Date:      Mon, 09 Jul 2001 09:28:28 +1000
From:      Tony Landells <ahl@austclear.com.au>
To:        "tjk@tksoft.com" <tjk@tksoft.com>
Cc:        ascheepe@surf.iae.nl (Axel Scheepers), freebsd-security@FreeBSD.ORG
Subject:   Re: Firewall and ftp service 
Message-ID:  <200107082328.JAA27170@tungsten.austclear.com.au>
In-Reply-To: Message from "tjk@tksoft.com" <tjk@tksoft.com>  of "Sun, 08 Jul 2001 03:01:54 MST." <200107081001.DAA07513@smtp3.tksoft.com> 

Troy,

I'm sorry, but your description of normal (active) mode FTP is incorrect.

tjk@tksoft.com said:
> I wanted to point out that port 20 is for ftp data and port 21 is for
> ftp commands.

> When an ftp connection is made, the client connects to the server at
> port 21. All communications occur on that channel.

So far, so good.

> When the server needs to send data to the client, it opens a
> connection to port 20 on the client. When it makes the connection, it
> allocates a local port > 1024 for its local port.

No.

When the client requests data from the server, the CLIENT allocates
a random port number and tells the SERVER what it is, and then the
SERVER opens a connection FROM port 20 to that random port on the
client.

> When a client requests passive ftp, the server opens a random port >
> 1024 for listening.  The client then opens a connection to that port.

And then we're back on track again.

> With both passive and regular ftp data connections, the server has a
> local port > 1024 open. The distinction is that with passive ftp the
> server does a "listen()," opening a port for incoming connections.
> With regular ftp, the server does a "connect()" and the client must
> open port 20 with "listen()." 

And obviously the summary is off-track because the information it's
derived from is slightly wrong.

Anyone doing this stuff would do well to look at the O'Reilly book
"Building Internet Firewalls" by Chapman and Zwicky which describes
the packet filtering characteristics of all the major protocols.

As far as Axel's problem goes, I'm not sure what natd does with FTP
connections (I usually give public servers a public address) but
the server certainly passes its address back to the client for
passive mode connections along with the port number the client
needs to connect to (in normal or active mode the client sends its
address and port number to the server).

Some FTP clients will tell you what the ports are, which you can compare
with logs on your firewall (assuming you're logging FTP connections).
If the connection is actually timing out, you can also look at netstat
on the various boxes to see what ports are being used.

Otherwise, I'd suggest running natd in "verbose" mode to actually watch
the translations--it may be altering some port numbers as well, which will
throw things off.

I hope there's some help in there somewhere...

Tony
-- 
Tony Landells					<ahl@austclear.com.au>
Senior Network Engineer				Ph:  +61 3 9677 9319
Australian Clearing Services Pty Ltd		Fax: +61 3 9677 9355
Level 4, Rialto North Tower
525 Collins Street
Melbourne VIC 3000
Australia
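Tony's correction above, as an added example that is not part of the original thread: this decodes the h1,h2,h3,h4,p1,p2 tuple carried by a client PORT command or a server 227 reply and reports which side opens the data connection to which, flagging an advertised address that differs from the control-channel peer (the symptom to look for when natd is not rewriting FTP). All addresses and ports in the sample are constructed.

```python
import re
from dataclasses import dataclass


@dataclass
class DataConnection:
    mode: str               # "active" or "passive"
    src: str                # side that calls connect(), as host:port
    dst: str                # side that called listen(), as host:port
    address_mismatch: bool  # advertised host != control-channel peer (NAT symptom)


_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode(fields):
    """Turn the six comma-separated fields into (dotted-quad, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in fields)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("field out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_connection(line, client_ip, server_ip):
    """Classify one control-channel line (client PORT or server 227 reply).

    client_ip / server_ip are the peers as seen on the control connection.
    """
    m = _HOSTPORT.search(line)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in line")
    host, port = _decode(m.groups())
    if line.upper().startswith("PORT "):
        # Active mode: the CLIENT picks a port and advertises it; the SERVER
        # then connects FROM port 20 to that client port.
        return DataConnection("active", f"{server_ip}:20", f"{host}:{port}",
                              host != client_ip)
    if line.startswith("227"):
        # Passive mode: the SERVER listens on a port > 1024 and advertises it;
        # the CLIENT connects to it from an ephemeral port.
        return DataConnection("passive", f"{client_ip}:ephemeral",
                              f"{host}:{port}", host != server_ip)
    raise ValueError("not a PORT command or a 227 reply")


if __name__ == "__main__":
    # Constructed exchange: public client, server behind NAT advertising a private address.
    for msg in ("PORT 192,0,2,10,4,1", "227 Entering Passive Mode (10,0,0,5,195,80)."):
        print(msg, "->", data_connection(msg, "192.0.2.10", "198.51.100.5"))
```

A firewall rule that only allows inbound connections to port 21 will therefore break active mode from the client side (it must accept the server's connection from port 20) and passive mode from the server side (it must accept connections to the advertised port), which is why both ends need to be checked against the logs.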


