Re: Questions about passive FTP, firewalls and Routers
From: Don Kelloway (dkelloway_at_commodon.com)
Date: Mon, 12 Jul 2004 17:16:23 GMT
"Sergej Balon" <firstname.lastname@example.org> wrote in message
> I have read some explanations about the differences of active vs.
passive ftp, but there are still some
> open questions:
> 1.) If a connection from the ftp client to the ftp server is in active
or in passive mode is
> a decision of the client - not of the server. Is this correct?
> 2.) Assume I type (as a client) at the command line:
> ftp ftp.foo.com
> How do I specify that I want to handle this (my ftp session) in
passive mode rather than in active?
> 3.) Assume there is a router and a firewall at server side.
> For active ftp I have to open
> - Port 21 for incoming TCP request in the firewall
> - Port 20 for outgoing TCP request in the firewall
> - Portforwarding NAT for Port 21 to the local IP (e.g. 192.168.0.34)
in the router configuration
> Which settings do I have to setup for passive ftp?
> As far as I know the client could initiiate the data channel to a
server port from a range e.g. 1500,...,1700
> Do I really have to setup NAT port forwarding for 200 ports ?
> 4.) Which port range is normally used for data channels ftp servers in
> 5.) Assume there is a firewall at the client side.
> For active ftp I (as a client) have to open
> - remote Port 21 for outgoing TCP requests
> - remote Port 20 for incoming TCP requests
> If I use passive ftp I have to open
> - all (!) remote Ports for outgoing requests because I do not know in
advance which remote port range
> the ftp servers offers me to communicate for the data channel. Is this
> 6.) If you look at all ftp connections worldwide. Which percentage is
handled by active ftp
> and which percentage by passive ftp mode?
> Thanky you for your help
1. Yes. Implementing Normal (Active) or Passive FTP is the result of the
client issuing either the PORT or PASV command respectively. When using
FTP via DOS it will always be Normal. Early versions of IE also
implemented FTP Normal, but I believe it wasn't until IE5 that FTP was
then implemented as Passive.
2. After the client establishes the Control channel to the FTP server
(to TCP port 21). The client will then either issue the PORT or PASV
command depending upon the client's configuration. If it's the PORT
command, the purpose is to inform the FTP server to create/establish the
Data channel to the client. If it's the PASV command, the purpose is to
ask the FTP server to what IP and port the client should connect to in
order to establish the Data channel.
3. The ports associated with the Data channel in PASV FTP are often
between 1024-5000. However that isn't always the case. If you want to
allow PASV FTP to the FTP server, you'll have to allow these ports
inbound, but only as the result of an already established FTP Control
channel and to/from the same IP involved. Fortunately many firewalls
are FTP aware and know what needs to be done to allow either method
safely through. Are you sure that you're not trying to do something
4. See #3
5. See #3
6. Unknown, but I would guesstimate that because a majority of people
use IE as their method of browsing and acquiring files that it's going
to be PASV FTP.
Lastly here's a couple of links to articles on the subject. One of
which I contributed several years ago on the subject.
-- Best regards, from Don Kelloway of Commodon Communications Visit http://www.commodon.com to learn about the "Threats to Your Security on the Internet".