP, configure IPFilter rules to allow control connections in and
data connections out.
For example:
pass in quick proto tcp from any port > 1023 to server-ip port = 21 flags S keep state
pass out quick proto tcp from any port = 20 to any port > 1023 flags S keep state
block in from any to any
block out from any to any
12.3.2 Passive FTP
FTP Client                 Direction of Connection Initiated   FTP Server
any port 1024 or higher    <----------------                   port 21 (control port)
any port 1024 or higher    <----------------                   any port 1024 or higher (data port)
To use IPFilter to protect passive FTP sessions, you must limit the port range your system can
use for FTP access. For example, you can allocate ports 15001-15500 as FTP ports and open only
that range in your firewall. In WU-FTPD, you use the passive ports directive in the
/etc/ftpaccess configuration file to designate the ports, as follows:
passive ports server_ip 15001 15500
See the ftpaccess(4) manpage for details on WU-FTPD configuration.
Configure the following IPFilter rules to let the passive FTP traffic pass:
pass in quick proto tcp from any port > 1023 to server_ip port = 21 flags S keep state
pass in quick proto tcp from any port > 1023 to server_ip port 15000 >< 15501 flags S keep state
block in from any to any
block out from any to any
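The passive ports directive uses inclusive bounds (15001 15500), while the IPFilter >< operator excludes both end values (15000 >< 15501), so the two files are easy to get out of step. The following check is an added example, not part of the HP guide; the function names and sample strings are constructed for illustration, and server_ip is the guide's own placeholder.

```python
import re

# Constructed samples that mirror this section; server_ip is the guide's placeholder.
FTPACCESS = """\
passive ports server_ip 15001 15500
"""
IPF_RULES = """\
pass in quick proto tcp from any port > 1023 to server_ip port = 21 flags S keep state
pass in quick proto tcp from any port > 1023 to server_ip port 15000 >< 15501 flags S keep state
block in from any to any
block out from any to any
"""

def ftpd_passive_ports(text):
    """Ports WU-FTPD may listen on: 'passive ports <addr> <min> <max>' is inclusive."""
    ports = set()
    for line in text.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) == 5 and tok[:2] == ["passive", "ports"]:
            ports.update(range(int(tok[3]), int(tok[4]) + 1))
    return ports

# Destination range of a 'pass in' rule. IPFilter's '><' excludes both end values,
# so "port 15000 >< 15501" opens 15001 through 15500.
_DST_RANGE = re.compile(r"^pass\s+in\b.*\bto\s+\S+\s+port\s+(\d+)\s*><\s*(\d+)")

def ipf_open_ports(text):
    """Ports opened inbound by '><' range rules (single-port '=' rules are ignored)."""
    ports = set()
    for line in text.splitlines():
        m = _DST_RANGE.match(line.strip())
        if m:
            ports.update(range(int(m.group(1)) + 1, int(m.group(2))))
    return ports

def compare(ftpaccess, rules):
    """Return (blocked, exposed): passive ports the filter drops, open ports FTP never uses."""
    wanted, opened = ftpd_passive_ports(ftpaccess), ipf_open_ports(rules)
    return sorted(wanted - opened), sorted(opened - wanted)

if __name__ == "__main__":
    print("guide's rules:", compare(FTPACCESS, IPF_RULES))
    # Constructed mistake: the inclusive bounds copied straight into an exclusive range.
    wrong = IPF_RULES.replace("15000 >< 15501", "15001 >< 15500")
    print("off-by-one rule:", compare(FTPACCESS, wrong))
```

A non-empty first list means passive data connections to those ports are dropped by the final block rule; a non-empty second list means the filter admits ports the FTP daemon was never told to use.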
12.4 Running an FTP Client
As with FTP servers, there are two types of FTP client transfers, active and passive.
12.4.1 Active FTP
FTP Client                 Direction of Connection Initiated   FTP Server
any port 1024 or higher    <----------------                   port 21 (control port)
any port 1024 or higher    ---------------->                   port 20 (data port)
To let an FTP client open an active FTP session, configure IPFilter rules to allow control
connections out and data connections in.