FTPing from the inside only....

bmckinley · ‎10-11-2002

I'm wanting to enable the ability to FTP through our firewall but only if the request was made from the inside.

The previous admin removed all FTP options because he said that's how the website got hacked. Now that he is gone I'd like to allow it again but only on the inside, this way we can update our off site website instead of driving to it with a CD of changes, also I can't even download some necessary files from the internet. How do I set up this in our PIX 501?

Thanks.

steve.barlow · ‎10-11-2002

Very easy. Have your outside acl not permit FTP inbound (just don't mention ftp at all in your acl). Then make sure the command "fixup protocol ftp 21" is there and that's it. The PIX will dynamically open up the outside to allow return ftp (active and passive) back in but won't allow someone on the outside to start the connection. The PIX does this dynamically by monitoring the FTP conversation, a router would need acl rules to allow this but the PIX does it on the fly. If you disable FTP fixups with the no fixup protocol ftp command, outbound users can start connections only in passive mode, and all inbound FTP is disabled.

By default the PIX allows all traffic from a higher security interface (ie the inside) to a lower security interface (ie the outside) but doesn't allow lower to higher with an acl and static command. If you don't create a static and acl, the outside can't start a ftp in, only reply to your outbound ftp sessions.

Note: "The strict option to the fixup protocol ftp command prevents web browsers from sending embedded commands in FTP requests. Each FTP command must be acknowledged before a new command is allowed. Connections sending embedded commands are dropped. The strict option only lets an FTP server generate the 227 command and only lets an FTP client generate the PORT command. The 227 and PORT commands are checked to ensure they do not appear in an error string."

Hope it helps.

Steve