HP-UX IPFilter Version 17 Administrator's Guide
pass out quick proto tcp from client_ip port > 1023 to any port = 21 flags S keep state
pass in quick proto tcp from any port = 20 to client_ip port > 1023 flags S keep state
block in from any to any
block out from any to any
NOTE: FTP Proxy is not supported by HP. For a complete list of unsupported utilities and
commands, see “Unsupported Utilities” (page 128).
12.4.2 Passive FTP
FTP Client                 Direction of Connection Initiated    FTP Server
any port 1024 or higher    <----------------                    port 21 (control port)
any port 1024 or higher    <----------------                    any port 1024 or higher (data port)
To let an FTP client open a passive FTP session, configure IPFilter to allow both the control and
data connections out.
Use the following ruleset for client-side, passive FTP:
pass out quick proto tcp from client_ip port > 1023 to any port = 21 flags S keep state
pass out quick proto tcp from client_ip port > 1023 to any port > 1023 flags S keep state
block in from any to any
block out from any to any
TIP: For stronger security, configure IPFilter to allow only active FTP connections from FTP
servers.
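The passive ruleset above, evaluated against a few constructed connection attempts. This is an added example, not part of the HP guide: a small Python model of IPFilter rule evaluation (last match wins, `quick` stops the search) for only the rule subset shown on this page. The address standing in for client_ip, the peer addresses and the function names are assumptions, and every modeled packet is an initial TCP SYN, so `flags S` always matches.

```python
import re

# Constructed placeholder for the guide's client_ip (TEST-NET-1 address).
CLIENT_IP = "192.0.2.10"

PASSIVE_RULES = """\
pass out quick proto tcp from client_ip port > 1023 to any port = 21 flags S keep state
pass out quick proto tcp from client_ip port > 1023 to any port > 1023 flags S keep state
block in from any to any
block out from any to any
"""

RULE = re.compile(
    r"(?P<action>pass|block) (?P<dir>in|out)(?P<quick> quick)?(?: proto (?P<proto>\w+))?"
    r" from (?P<src>\S+)(?: port (?P<sop>[=<>]) (?P<sport>\d+))?"
    r" to (?P<dst>\S+)(?: port (?P<dop>[=<>]) (?P<dport>\d+))?"
    r"(?: flags (?P<flags>\w+))?(?: keep state)?$"
)

def parse(text):
    """Parse the rule subset used on this page into dicts, in file order."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE.match(line.strip().replace("client_ip", CLIENT_IP))
        if m is None:
            raise ValueError("unsupported rule: " + line)
        rules.append(m.groupdict())
    return rules

def _addr_ok(want, addr):
    return want == "any" or want == addr

def _port_ok(op, want, port):
    if op is None:  # rule has no port clause, so any port matches
        return True
    want = int(want)
    return {"=": port == want, ">": port > want, "<": port < want}[op]

def verdict(rules, direction, src, sport, dst, dport):
    """Decide the fate of an initial TCP SYN: last match wins, 'quick' stops."""
    result = "pass"  # assumption: a packet matching no rule is passed
    for r in rules:
        if (r["dir"] == direction and r["proto"] in (None, "tcp")
                and _addr_ok(r["src"], src) and _port_ok(r["sop"], r["sport"], sport)
                and _addr_ok(r["dst"], dst) and _port_ok(r["dop"], r["dport"], dport)):
            result = r["action"]
            if r["quick"]:
                break
    return result
```

The second pass rule matches any outbound connection from the client to a port above 1023, not only FTP data connections, so `verdict(parse(PASSIVE_RULES), "out", CLIENT_IP, 40004, "203.0.113.9", 8080)` returns `"pass"` while an inbound SYN from port 20 returns `"block"`.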
12.4 Running an FTP Client 111