[Sheflug] Passive FTP
Since there have been several inaccurate postings on this list about
how ftp (especially passive) ftp works, I thought I'd clear up the
confusion.
In ftp, there are 2 connections - a control connection, which lasts
the entire session, and a data connection - a new one of which is created
with each data transfer (be it getting a file or listing a directory
or whatever).
In the following discussion, R1,2,3 etc represent random port numbers
usually >= 1024; C is the client, and S is the server.
A command connection is initiated by the client:
C:R1 -> S:21
Then if the client is in active mode, a data connection is initiated by:
client picks random port number R2; tells the server what that number is
using the 'PORT C:R2' command, then the *server* initiates the data
connection:
S:20 -> C:R2
In passive mode, the client sends the server a 'PASV' command; the server
listens on a random port R2, responds with a port number R2, then the *client*
establishes the connection:
C:R3 -> S:R2
'Old style' command-line ftp programs tend to default to, or only support,
active mode. Newer GUI-based stuff, eg Netscape, tend to use passive
by default.
Active mode is a nightmare for firewall administrators who have to support clients:
to make active ftp work, your firewall has to either:
* allow connections from any remote machine to *any* port >= 1024 on any
local machine.
* or be clever enough to do layer 7 filtering - ie analyse the contents of
ftp command packets, extract out 'PORT' commands, and temporarily open
windows in the firewall.
Similarly, passive is a nightmare for firewall administrators to support
servers; they have to allow incoming connections from any port to any
port >= 1024 on the server, or have a clever layer-7 filter.
Here endeth the lesson.
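As an added illustration (not part of the original post), here is the decoding a layer-7 ftp filter has to do: the 'PORT' command and the 227 'PASV' reply both carry the address as six decimal bytes h1,h2,h3,h4,p1,p2 with port = p1*256 + p2 (RFC 959), and the filter only opens a window if the advertised host is the same peer as the control connection and the port is >= 1024. The sample lines and addresses are constructed.

```python
import re

# The control channel carries the data-connection endpoint in two places:
#   client -> server : PORT h1,h2,h3,h4,p1,p2                         (active)
#   server -> client : 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)   (passive)
# The port is sent as two bytes, high then low: port = p1*256 + p2.
_SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode(fields):
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in %s" % (fields,))
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def parse_port_command(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' sent by the client -> (host, port)."""
    m = re.match(r"PORT\s+" + _SIX.pattern + r"\s*$", line.strip(), re.I)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return _decode(m.groups())


def parse_pasv_reply(line):
    """Decode the server's 227 reply to PASV -> (host, port)."""
    line = line.strip()
    if not line.startswith("227"):
        raise ValueError("not a 227 reply: %r" % line)
    m = _SIX.search(line)
    if not m:
        raise ValueError("no address tuple in 227 reply: %r" % line)
    return _decode(m.groups())


def data_endpoint_ok(endpoint, control_peer):
    """Layer-7 filter rule: open a window for the data connection only if the
    advertised host is the peer that owns the control connection and the port
    is an unprivileged one (>= 1024), as described in the post."""
    host, port = endpoint
    return host == control_peer and port >= 1024


# Constructed sample lines for the two modes (addresses are documentation ranges).
SAMPLE_PORT = "PORT 192,0,2,10,4,1"                               # C:R2 = 1025
SAMPLE_PASV = "227 Entering Passive Mode (198,51,100,7,195,81)."  # S:R2 = 50001
```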
* Dave Mitchell, Operations Manager,
* Fretwell-Downing Facilities Ltd, UK.  Dave.Mitchell [at] fdgroup.com
* Tel: +44 114 281 6113.                The usual disclaimers....
*
* Standards (n). Battle insignia or tribal totems
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk