
More FTP issues

Status
Not open for further replies.

Grenage

MIS
Jun 7, 2002
4,378
GB
We are using a NAT firewall on our network at the office, I have a ruleset that basically blocks everything incoming and outgoing that hasn't been specified. Things that have been let through for example are General browsing, SMTP and POP3 etc. The only problem we have encountered with it so far is when trying to access FTP servers.

HP website (as an example): when we click on a link to a file hosted on their FTP server it just hangs there. If I wanted to download one of the files I would have to bring down the ruleset for a second, for the handshake/start of download. Obviously I don't want to do this again as it sort of defies the point of having one.

The 2 rules I have are as follows:

Pass any incoming to port 20/21 that's connecting to a port >1023
Pass any outgoing to port 20/21 that's connecting to port 20/21

Using IE as my browser it does use passive mode, although I have tried toggling between the two without success.

Any help would be appreciated, thanks.
 
To correct a typo:

Pass any incoming from port 20/21 that's connecting to a port >1023
Pass any outgoing from port 20/21 that's connecting to port 20/21

Thanks
 
Grenage,

Not sure of your firewall but as I read the rule, it is only slightly off.

In PASV mode, the client first makes the connection on port 21, issues the PASV command, and the server responds on the same port with an address and port number it will listen on. The client then attempts to open a connection on the port specified by the server.

Should the rule read
pass any outgoing from port 20/21 that's connecting to a port > 1023?

The Old Man
 
I see your logic. I have tried your suggestion and a few variations. With PASV, do both the server and the client use ports of 1024 and above?

If this is the case then wouldn't I have to enable any incoming and outgoing connection over any port >1023?

Wouldn't that create a big hole in the firewall ?

I don't have a very firm grasp on port usage as you might have guessed :) Thanks again.
 
No. PASV mode is actually pretty secure and some companies require their users to use PASV mode because of this. The real difference between PASV and Active mode is in who makes the connection.

In Active mode:
1. client establishes connection ---> FTP server
2. server responds <--- on same connection
3. server transfers <--- to client on port 20

This necessitates opening port 20 INBOUND

In PASV mode:
1. client establishes connection ---> FTP server
2. server responds <--- on same connection
3. client initiates transfer ---> from server on random port

This necessitates opening high number ports but only for OUTBOUND connections.

I'm by no means an expert on this and if I've got any of it wrong, anyone reading can correct me. This is my understanding of how it works.

Hope that helps.
The Old Man
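As an added illustration (not posted by anyone in the thread), the Python below parses the server's 227 PASV reply into the data port, then shows which way the data connection is opened in each mode and whether the two rules posted at the top would pass it. The client port, the server address and the "outbound from >1023 to >1023" rule are constructed assumptions drawn from the description above, not a rule any poster wrote out.

```python
import re
from dataclasses import dataclass

# Constructed sample reply in RFC 959 format "227 ... (h1,h2,h3,h4,p1,p2)",
# using a documentation address; not captured from any real server.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)"
CLIENT_PORT = 40123  # constructed ephemeral port on the client side (>1023)


def parse_pasv(reply: str) -> tuple[str, int]:
    """Extract (host, port) from a 227 reply; the port is p1*256 + p2."""
    m = re.fullmatch(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)\s*", reply)
    if m is None:
        raise ValueError("not a 227 PASV reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class Flow:
    """The TCP connection that opens the data channel, as the firewall sees it."""
    direction: str  # "in" = server connects to client, "out" = client connects to server
    src_port: int
    dst_port: int


def data_channel(mode: str, pasv_reply: str = "") -> Flow:
    if mode == "active":
        # Active: the server connects from port 20 to the client's advertised high port.
        return Flow("in", 20, CLIENT_PORT)
    # Passive: the client connects from its own high port to the port in the 227 reply.
    _, server_port = parse_pasv(pasv_reply)
    return Flow("out", CLIENT_PORT, server_port)


def original_rules(f: Flow) -> bool:
    """The two rules as posted: in from 20/21 to >1023; out from 20/21 to 20/21."""
    return ((f.direction == "in" and f.src_port in (20, 21) and f.dst_port > 1023)
            or (f.direction == "out" and f.src_port in (20, 21) and f.dst_port in (20, 21)))


def high_port_outbound_rule(f: Flow) -> bool:
    """Hypothetical rule implied by the PASV description: out from >1023 to >1023."""
    return f.direction == "out" and f.src_port > 1023 and f.dst_port > 1023


if __name__ == "__main__":
    for mode in ("active", "passive"):
        flow = data_channel(mode, SAMPLE_PASV_REPLY)
        print(mode, flow, "posted rules:", original_rules(flow),
              "high-port outbound:", high_port_outbound_rule(flow))
```

The passive data connection is the one the posted rules never match, which is why the browser hangs until the ruleset comes down.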
 
Thanks for the post, very helpful description. I will try and set up some new rules around that.
 