Re: active ftp through firewall
From: Barry Margolin (barmar_at_alum.mit.edu)
Date: Wed, 19 May 2004 21:42:59 -0400
In article <Xns94EED7DF264E5jason.R.firstname.lastname@example.org>,
Jason LaRue <email@example.com> wrote:
> firstname.lastname@example.org (Pamela) wrote in
> > I am trying to send PORT command to a ftp server from the firewall
> > machine. I am sending the public ip address to the ftp server. Looks
> > like port command is successful because I get status = 200 for it.
> > But after that ftp server is unable to initiate data connection to that
> > port.
> > I am able to do data connection using passive connection to this ftp
> > server but not able to make active connection.
> Here's what's going on:
> When you send the PORT command, the server tries to connect
> to your computer (as if you were running a server) on that
> PORT. However, your firewall is blocking the connection from
> the FTP server.
> FTP Server Your system
> 21 Control <-----------Step 1---------------OUT to Server
> <-------PORT xxxxx---------------OUT to Server
> 20 DATA------------------------------>Your system, port xxxx
> Incoming connection blocked by Firewall
> You must tell your firewall to allow the inbound connection.
> However, in their infinite wisdom, the creators of FTP made
> the active connection use a RANDOM port on your computer.
> Some FTP clients (such as filezilla) allow you to restrict
> the ports that it uses for the PORT command.
Firewalls are supposed to watch the traffic on the FTP command channel,
and notice when a PORT command goes through so that they can open up
that port for an inbound connection from the FTP server.
-- Barry Margolin, email@example.com Arlington, MA *** PLEASE post questions in newsgroups, not directly to me ***
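A sketch of the check Barry describes, as an added example that is not from this thread or from any firewall product: a firewall watching the control channel parses the PORT command and opens a pinhole for the server's connection back only when the address in the command matches the client it already sees on the control connection and the port is unprivileged. The addresses are constructed sample values; the function names are assumptions.

```python
import re

# Matches "PORT h1,h2,h3,h4,p1,p2" as sent on the FTP control channel (RFC 959).
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port_command(line: str):
    """Return (ip, port) from a PORT command line, or None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]  # p1,p2 encode the 16-bit port big-endian
    if port == 0:
        return None
    return ip, port


def pinhole_for_port(line: str, control_client_ip: str, control_server_ip: str):
    """Decide which inbound flow a control-channel-aware firewall should allow.

    Returns a dict describing the pinhole (server port 20 -> client data port),
    or None if this PORT command should open nothing: malformed, the address
    does not match the control-connection peer, or the port is privileged.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return None
    ip, port = parsed
    # Only open a hole back to the host that issued the command. A PORT naming
    # any other address (a private address leaked through NAT, or a third
    # party) is refused rather than trusted.
    if ip != control_client_ip:
        return None
    # Active-mode data ports are unprivileged; anything below 1024 is refused.
    if port < 1024:
        return None
    return {"src_ip": control_server_ip, "src_port": 20,
            "dst_ip": control_client_ip, "dst_port": port}
```

The mismatch branch is exactly the case where a client behind NAT advertises an address the firewall does not see on the control connection, so no pinhole is opened and the server's data connection is dropped.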