Re: Why do i need to use passive transfers?

From: Bargepole (jbhur@hotmail.com)
Date: 12/17/01


    From: "Bargepole" <jbhur@hotmail.com>
    Date: Mon, 17 Dec 2001 18:26:12 GMT
    
    

    When an FTP server operates in PORT mode ("normal"), it tries to establish a
    data connection from its TCP port 20 to a port specified by the FTP client
    in the PORT command, usually >1023. The FTP server in PORT mode does not try
    to connect to the client's TCP port 20; it connects from its own TCP port 20
    to a client's specified ephemeral port.

    The reason why PASV mode works so often behind a firewall is that the
    firewall is configured to allow any initiating outbound connections. An FTP
    client connecting to an FTP server in PASV mode establishes both the control
    and data connections, while a server operating in PORT mode needs to
    establish the data connection with the client. It's that attempt, from the
    server to client to open a data connection, that is often denied.

    "janus" <janus_REMOVE_@netcourrier.fr> wrote in message
    news:3c1e3456$0$24743$7a628cd7@news.club-internet.fr...
    > In normal mode, when you have to download a file, your own PC becomes a
    > server and is waiting for connection from the FTP server to your local 20
    > port. Thus most firewalls will forbid incoming connections on a "privileged"
    > port number (you are not running an FTP server). In PASV mode, it is your FTP
    > client that connects to the FTP server using any port other 1024 (outgoing),
    > so it can be allowed to pass through firewall.
    >
    > hope i was clear.... ;o)
    >
    > regards
    >
    > "Rickard Maltesson" <rickard@it.rmgroup.se> wrote in message news:
    > 9vk9t1$kqj$1@yggdrasil.utfors.se...
    > > Hi, I have a WatchGuard firewall and an FTP server. When I try to access the
    > > FTP server without passive transfers it will not connect. Does anyone know
    > > why I need to use passive transfers and what to do about it?
    > >
    > > Regards
    > > Rickard M
    > >
    > >
    >
    >
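
Added example (not part of the original thread): a Python sketch of the two modes Bargepole describes, parsing an RFC 959 PORT command and a 227 PASV reply and checking which resulting data connection a firewall that only permits connections initiated from inside would pass. The addresses, ports and function names are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 encodes a data endpoint as h1,h2,h3,h4,p1,p2 (port = p1*256 + p2).
_ENDPOINT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_endpoint(text):
    """Extract (ip, port) from a PORT argument or a 227 reply."""
    m = _ENDPOINT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple found")
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        raise ValueError("octet out of range")
    return ".".join(str(v) for v in n[:4]), n[4] * 256 + n[5]

def data_connection(control_line, client_ip, server_ip):
    """Describe the data connection that a control-channel line sets up."""
    line = control_line.strip()
    if line.upper().startswith("PORT "):
        # PORT mode: the server connects from its port 20 to the client's port.
        return {"mode": "PORT", "src": (server_ip, 20), "dst": parse_endpoint(line[5:])}
    if line.startswith("227"):
        # PASV mode: the client connects from an ephemeral port (None = not known here).
        return {"mode": "PASV", "src": (client_ip, None), "dst": parse_endpoint(line[3:])}
    return None

def outbound_only_firewall_allows(conn, inside_net):
    """Permit only connections whose initiator (src) is inside the firewall."""
    return ipaddress.ip_address(conn["src"][0]) in ipaddress.ip_network(inside_net)

# Constructed sample values: a client behind the firewall, a server outside it.
CLIENT, SERVER, INSIDE = "192.168.1.10", "203.0.113.5", "192.168.1.0/24"
ACTIVE = data_connection("PORT 192,168,1,10,19,137", CLIENT, SERVER)
PASSIVE = data_connection("227 Entering Passive Mode (203,0,113,5,195,80)", CLIENT, SERVER)

if __name__ == "__main__":
    for conn in (ACTIVE, PASSIVE):
        verdict = "allowed" if outbound_only_firewall_allows(conn, INSIDE) else "denied"
        print(conn["mode"], conn["src"], "->", conn["dst"], verdict)
```
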


