Step 2 - The client opens a control channel
To initiate an FTP session, the client opens a control channel on the
set filter ftp.out 1 permit 192.77.203.0/24 0.0.0.0/0 tcp dst eq 21
Step 3 - The host must reply
Allow packets coming from port 21 on any external host. To prevent intruders from using this opening, restrict the access to connections "established" by outgoing clients, i.e. packets that belong to a TCP connection already opened from the inside (those carrying the ACK flag). A packet that tries to open a new connection from port 21 does not match this rule and is dropped.
set filter ftp.in 1 permit 0.0.0.0/0 192.77.203.0/24 tcp src eq 21 established
Step 4 - The host opens a data transfer channel
Once a file transfer has been set up on the control channel, the host initiates the data transfer connection from its port 20 to the client. However, we don't know beforehand which port on the client this connection will go to. To permit it in general, we would have to permit any external host connecting from port 20 to reach any port on any host on the internal network. Unfortunately, this also leaves the network open to an intruder who deliberately sends from port 20. Since most standard services that are vulnerable to attack listen on ports below 1024, we can block most of these attacks by only accepting such connections to ports above 1023.
set filter ftp.in 2 permit 0.0.0.0/0 192.77.203.0/24 tcp src eq 20 dst gt 1023
Note: Services listening on ports above 1023 are still reachable through this rule, so you should add rules that deny packets to any such services you want to protect. These deny rules must be placed before the permit rule given above, since the first matching rule decides. Also note that these rules cover active-mode FTP only, where the host opens the data connection; a passive-mode transfer, where the client opens the data connection to a host port above 1023, is not permitted by them.
Step 5 - The client must reply
The client must use the data transfer channel to send acknowledgment packets back to the FTP host.
set filter ftp.out 2 permit 192.77.203.0/24 0.0.0.0/0 tcp src gt 1023 dst eq 20 established
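The following Python model of the four filter rules above is an added example, not part of the original page or of the router's own software. It evaluates constructed sample packets for each step of an active-mode FTP session against the ftp.out and ftp.in lists, first match wins, and shows why the "established" keyword and the "dst gt 1023" test matter. Assumptions: "established" is modelled as "TCP ACK flag set"; the client address 192.77.203.10 and the server address 198.51.100.5 are made up; and one extra deny rule protecting X11 (tcp/6000), placed before the port-20 permit as the note recommends, is assumed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    ack: bool = False  # TCP ACK flag; clear on a packet that opens a new connection


@dataclass(frozen=True)
class Rule:
    action: str                                  # "permit" or "deny"
    src: str                                     # network in CIDR form; 0.0.0.0/0 means any
    dst: str
    proto: str
    src_port: Optional[Tuple[str, int]] = None   # e.g. ("eq", 21) or ("gt", 1023)
    dst_port: Optional[Tuple[str, int]] = None
    established: bool = False                    # match only packets with ACK set


def _port_ok(cond, port):
    if cond is None:
        return True
    op, value = cond
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]


def matches(rule, pkt):
    # "established" is modelled as "ACK bit set": a bare SYN never matches such a rule.
    return (pkt.proto == rule.proto
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and _port_ok(rule.src_port, pkt.sport)
            and _port_ok(rule.dst_port, pkt.dport)
            and (pkt.ack or not rule.established))


def evaluate(rules, pkt):
    """First matching rule decides; a packet matching no rule is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


INTERNAL = "192.77.203.0/24"
ANY = "0.0.0.0/0"

# The ftp.out and ftp.in lists from the page, in the order given.
FTP_OUT = [
    Rule("permit", INTERNAL, ANY, "tcp", dst_port=("eq", 21)),                       # step 2
    Rule("permit", INTERNAL, ANY, "tcp", src_port=("gt", 1023),
         dst_port=("eq", 20), established=True),                                     # step 5
]
FTP_IN = [
    Rule("permit", ANY, INTERNAL, "tcp", src_port=("eq", 21), established=True),     # step 3
    Rule("deny", ANY, INTERNAL, "tcp", dst_port=("eq", 6000)),                       # assumed extra rule: protect X11
    Rule("permit", ANY, INTERNAL, "tcp", src_port=("eq", 20), dst_port=("gt", 1023)),  # step 4
]

CLIENT = "192.77.203.10"  # constructed internal client
SERVER = "198.51.100.5"   # constructed external FTP host

# Constructed sample traffic: (filter list, packet)
SAMPLE_PACKETS = {
    "client opens control": ("out", Packet(CLIENT, SERVER, "tcp", 3000, 21)),
    "host replies from 21": ("in", Packet(SERVER, CLIENT, "tcp", 21, 3000, ack=True)),
    "intruder SYN from 21": ("in", Packet(SERVER, CLIENT, "tcp", 21, 3000)),        # no ACK: blocked
    "host opens data": ("in", Packet(SERVER, CLIENT, "tcp", 20, 3001)),
    "intruder 20 -> telnet": ("in", Packet(SERVER, CLIENT, "tcp", 20, 23)),         # below 1024: blocked
    "intruder 20 -> X11": ("in", Packet(SERVER, CLIENT, "tcp", 20, 6000)),          # blocked only by the extra deny
    "intruder 20 -> 8080": ("in", Packet(SERVER, CLIENT, "tcp", 20, 8080)),         # still gets through
    "client acks data": ("out", Packet(CLIENT, SERVER, "tcp", 3001, 20, ack=True)),
}


def evaluate_samples():
    lists = {"out": FTP_OUT, "in": FTP_IN}
    return {name: evaluate(lists[direction], pkt)
            for name, (direction, pkt) in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, action in evaluate_samples().items():
        print(f"{name:24s} {action}")
```

The "intruder 20 -> 8080" case is the residual exposure the note warns about: any internal service above port 1023 that is not covered by an explicit deny placed before the port-20 permit remains reachable from any outside host that sends from port 20.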