Re: Why does passive FTP work behind router/firewall?
From: Daniel Crichton (news_at_worldofspack.co.uk)
Date: 02/20/04
- Next message: Larry: "Re: Why choose Kerio instead of ZA?"
- Previous message: Duane Arnold: "Re: Why choose Kerio instead of ZA?"
- In reply to: Georges Heinesch: "Why does passive FTP work behind router/firewall?"
- Next in thread: Georges Heinesch: "Re: Why does passive FTP work behind router/firewall?"
- Reply: Georges Heinesch: "Re: Why does passive FTP work behind router/firewall?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 20 Feb 2004 10:03:24 -0000
Georges Heinesch <void@void.com> wrote:
> passive mode: here comes the interesting part. To make passive mode
> possible, the FTP server (1.) must know the global IP of the router
> and (2.) must have a defined port pool (must be set in the
> configuration of the FTP server). On top of this, the router has to
> be configured to forward this defined port pool to the computer where
> the FTP server is running.
>
> In my case, neither the router, nor the FTP server is configured in any
> respect. Hence, passive mode should _not_ work. However it does.
I've read all the replies here, and not spotted a clear reply to you.
In passive FTP the client sends the PASV command, and the server will
respond with its own IP and a port number that it is listening on for an
incoming connection from the client IP. This tells the client which port to
then connect to for transferring data. Some (or is it many?)
routers/firewalls will intercept the return data and pull out the port
number and IP, forward a port to map to that internal IP and port, and
rewrite the outgoing response with the public IP of the router and the port
it has opened for forwarding. That's why the passive connection works
without having to define a port range and forward that to your FTP server in
this case. My own cheap DSL router does exactly this, as do most of the
routers and firewalls used by my friends and the company I work for.
As the data defining the port to open is coming from the server inside your
router, and the FTP server should only allocate a port that is not already
in use by another service, this is pretty safe. There is always a risk
allowing an incoming connection, but as you are running FTP you've already
allowed the initial port 21 (and port 20) connection. For someone to be able
to get your router to open a port for another service (e.g. 445), it would
require them to be able to cause the FTP server to send back that port
number in its PASV response - at this point your FTP server software has
been compromised, so either the software has a vulnerability or the hacker
has already found a way into your server.
The automatic opening of ports for PASV will only work for "normal" FTP - it
won't for instance work in cases where the packets between the server and
client are encrypted (FTP with SSL for instance), as the router will not be
able to look at the data in the packets to pick up the port the FTP server
is going to listen on.
Dan
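The rewriting Dan describes, as an added illustration (not code from the
original post or from any router vendor): a toy FTP ALG that parses the
server's 227 reply, allocates a public port, records the mapping, and
rewrites the reply with the router's public IP. The public IP, internal IP
and port numbers below are constructed sample values; the check that the
advertised IP matches the host that sent the reply is an assumption about
a sensible ALG, not something the post states routers do.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" - port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class PasvReply:
    ip: str
    port: int


def parse_pasv(line: str) -> Optional[PasvReply]:
    """Return the IP/port advertised in a 227 reply, or None if the line is
    not a well-formed PASV reply (which is also what an encrypted control
    channel looks like to the router: opaque bytes it cannot parse)."""
    m = PASV_RE.match(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return PasvReply(".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5])


def format_pasv(ip: str, port: int) -> str:
    """Build a 227 reply for the given IP and port."""
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        ",".join(ip.split(".")), port >> 8, port & 0xFF)


class FtpAlg:
    """Hypothetical toy ALG: the router-side behaviour from the post."""

    def __init__(self, public_ip: str, next_port: int = 60000) -> None:
        self.public_ip = public_ip
        self.next_port = next_port              # next public port to hand out
        self.mappings: Dict[int, Tuple[str, int]] = {}  # public port -> (int ip, int port)

    def rewrite(self, control_src_ip: str, line: str) -> str:
        """Rewrite a server->client control line; non-PASV lines pass through."""
        reply = parse_pasv(line)
        if reply is None:
            return line
        # Only map ports on the internal host that actually sent the reply.
        if reply.ip != control_src_ip:
            return line
        public_port = self.next_port
        self.next_port += 1
        self.mappings[public_port] = (reply.ip, reply.port)
        return format_pasv(self.public_ip, public_port)
```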