Welcome to ISAserver.org

DMZ Passive Ftp - all ports unfiltered?

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2000 Firewall] >> DMZ >> DMZ Passive Ftp - all ports unfiltered?

Page: [1]

Message

<< Older Topic Newer Topic >>

DMZ Passive Ftp - all ports unfiltered? - 24.Mar.2005 6:45:00 PM

Kpeter

Posts: 1
Joined: 24.Mar.2005
Status: offline

Hi!

I have a FTP server in my DMZ.
Only passive ftp is allowed.
Theoretically i need to use these rules:

1. FTP control port: remote any, local fixed TCP 21, inbound.
2. FTP data port: remote any, local dynamic(!), inbound.

Passive ftp works well, but if i run a portscan against the server (from the Internet) i can connect to ALL it's ports! Eg. this ftp server has a special application listening on port TCP 7273, and nmap lists it as OPEN.

Is there any way to allow using packet filters only the dynamic range (1025-5000)?

Post #: 1

Featured Links*

RE: DMZ Passive Ftp - all ports unfiltered? - 24.Mar.2005 8:37:00 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Kpeter,

as far as I know, no. Personnaly I would only allow active mode FTP. [Big Grin]

For more info, check out http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html .

HTH,
Stefaan

(in reply to Kpeter)

Post #: 2

RE: DMZ Passive Ftp - all ports unfiltered? - 22.Aug.2005 4:31:00 AM

kwyap

Posts: 39
Joined: 8.Jun.2004
From: Malaysia
Status: offline

Hi Kpeter,

I'm having problem to publish my FTP server in DMZ. Can you please have a look on the topic i have posted? Microsoft ISA Server Message Boards + ISA Server 2000 Firewall + DMZ + ISA Thrihomed routing

Much appreciate for your suggestion.

(in reply to Kpeter)

Post #: 3