Date: Mon, 9 Jul 2001 04:36:46 -0700 (PDT)
From: "tjk@tksoft.com" <tjk@tksoft.com>
To: ahl@austclear.com.au (Tony Landells)
Cc: tjk@tksoft.com (tjk@tksoft.com), ascheepe@surf.iae.nl (Axel Scheepers), freebsd-security@FreeBSD.ORG
Subject: Re: Firewall and ftp service
Message-ID: <200107091136.EAA25037@smtp3.tksoft.com>
In-Reply-To: <no.id> from "Tony Landells" at Jul 09, 2001 09:28:28 AM
Tony,

You are right. The server connects to a port opened by the client, and
uses port 20 for its local port. Can't believe I was confused like that.
Goes to tell, I guess, how easy it is to screw up. Thanks for the
correction.

So, the firewall rule should allow any connection from port 20 on the
external network, to any port > 1024 on any potential ftp client on the
internal network.

Troy

> Troy,
>
> I'm sorry, but your description of normal (active) mode FTP is incorrect.
>
> tjk@tksoft.com said:
> > I wanted to point out that port 20 is for ftp data and port 21 is for
> > ftp commands.
>
> > When an ftp connection is made, the client connects to the server at
> > port 21. All communications occur on that channel.
>
> So far, so good.
>
> > When the server needs to send data to the client, it opens a
> > connection to port 20 on the client. When it makes the connection, it
> > allocates a local port > 1024 for its local port.
>
> No.
>
> When the client requests data from the server, the CLIENT allocates
> a random port number and tells the SERVER what it is, and then the
> SERVER opens a connection FROM port 20 to that random port on the
> client.
>
> > When a client requests passive ftp, the server opens a random port
> > > 1024 for listening. The client then opens a connection to that port.
>
> And then we're back on track again.
>
> > With both passive and regular ftp data connections, the server has a
> > local port > 1024 open. The distinction is that with passive ftp the
> > server does a "listen()," opening a port for incoming connections.
> > With regular ftp, the server does a "connect()" and the client must
> > open port 20 with "listen()."
>
> And obviously the summary is off-track because the information it's
> derived from is slightly wrong.
>
> Anyone doing this stuff would do well to look at the O'Reilly book
> "Building Internet Firewalls" by Chapman and Zwicky which describes
> the packet filtering characteristics of all the major protocols.
>
> As far as Axel's problem goes, I'm not sure what natd does with FTP
> connections (I usually give public servers a public address) but
> the server certainly passes its address back to the client for
> passive mode connections along with the port number the client
> needs to connect to (in normal or active mode the client sends its
> address and port number to the server).
>
> Some FTP clients will tell you what the ports are, which you can compare
> with logs on your firewall (assuming you're logging FTP connections).
> If the connection is actually timing out, you can also look at netstat
> on the various boxes to see what ports are being used.
>
> Otherwise, I'd suggest running natd in "verbose" mode to actually watch
> the translations--it may be altering some port numbers as well, which will
> throw things off.
>
> I hope there's some help in there somewhere...
>
> Tony
> --
> Tony Landells <ahl@austclear.com.au>
> Senior Network Engineer                  Ph: +61 3 9677 9319
> Australian Clearing Services Pty Ltd     Fax: +61 3 9677 9355
> Level 4, Rialto North Tower
> 525 Collins Street
> Melbourne VIC 3000
> Australia
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200107091136.EAA25037>