
FTP Port set up


Hondy

Technical User
Mar 3, 2003
I've been reading up on FTP ports and I get it, but also I don't... Here's how I understand it...

Active
Client:randomport > Server:21
Server:20 > Client:randomport
* This means that a firewall has to be ready to allow all dynamic ports to be open, because it never knows which one from 1024-65535 it might be.

So you configure it to do passive...
Client:randomport > Server:21
Server responds by saying "client, i'm going to use a port but it is in this range 6000-6010, i'm going to use 6001 for data"
Client:randomport2 > Server:6001
* This means you only need to open 11 ports instead of 60,000.

Ok I get this, BUT....

When I use an FTP site that is behind a firewall, how the heck does it work when I'm also behind a firewall that only allows outbound on specific ports?

So I'm allowing port 21 out; the server connects and says "I'll connect to your port from port 20." My firewall will block that. Or if it has a PASV dynamic port range, a similar situation is there: I connect on port 21, the server says "come back, but connect on 6001." This means I must allow 6001 outbound (which also isn't the case).

So try to connect to a well-known FTP site and use netstat -an to see what ports have an established connection; it will be 21 only, at a rough guess. So what's all this "ftp-data port" and PASV range setting, and why won't it work without it on mine???

Anyone care to explain? I thought FTP just used port 21 but apparently not... but why does it work?


 
This site has a pretty good explanation: http://slacksite.com/other/ftp.html

Notice the direction of traffic when the data portion of the conversation is established. In an active FTP the conversation is started by the server and goes to some port on the client (not the same as the command port). Here is where the problem lies. The firewall won't know what to do with the packet when it receives it. An application-layer firewall can listen to the conversation between the client and the server and open an inbound translation on the fly when the client states what port it will be listening on when the data starts being delivered.

On the passive FTP, port 21 is never used. The client and server agree on a high-numbered data port to use, then the client starts the conversation on that port. Most firewalls have an easy time dealing with this since they do not have to understand an FTP application's conversation. The problem is that most firewall administrators don't really want to allow users to freely access all ports above 1024. Once again, an application-level firewall can mitigate this.

All mainstream, commercial firewalls will provide the application level features necessary to make these connections possible.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
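The exchange described in both posts above, as an added example that is not part of this thread or of any FTP implementation: a Python mock of the control-channel negotiation. It encodes and decodes the PASV reply ("227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)") and the PORT command, checks whether a client-side egress policy that only permits certain destination ports would let the passive data connection out (the situation the question describes), shows what an FTP-aware firewall learns from a single control-channel line, and then runs a stub client and server over loopback in both modes so the direction of the data connection is visible. The hosts, ports, banner text and payload are constructed; loopback port 0 stands in for port 21 and for the server's PASV range.

```python
"""Mock of the FTP data-channel negotiation (PASV vs PORT) over loopback.

Constructed example for illustration, not code from the Tek-Tips thread.
The server stub only models data-channel setup; hosts, ports and the
payload are made up.
"""
import re
import socket
import threading
from typing import List, Optional, Tuple

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def _decode(groups) -> Tuple[str, int]:
    # h1..h4 are the IPv4 address; the port is p1*256 + p2 (RFC 959 encoding).
    h1, h2, h3, h4, p1, p2 = map(int, groups)
    if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Server -> client reply in passive mode: where the client must connect."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError(f"not a 227 reply: {reply!r}")
    return _decode(m.groups())


def parse_port(cmd: str) -> Tuple[str, int]:
    """Client -> server command in active mode: where the server must connect back."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError(f"not a PORT command: {cmd!r}")
    return _decode(m.groups())


def build_port(host: str, port: int) -> str:
    """Encode the client's listening socket as a PORT command line."""
    if not 0 < port < 65536:
        raise ValueError("bad port")
    return f"PORT {host.replace('.', ',')},{port >> 8},{port & 0xFF}\r\n"


def egress_allowed(port: int, allowed: List[Tuple[int, int]]) -> bool:
    """Would a client-side firewall permitting only these outbound destination
    port ranges let the passive-mode data connection out?"""
    return any(lo <= port <= hi for lo, hi in allowed)


def alg_pinhole(control_line: str) -> Optional[Tuple[str, str, int]]:
    """What an FTP-aware firewall learns from one control-channel line: the
    pinhole it would open, as (direction, host, port), or None."""
    if control_line.startswith("PORT "):
        return ("inbound",) + parse_port(control_line)   # server will connect in
    if control_line.startswith("227 "):
        return ("outbound",) + parse_pasv(control_line)  # client will connect out
    return None


def run_mock_session(mode: str) -> bytes:
    """Loopback stand-in for one transfer; returns the bytes the client received.
    mode="passive": client sends PASV, reads 227, opens the data connection.
    mode="active":  client listens, sends PORT, server connects back to it."""
    payload = b"hello from ftp-data\r\n"  # constructed file contents
    ctrl_srv = socket.socket()
    ctrl_srv.bind(("127.0.0.1", 0))       # port 0 stands in for port 21
    ctrl_srv.listen(1)
    ctrl_port = ctrl_srv.getsockname()[1]

    def server():
        conn, _ = ctrl_srv.accept()
        ctrl_srv.close()
        with conn:
            conn.sendall(b"220 mock ftp ready\r\n")
            line = conn.recv(256).decode()
            if line.startswith("PASV"):
                lst = socket.socket()
                lst.bind(("127.0.0.1", 0))  # a real server picks from its PASV range
                lst.listen(1)
                p = lst.getsockname()[1]
                conn.sendall(f"227 Entering Passive Mode (127,0,0,1,{p >> 8},{p & 0xFF})\r\n".encode())
                data, _ = lst.accept()       # client comes to us
                lst.close()
            else:
                conn.sendall(b"200 PORT command successful\r\n")
                data = socket.create_connection(parse_port(line))  # we go to the client
            with data:
                data.sendall(payload)
            conn.sendall(b"226 Transfer complete\r\n")

    threading.Thread(target=server, daemon=True).start()
    ctrl = socket.create_connection(("127.0.0.1", ctrl_port))
    ctrl.settimeout(5)
    with ctrl:
        ctrl.recv(256)  # 220 banner
        if mode == "passive":
            ctrl.sendall(b"PASV\r\n")
            data = socket.create_connection(parse_pasv(ctrl.recv(256).decode()))
        else:
            lst = socket.socket()
            lst.bind(("127.0.0.1", 0))
            lst.listen(1)
            ctrl.sendall(build_port("127.0.0.1", lst.getsockname()[1]).encode())
            ctrl.recv(256)  # 200 (the 226 may already be appended to it)
            data, _ = lst.accept()
            lst.close()
        chunks = []
        with data:
            while True:
                chunk = data.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        ctrl.recv(256)  # 226, or b"" once the server has closed
    return b"".join(chunks)
```

In the passive branch the only outbound connection the client firewall sees is to the port named in the 227 reply, which is why a policy of "21 out only" fails exactly as the question observes; in the active branch the data connection arrives inbound, which is what the reply's application-layer pinhole is for.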
 
