Re: active ftp through firewall
From: Barry Margolin (barmar_at_alum.mit.edu)
Date: 05/20/04
- Next message: zrhr: "Re: SSH key problem"
- Previous message: Jason LaRue: "Re: active ftp through firewall"
- In reply to: Jason LaRue: "Re: active ftp through firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 19 May 2004 21:42:59 -0400
In article <Xns94EED7DF264E5jason.R.larue@216.77.188.18>,
Jason LaRue <aqdqmqiqnq@iqnteluser.no-ip.info> wrote:
> dey_indrani@hotmail.com (Pamela) wrote in
> news:2f097839.0405191110.7c4d5b8c@posting.google.com:
>
> > I am trying to send PORT command to a ftp server from the firewall
> > machine. I am sending the public ip address to the ftp server. Looks
> > like port command is successful because I get status = 200 for it.
> > But after that the ftp server is unable to initiate data connection to that
> > port.
> >
> > I am able to do data connection using passive connection to this ftp
> > server but not able to make active connection.
>
> Here's what's going on:
>
> When you send the PORT command, the server tries to connect
> to your computer (as if you were running a server) on that
> PORT. However, your firewall is blocking the connection from
> the FTP server.
>
> FTP Server                                      Your system
>
> 21 Control <-----------Step 1---------------OUT to Server
>            <-------PORT xxxxx---------------OUT to Server
> 20 DATA------------------------------>Your system, port xxxx
>                                 ^^^^^^
>                 Incoming connection blocked by Firewall
>
> You must tell your firewall to allow the inbound connection.
> However, in their infinite wisdom, the creators of FTP made
> the active connection use a RANDOM port on your computer.
> Some FTP clients (such as filezilla) allow you to restrict
> the ports that it uses for the PORT command.
Firewalls are supposed to watch the traffic on the FTP command channel,
and notice when a PORT command goes through so that they can open up
that port for an inbound connection from the FTP server.
-- Barry Margolin, barmar@alum.mit.edu Arlington, MA *** PLEASE post questions in newsgroups, not directly to me ***
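The command-channel tracking described in the reply above, as an added sketch that is not part of the original thread: it parses the RFC 959 `PORT h1,h2,h3,h4,p1,p2` argument and opens a one-shot pinhole for the server's data connection. The class name, the documentation-range addresses, and the policy of refusing mismatched addresses and ports below 1024 are assumptions of this example.

```python
import re
from ipaddress import IPv4Address

# RFC 959 syntax: PORT h1,h2,h3,h4,p1,p2  (port = p1*256 + p2)
PORT_RE = re.compile(rb"^PORT\s+" + rb",".join([rb"(\d{1,3})"] * 6) + rb"\r?\n?$", re.I)

def parse_port(line: bytes):
    """Return (ip, port) from a PORT command line, or None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return IPv4Address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]

class FtpPinholeTracker:
    """Hypothetical firewall helper watching FTP control connections."""

    def __init__(self):
        self.pinholes = set()  # (server_ip, client_ip, client_port)

    def on_control_line(self, client_ip: str, server_ip: str, line: bytes) -> bool:
        """Inspect one client->server control line; open a pinhole on a valid PORT."""
        parsed = parse_port(line)
        if parsed is None:
            return False
        ip, port = parsed
        # Policy assumed here: the advertised address must be the client's own,
        # and privileged ports are refused, so a PORT command cannot be used
        # to open a path to some other host or service.
        if ip != IPv4Address(client_ip) or port < 1024:
            return False
        self.pinholes.add((server_ip, client_ip, port))
        return True

    def allow_inbound(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """Permit the server's data connection once, then close the pinhole."""
        key = (src_ip, dst_ip, dst_port)
        if key in self.pinholes:
            self.pinholes.remove(key)
            return True
        return False
```

A firewall doing NAT would additionally rewrite the address and port inside the PORT line before forwarding it, which this sketch leaves out.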