The FTP ALG restrictions will be set as follows:
• Enable the Allow client to use active mode FTP ALG option so clients can use both active and passive modes.
• Disable the Allow server to use passive mode FTP ALG option. This is more secure for the server as it will never receive passive mode data connections. If a client connects using passive mode, the FTP ALG handles the conversion: the client stays passive towards the firewall while the firewall uses active mode towards the server.
Assume the private IPv4 address of the FTP server is already defined in the address book and has the name ftp-internal.
Command-Line Interface
A. Define the ALG (AllowServerPassive is set to No to match the restriction described above):
gw-world:/> add ALG ALG_FTP ftp-inbound AllowClientActive=Yes AllowServerPassive=No
B. Define the Service:
gw-world:/> add Service ServiceTCPUDP ftp-inbound-service DestinationPorts=21 Type=TCP ALG=ftp-inbound
C. Define a SAT rule allowing connections to the public IP on port 21 and forwarding them to the FTP server:
gw-world:/> add IPRule Action=SAT Service=ftp-inbound-service SourceInterface=any SourceNetwork=all-nets DestinationInterface=core DestinationNetwork=wan_ip SATTranslate=DestinationIP SATTranslateToIP=ftp-internal Name=SAT-ftp-inbound
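The following Python model illustrates what the two ALG options above mean on the FTP control channel. It is an added example written for this page, not the firewall's own code: it parses the PORT command and the 227 passive-mode reply, applies the AllowClientActive / AllowServerPassive policy, performs the passive-to-active conversion the text describes, and rewrites the private server address in 227 replies to the public wan_ip. All addresses and ports (203.0.113.10, 10.0.0.5, 10.0.0.1, 198.51.100.7, port 40000) are constructed sample values, and the way the ALG terminates data connections on its own inside address is a simplification of how a real ALG proxies them.

```python
import re
from dataclasses import dataclass, field

# Constructed sample values (not from the manual):
PUBLIC_IP = "203.0.113.10"    # the firewall's wan_ip that clients connect to
SERVER_IP = "10.0.0.5"        # the ftp-internal address book entry
ALG_INSIDE_IP = "10.0.0.1"    # firewall address on the server's LAN
ALG_FIRST_DATA_PORT = 40000   # first port the ALG uses for its own data sockets

_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
_PASV_REPLY_RE = re.compile(r"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(fields):
    """Turn the six h1,h2,h3,h4,p1,p2 fields into (ip, port), rejecting junk values."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("h/p field out of range")
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return ".".join(str(n) for n in nums[:4]), port


def encode_hostport(ip, port):
    """Inverse of decode_hostport: '203.0.113.10', 40000 -> '203,0,113,10,156,64'."""
    return ip.replace(".", ",") + f",{port // 256},{port % 256}"


@dataclass
class FtpAlgPolicy:
    allow_client_active: bool    # the "Allow client to use active mode" option
    allow_server_passive: bool   # the "Allow server to use passive mode" option


@dataclass
class FtpAlg:
    policy: FtpAlgPolicy
    client_ip: str = "198.51.100.7"   # source address of the control connection (constructed)
    public_ip: str = PUBLIC_IP
    inside_ip: str = ALG_INSIDE_IP
    next_port: int = ALG_FIRST_DATA_PORT
    _swallow_port_ack: bool = field(default=False, repr=False)

    def _alloc_port(self):
        port = self.next_port
        self.next_port += 1
        return port

    def from_client(self, line):
        """Return (line_to_server, line_to_client) for one control line from the client."""
        m = _PORT_RE.match(line)
        if m:  # client requests ACTIVE mode: it wants the server to connect back to it
            if not self.policy.allow_client_active:
                return None, "500 Active mode not permitted by policy"
            ip, _port = decode_hostport(m.groups())
            if ip != self.client_ip:
                # PORT pointing at a third host is the classic FTP bounce pattern: refuse it
                return None, "500 PORT address does not match control connection"
            # The ALG accepts the server's data connection itself and relays it to the client
            return f"PORT {encode_hostport(self.inside_ip, self._alloc_port())}", None
        if line.strip().upper() == "PASV":  # client requests PASSIVE mode
            if self.policy.allow_server_passive:
                return "PASV", None  # pass through; the 227 reply is fixed up in from_server
            # Conversion: client stays passive towards the ALG, server is told to go active
            port = self._alloc_port()
            self._swallow_port_ack = True
            to_server = f"PORT {encode_hostport(self.inside_ip, port)}"
            to_client = f"227 Entering Passive Mode ({encode_hostport(self.public_ip, port)})"
            return to_server, to_client
        return line, None  # every other command is relayed unchanged

    def from_server(self, line):
        """Rewrite or drop one server reply before it reaches the client; None = drop."""
        if self._swallow_port_ack and line.startswith("200"):
            self._swallow_port_ack = False   # the client already received its 227
            return None
        m = _PASV_REPLY_RE.match(line)
        if m:
            if not self.policy.allow_server_passive:
                return "500 Server passive mode blocked by policy"
            _ip, port = decode_hostport(m.groups())
            # Server advertised its private address; the client must see the public one
            return f"227 Entering Passive Mode ({encode_hostport(self.public_ip, port)})"
        return line


if __name__ == "__main__":
    alg = FtpAlg(FtpAlgPolicy(allow_client_active=True, allow_server_passive=False))
    print(alg.from_client("PASV"))
    print(alg.from_server("227 Entering Passive Mode (10,0,0,5,200,1)"))
```

With the policy used in this example (client active allowed, server passive disabled), a client PASV produces a PORT towards the server and a 227 carrying the public address towards the client, while a 227 that the server might still emit is refused rather than relayed. Switching allow_server_passive to True shows the other behaviour: PASV is passed through and only the private address inside the server's 227 reply is rewritten.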
Chapter 6: Security Mechanisms
441