Re: ftp and firewall
Paul Farber wrote:
> You said that no one can connect to your net? How do you expect to
> receive data back? FTP uses ports 20/21 and >1024 for data transfer. 20/21
> are for control. You need to open up 20/21 and > 1024 to receive data back.
Nope.
In active mode, the client binds a listening socket on an ephemeral
port and sends a PORT command to the server containing the address and
port associated with the socket. The server then connects to this
socket from port 20 to send/receive the data for the next command.
Consequently, active mode requires that a firewall permit inbound
connections to any ephemeral socket.
In passive mode, the client sends a PASV command to the server. The
server binds a listening socket on an ephemeral port, and sends a
reply similar to:
227 Entering Passive Mode (127,0,0,1,4,205)
The first four numbers (bytes) are the IP address, and the last two
are the port number (high byte first). The client then connects to
this socket to send/receive the data for the next command.
Consequently, passive mode only requires that the firewall permit
outbound connections to ephemeral ports. Unsurprisingly, passive mode
is normally used when using FTP through a firewall.
--
Glynn Clements <glynn@sensei.co.uk>
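As an added illustration of the two data-connection setups described above (this is example code, not part of the original message): the first function parses a `227` PASV reply into the host and port the client must connect out to, and the second binds a listening socket on an ephemeral port and builds the matching `PORT` command that active mode would send. The `control_peer_ip` parameter is an assumed hardening, not something the post mentions: a client that only trusts a PASV reply pointing back at the server it is already talking to will not be steered into opening a data connection to a third host.

```python
import re
import socket
from ipaddress import IPv4Address

# Six comma-separated decimal fields inside parentheses: h1,h2,h3,h4,p1,p2
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply, control_peer_ip=None):
    """Parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'.

    Returns (host, port): the first four fields are the IPv4 address, the
    last two are the port with the high byte first (port = p1*256 + p2).
    If control_peer_ip is given (assumed hardening, not in the original
    post) the advertised host must equal the address of the server the
    control connection is already talking to; otherwise ValueError.
    """
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of byte range in reply: %r" % reply)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("server advertised port 0")
    if control_peer_ip is not None and host != control_peer_ip:
        raise ValueError("PASV host %s differs from control peer %s" % (host, control_peer_ip))
    return host, port


def build_port_command(host, port):
    """Build 'PORT h1,h2,h3,h4,p1,p2' for a socket listening at host:port."""
    octets = str(IPv4Address(host)).split(".")
    if not 0 < port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return "PORT %s,%d,%d" % (",".join(octets), port >> 8, port & 0xFF)


def open_active_listener(local_ip="127.0.0.1"):
    """Active mode from the client side: bind a listening socket on an
    ephemeral port (port 0 lets the OS pick one) and return it together
    with the PORT command telling the server where to connect from port 20.
    Nothing is sent anywhere; the caller owns and must close the socket."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((local_ip, 0))
    sock.listen(1)
    host, port = sock.getsockname()
    return sock, build_port_command(host, port)


if __name__ == "__main__":
    # Constructed sample reply, the same one quoted in the message above.
    print(parse_pasv_reply("227 Entering Passive Mode (127,0,0,1,4,205)"))
    listener, cmd = open_active_listener()
    print(cmd)
    listener.close()
```

The active-mode helper shows why the firewall has to allow inbound connections to an arbitrary high port: the port number in the `PORT` command is whatever the OS handed out at bind time, so it cannot be known in advance. Passive mode reverses the direction, and the only thing the client needs is an outbound rule.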