Date: Sun, 8 Jul 2001 13:06:30 -0700
From: "Crist J. Clark" <cristjc@earthlink.net>
To: "tjk@tksoft.com" <tjk@tksoft.com>
Cc: Axel Scheepers <ascheepe@surf.iae.nl>, freebsd-security@FreeBSD.ORG
Subject: Re: Firewall and ftp service
Message-ID: <20010708130630.A307@blossom.cjclark.org>
In-Reply-To: <200107081001.DAA07513@smtp3.tksoft.com>; from tjk@tksoft.com on Sun, Jul 08, 2001 at 03:01:54AM -0700
References: <20010707153247.A78448@surf.iae.nl> <200107081001.DAA07513@smtp3.tksoft.com>
On Sun, Jul 08, 2001 at 03:01:54AM -0700, tjk@tksoft.com wrote:
>
> I wanted to point out that port 20 is for ftp data and port 21 is
> for ftp commands.

Yep. For PORT or "active" FTP.

> When an ftp connection is made, the client connects to the server at
> port 21. All communications occur on that channel.

All command and control communications.

> When the server needs to send data to the client, it opens a connection
> to port 20 on the client. When it makes the connection, it allocates a
> local port > 1024 for its local port.

*sigh* NO. When the server needs to send data to the client, it opens a
connection _from_ port 20 on the server to some ephemeral port, >1024,
on the client. Think about it. On a UNIX system, is the client program
running with root privs? How could it open port 20?

> When a client requests passive ftp, the server opens a random port >
> 1024 for listening. The client then opens a connection to that port.

That's usually what happens in PASV.

> With both passive and regular ftp data connections, the server has a
> local port > 1024 open. The distinction is that with passive ftp the
> server does a "listen()," opening a port for incoming connections. With
> regular ftp, the server does a "connect()" and the client must open port
> 20 with "listen()."

Again, no. The server uses its port 20 for a PORT command. The client
never uses port 20 in either mode.
--
Crist J. Clark                                cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
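The two data-connection shapes the reply describes, worked through as an added example (not code from the thread or from FreeBSD): it parses the client's `PORT h1,h2,h3,h4,p1,p2` command and the server's `227 ... (h1,h2,h3,h4,p1,p2)` passive reply, and derives the TCP 4-tuple a firewall on either end must expect. In active mode the server connects from its own port 20 to the client's advertised ephemeral port; in passive mode the client connects from an ephemeral port to the server's advertised listening port, and port 20 never appears. The IP addresses, port numbers and the ipfw-style rule text are constructed for illustration.

```python
"""
Derive the FTP data connection implied by a PORT command or a PASV reply.
Hypothetical example written for this thread; addresses and ports below
are constructed sample values, and the rule text mimics ipfw syntax only
as an illustration of which direction the firewall must permit.
"""
import re
from dataclasses import dataclass
from typing import Optional

FTP_CONTROL_PORT = 21
FTP_DATA_PORT = 20  # used only as the *server's* source port in active mode

# h1,h2,h3,h4,p1,p2 as carried by both "PORT ..." and "227 ... (...)"
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataConnection:
    initiator: str            # "server" (active/PORT) or "client" (passive/PASV)
    src_ip: str
    src_port: Optional[int]   # None when the initiator picks an ephemeral port
    dst_ip: str
    dst_port: int


def parse_hostport(text: str) -> tuple[str, int]:
    """Decode the comma-separated address/port encoding used by PORT and 227."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 field in {text!r}")
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    if any(o > 255 for o in (a, b, c, d, p1, p2)):
        raise ValueError(f"octet out of range in {text!r}")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not usable")
    return f"{a}.{b}.{c}.{d}", port


def active_data_connection(server_ip: str, port_command: str) -> DataConnection:
    """PORT: the client advertises where it listens; the server connects
    from port 20 to that ephemeral client port."""
    client_ip, client_port = parse_hostport(port_command)
    return DataConnection("server", server_ip, FTP_DATA_PORT, client_ip, client_port)


def passive_data_connection(client_ip: str, pasv_reply: str) -> DataConnection:
    """PASV: the server advertises a listening port > 1024; the client
    connects to it from an ephemeral port of its own."""
    server_ip, server_port = parse_hostport(pasv_reply)
    return DataConnection("client", client_ip, None, server_ip, server_port)


def ipfw_style_rule(conn: DataConnection) -> str:
    """Render the SYN-only permit rule the data connection needs (illustrative
    ipfw-like syntax; 'setup' matches the connection-opening packet)."""
    src = f"{conn.src_ip} {conn.src_port}" if conn.src_port else conn.src_ip
    return f"allow tcp from {src} to {conn.dst_ip} {conn.dst_port} setup"


if __name__ == "__main__":
    # Constructed sample exchange: client 198.51.100.5, server 192.0.2.10
    active = active_data_connection("192.0.2.10", "PORT 198,51,100,5,195,125")
    passive = passive_data_connection(
        "198.51.100.5", "227 Entering Passive Mode (192,0,2,10,234,16).")
    for conn in (active, passive):
        print(f"{conn.initiator} connects: {ipfw_style_rule(conn)}")
```

Running the block shows the server-side rule for active mode carrying source port 20 and the client-side rule for passive mode carrying no fixed source port at all, which is why a client-side firewall only has to admit inbound SYNs from the server's port 20 in active mode and never has to open port 20 itself.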