我需要有关如何设置防火墙规则以允许有状态FTP(活动FTP)的建议. [英] I need advice on how to go about setting firewall rules to allow stateful FTP(Active FTP).
问题描述
我目前正在参与创建基于Microsoft WFP的防火墙应用程序.它在Windows防火墙关闭的情况下运行.这种简单防火墙的主要功能是阻止异常情况下的未经请求的IP流量(允许某些服务器未经请求而被拒绝) 连接到客户端).我在ALE AUTH CONNECT和ALE AUTH ACCEPT层中插入了规则,以启用有状态筛选,该状态筛选允许来自已建立连接的流量.我有时在IP_PACKET_INBOUND和IP_PACKET_OUTBOUND层中插入了规则 这会覆盖所有传入和传出流量(例外情况).无论如何,该应用程序都在测试中,我们发现防火墙不允许活动FTP的数据连接成功.我不确定哪种最好的方法 这个问题.换个说法,你们中有人认为写一个标注驱动程序(我们正在努力避免开发工作)是值得的吗?或者WFP提供的静态过滤器就足够了吗?您的明智建议将不胜感激.
I am currently involved in creating a Microsoft WFP based firewall application. It runs with Windows Firewall turned off. The primary function of this simple firewall is to block unsolicited IP traffic with exceptions(some servers are allowed unsolicited connects to the client). I have rules inserted in the ALE AUTH CONNECT AND ALE AUTH ACCEPT layers to enable stateful filtering that allows traffic from established connections. I have rules in the IP_PACKET_INBOUND and IP_PACKET_OUTBOUND layers inserted sometimes that does a blanket block of all incoming and outgoing traffic with exceptions. Any way, the application is in testing and we found out the firewall does not allow the data connection of an active FTP to succeed. I am not sure what the best way of approaching this problem. To be rephrased, do any of you think this warrants writing a callout driver(a development effort we are trying to avoid) or do the WFP provided static filters suffice? Your sagely advice will be well appreciated.
谢谢
Sujay
推荐答案
我目前正在参与创建基于Microsoft WFP的防火墙应用程序.它在Windows防火墙关闭的情况下运行.这种简单防火墙的主要功能是阻止异常情况下的未经请求的IP流量(允许某些服务器未经请求而被拒绝) 连接到客户端).我在ALE AUTH CONNECT和ALE AUTH ACCEPT层中插入了规则,以启用有状态筛选,该状态筛选允许来自已建立连接的流量.我有时在IP_PACKET_INBOUND和IP_PACKET_OUTBOUND层中插入了规则 这会覆盖所有传入和传出流量(例外情况).无论如何,该应用程序都在测试中,我们发现防火墙不允许活动FTP的数据连接成功.我不确定哪种最好的方法 这个问题.换个说法,你们中有人认为写一个标注驱动程序(我们正在努力避免开发工作)是值得的吗?或者WFP提供的静态过滤器就足够了吗?您的明智建议将不胜感激.
I am currently involved in creating a Microsoft WFP based firewall application. It runs with Windows Firewall turned off. The primary function of this simple firewall is to block unsolicited IP traffic with exceptions(some servers are allowed unsolicited connects to the client). I have rules inserted in the ALE AUTH CONNECT AND ALE AUTH ACCEPT layers to enable stateful filtering that allows traffic from established connections. I have rules in the IP_PACKET_INBOUND and IP_PACKET_OUTBOUND layers inserted sometimes that does a blanket block of all incoming and outgoing traffic with exceptions. Any way, the application is in testing and we found out the firewall does not allow the data connection of an active FTP to succeed. I am not sure what the best way of approaching this problem. To be rephrased, do any of you think this warrants writing a callout driver(a development effort we are trying to avoid) or do the WFP provided static filters suffice? Your sagely advice will be well appreciated.
谢谢
Sujay
一种方法是允许%windir%\ system32 \ ftp.exe完全通过防火墙访问.
One way to do this would be to allow the %windir%\system32\ftp.exe full access through the firewall.
这篇关于我需要有关如何设置防火墙规则以允许有状态FTP(活动FTP)的建议.的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
