Re: FTP port usage control
From: Alun Jones (alun@texis.com)
Date: 10/04/02
- Next message: Phil Frisbie, Jr.: "Re: Question about UDP ports"
- Previous message: Alun Jones: "Re: Generation of certificate using openssl"
- In reply to: Theodore Hahn: "FTP port usage control"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: alun@texis.com (Alun Jones) Date: Fri, 04 Oct 2002 14:11:21 GMT
In article <4be701c26b66$8f1db440$2ae2c90a@phx.gbl>, "Theodore Hahn"
<starfish@hahnalei.net> wrote:
>I would like to restrict the variable ports used by FTP to
>one or a few specific ports above 1024. I cannot find
>where to lock down the variable data port usage as opposed
>to the control port. I only need to service one person
>accessing the FTP server at one time. I do not want to
>open up my firewall to a vast range of port
>possibilities.
Actually, if you don't open up a few ports, then you'll have trouble. Every
TCP socket that gets closed gracefully (and that's how FTP indicates the
successful end of a data transfer or file listing) remains in the "TIME_WAIT"
state for a period equal to 2*MSL (Maximum Segment Lifetime) - four minutes.
A compliant FTP client will use, as its local port, the same port number as
its control connection is bound to, and will then connect to the port (and
address) that is supplied in response to the PASV command. Obviously, if you
only allow one port through your firewall, then you will have to wait four
minutes after the end of the first transfer before you can safely initiate the
second transfer. If you allow only two ports, then you will have to wait
until four minutes after the end of the first transfer before you can start
the third transfer.
So, if your clients are using the PASV command correctly, you will have to
open up a relatively wide range of ports.
It may be better, if you're looking to avoid port hijacking, to set the range
allocated to ephemeral ports to be something other than the default. There is
a registry setting to do this. Other third party FTP servers, our own
included, are able to be configured to choose their own range of ports for
PASV responses, separate from the system's usual range of ephemeral ports.
Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place   | http://www.wftpd.com or email alun@texis.com
Cedar Park TX 78613-1419  | VISA/MC accepted. NT-based sites, be sure to
Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for XP/2000/NT.
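The TIME_WAIT arithmetic in the reply above, as an added model that is not part of the original post or of WFTPD: every finished data transfer parks its PASV port for 2*MSL (240 s), and a client that reuses the same local port can only land on a port whose TIME_WAIT has expired. Port numbers, request times and transfer durations are constructed for illustration.

```python
"""Model how many PASV ports a firewall must pass before transfers stop
stalling on TIME_WAIT. Constructed example, not code from the post.

Assumption (as the post argues): the same client always uses the same
local port, so a finished (client port, server PASV port) pair is unusable
until 2*MSL after the transfer ends.
"""
from dataclasses import dataclass, field

TWO_MSL_SECONDS = 2 * 120  # 2 * Maximum Segment Lifetime = four minutes


@dataclass
class PasvPortPool:
    ports: tuple                                    # PASV ports the firewall permits
    busy_until: dict = field(default_factory=dict)  # port -> time its TIME_WAIT expires

    def earliest_start(self, requested_at: float) -> tuple[int, float]:
        """Pick the port that frees up soonest and the earliest time a
        transfer requested at `requested_at` can start on it."""
        port = min(self.ports, key=lambda p: self.busy_until.get(p, 0.0))
        start = max(requested_at, self.busy_until.get(port, 0.0))
        return port, start

    def transfer(self, requested_at: float, duration: float) -> tuple[int, float, float]:
        """Run one data transfer; the port then sits in TIME_WAIT for 2*MSL."""
        port, start = self.earliest_start(requested_at)
        end = start + duration
        self.busy_until[port] = end + TWO_MSL_SECONDS
        return port, start, end


def schedule(allowed_ports, transfers):
    """transfers: list of (requested_at, duration) in seconds.
    Returns one (port, actual_start, end) tuple per transfer, in order."""
    pool = PasvPortPool(tuple(allowed_ports))
    return [pool.transfer(t, d) for t, d in transfers]


def stall_seconds(allowed_ports, transfers) -> list:
    """How long each transfer waited beyond its request time because
    every permitted port was still in TIME_WAIT."""
    return [start - t for (t, _), (_, start, _) in zip(transfers, schedule(allowed_ports, transfers))]


if __name__ == "__main__":
    # Constructed workload: three 10-second transfers requested 10 s apart.
    work = [(0, 10), (10, 10), (20, 10)]
    for n in (1, 2, 3):
        print(f"{n} port(s) open -> stalls: {stall_seconds(range(2001, 2001 + n), work)}")
```

With one port the second transfer waits 240 s after the first ends; with two ports it is the third transfer that waits; only with three ports does this workload run back to back.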