Re: Questions about passive FTP, firewalls and Routers


From: Ron Lowe (ron-msng_at_{d.e.l.e.t.e.}lowe-family.me.uk)
Date: 07/12/04


Date: Mon, 12 Jul 2004 11:47:27 +0100

Inline......

( You are in a maze of twisty passages, all alike... )

[ I hope I've not made any typos in this, it's quite dense with detail.
The references I point out will clarify if I've typo'd anything! ]

"Sergej Balon" <buzzuz@hotmail.com> wrote in message
news:cctl41$lvm$07$1@news.t-online.com...
> I have read some explanations about the differences of active vs. passive
> ftp, but there are still some open questions:
>
> 1.) If a connection from the ftp client to the ftp server is in active or
> in passive mode is a decision of the client - not of the server. Is this
> correct?

It's up to the client to request PASV mode.
If the server agrees, then PASV mode is set.
Otherwise, the client sets PORT ( active ) mode.

>
> 2.) Assume I type (as a client) at the command line:
>
> ftp ftp.foo.com
>
> How do I specify that I want to handle this (my ftp session) in passive
> mode rather than in active?

XP's command-line FTP does not support the PASV command.
Do a ? at the ftp> prompt for a list of commands.
You can get 3rd-party command-line FTP utils which support PASV mode.
Here's one I found earlier ( which is nice ):

ftp://ftp.gnu.org/old-gnu/emacs/windows/contrib/ftp-for-win32.zip

Do a ? at this one, and see there are many more commands.
PASV is the one you need.

The FTP function in IE has the option to use PASV mode for FTP.
Look in internet options.

All 3rd-party FTP clients have the option.

Before we get stuck into this, read these references...
http://slacksite.com/other/ftp.html
http://www.ncftpd.com/ncftpd/doc/misc/ftp_and_firewalls.html

> 3.) Assume there is a router and a firewall at server side.
> For active ftp I have to open
> - Port 21 for incoming TCP request in the firewall
> - Port 20 for outgoing TCP request in the firewall
> - Portforwarding NAT for Port 21 to the local IP (e.g. 192.168.0.34) in
>   the router configuration

Correct.
External: Any:Any -> Internal FTP_SERVER_IP:21 (to let in control connection)
Internal: FTP_SERVER_IP:20 -> External Any:Any (to let data connection out.)

> Which settings do I have to setup for passive ftp?
> As far as I know the client could initiate the data channel to a server
> port from a range e.g. 1500,...,1700
> Do I really have to setup NAT port forwarding for 200 ports ?

You are more or less correct.

In response to a PASV request, the server will provide an
IP address/port number for the client to connect to.
Some FTP servers may permit you to specify a range of ports to use.

You need to either:
  open up all the ephemeral ports that the FTP server is configured to use,
  or... perhaps the NAT device is clever enough to recognise the FTP session
  and make special provision dynamically. This is called a NAT editor.

It's not elegant.
Basically, PASV mode doesn't work well if the server is behind NAT.

Passive FTP is a workaround for a firewall / NAT at the client side.
Passive mode is difficult to handle with firewall /NAT at the server side.

Additionally, the FTP server will probably report the wrong IP address to
the client in response to the PASV request. It will give the internal IP
address, not the public IP address. This can be handled in a couple of ways.
Either the FTP server needs to deduce the external IP by itself somehow,
or you need to be able to specify it. Failing that, the NAT device needs to
do special NAT editing and change the IP address contained within the
response to the PASV command.

> 4.) Which port range is normally used for data channels ftp servers in
> passive mode?

Entirely depends on the FTP server.
Could be the entire ephemeral port range 1025 - 65535!
May be configurable on the server.

> 5.) Assume there is a firewall at the client side.
> For active ftp I (as a client) have to open
> - remote Port 21 for outgoing TCP requests
> - remote Port 20 for incoming TCP requests

Active mode means the server will generate an incoming connection
FROM its port 20 TO *any* random port number on the client,
whatever the FTP client said in the PORT command.

Internal: Any:Any -> External: Any:21 to permit the control connection out;
External: Any:20 -> Internal: Any:Any to permit the data connection in.

That's a massive hole to blow in a firewall!

As you see, active mode FTP doesn't work well behind a client firewall.
It requires a very large hole to permit the inbound FTP data connection.

> If I use passive ftp I have to open
> - all (!) remote Ports for outgoing requests because I do not know in
>   advance which remote port range the ftp servers offers me to communicate
>   for the data channel. Is this correct?

Internal: Any:Any -> External :Any:21 to permit the control connection out;
Internal: Any:Any -> External: Any:Any to permit the data connection out.

Permitting all outbound is less bad than permitting all inbound!

> 6.) If you look at all ftp connections worldwide. Which percentage is
> handled by active ftp and which percentage by passive ftp mode?

No idea.

In short:
Active mode: Difficult with NAT or firewall client side. OK for NAT / Firewall server-side.
PASV mode: OK for NAT / firewall client side. Difficult for NAT / Firewall server-side.

If NAT or firewalls at both sides, FTP may not be possible.
Will require special handling in the NAT or firewall at one side.
Something would have to give.
May never work, depends on smartness of NAT implementation.

-- 
Best Regards,
Ron Lowe
MS-MVP Windows Networking

