Application port allow in firewall (like ftp active and passive)

MrBeginner
Spotlight

Dear All,

I am a bit confused about TCP connection initiation between some server and client applications and how to allow the traffic in the firewall, because I am confused about the session layer.

For example: the server listens on port 3000 for any clients.

If a client sends a request to the server, the destination port is 3000 and the source port is a random port (e.g. 2000). Which ports (destination port and source port) will the server use to reply to the client? Does the server use a random high port?

Or does the server reply to the client with destination port 2000 and a random port as its source port?

In the firewall, do I only need to allow port 3000 in one direction? Do I need to open it bi-directionally?

Or do I need to allow all high ports in the firewall, like for passive FTP traffic?

Accepted Solution

Dennis Mink
VIP Alumni

Firewalls are stateful, so in 99% of the cases you allow traffic from source to destination and you allow a certain destination port. So if you allow from source to destination on tcp/3000 then really you don't care much about the port the source would like its response back on.

Firewalls typically allow the return traffic as they are stateful, although you can be more granular than that.

Please remember to rate useful posts, by clicking on the stars below.
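The stateful behaviour described above, as an added example that is not part of the original thread: a small Python model of a firewall connection table. One rule permits the client to reach tcp/3000; the server's reply travels from port 3000 back to the client's port 2000 (TCP swaps source and destination, it does not pick a new random port) and is allowed by the stored session rather than by a rule, while unsolicited packets, including a passive-FTP-style data connection to a high port, are denied. The addresses, ports, class names and the exact-match rule format are constructed for this illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True only for the first packet of a new TCP connection

@dataclass(frozen=True)
class Rule:
    """Permit new connections from src_ip to dst_ip:dst_port (constructed, exact match only)."""
    src_ip: str
    dst_ip: str
    dst_port: int

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()  # (src_ip, src_port, dst_ip, dst_port) of accepted connections

    def _rule_permits(self, pkt):
        return any(r.src_ip == pkt.src_ip and r.dst_ip == pkt.dst_ip
                   and r.dst_port == pkt.dst_port for r in self.rules)

    def process(self, pkt):
        """Return 'allow-rule', 'allow-state' or 'deny' for one packet."""
        forward = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        # Return traffic matches the stored session in reverse; no rule is consulted.
        if forward in self.sessions or reverse in self.sessions:
            return "allow-state"
        # Only a new connection (SYN) is checked against the rule base.
        if pkt.syn and self._rule_permits(pkt):
            self.sessions.add(forward)
            return "allow-rule"
        return "deny"

def demo():
    # Constructed addresses: client 10.0.0.5, server 192.0.2.10, one rule for tcp/3000.
    fw = StatefulFirewall([Rule("10.0.0.5", "192.0.2.10", 3000)])
    return [
        fw.process(Packet("10.0.0.5", 2000, "192.0.2.10", 3000, syn=True)),   # client SYN to 3000
        fw.process(Packet("192.0.2.10", 3000, "10.0.0.5", 2000)),             # server reply, 3000 -> 2000
        fw.process(Packet("192.0.2.10", 40000, "10.0.0.5", 2000)),            # server from random port: no state
        fw.process(Packet("10.0.0.5", 2001, "192.0.2.10", 50000, syn=True)),  # passive-FTP-style data port: no rule
    ]
```

The last case is why the FTP articles linked later in the thread talk about allowing high ports or using protocol inspection: without state or a rule for the data port, the data connection is dropped.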

Hi,

Thank you for your explanation.

Please let me know if the scenario in the links below is different from your explanation? It is not a Cisco ASA firewall example. Because after reading the links below I came up with the above question. Are the links below related to passive FTP only? Not related to other traffic?

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Active_and_Passive_FTP_Overview_and_Configuration 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFeCAK 

Hi,

Maybe this will help you:

https://www.cisco.com/c/en/us/support/docs/content-networking/file-transfer-protocol-ftp/200194-ASA-9-x-Configure-FTP-TFTP-Services.html

Thank you, Panos.
Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies