I would like know, what I must enter to do an optimal ftp packets filter rule, between the internal network and the external network in passive ftp mode.
In PASV mode, the client has an FTP control channel (TCP port 21) to a server. That server, in turn, sets up a control channel to the second server. Baaed on the commands given, the second server NORMALLY opens a data channel (TCP port 20) back to the first server.
If both servers are on the external network, the only rule you need is for the internal network to start a control channel to the external.
If the first server is internal and the second is external, then you need control out and data in.
If the first is external and the second is internal, you have control channels both ways and data out.
I think that is it, without opening Steven's excellent book, "TCP/IP Illistrated" Vol 1.
