© 2022 HyQuest Solutions
111
Appendices
Introduction
One of the most commonly seen questions when dealing with firewalls and other Internet connectivity issues is the
difference between active and passive FTP and how best to support either or both of them.
FTP is a TCP based service exclusively. There is no UDP component to FTP. FTP is an unusual service in that it utilizes two
ports, a 'data' port and a 'command' port (also known as the control port). Traditionally these are port 21 for the
command port and port 20 for the data port. The confusion begins however, when we find that depending on the mode,
the data port is not always on port 20.
Active FTP
In active mode FTP the client (iRIS) connects from a random unprivileged port (N > 1023) to the FTP server's command
port, port 21. Then, the client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server. The
server will then connect back to the client's specified data port from its local data port, which is port 20.
From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be
opened:
§
FTP server's port 21 from anywhere (Client initiates connection)
§
FTP server's port 21 to ports > 1023 (Server responds to client's control port)
§
FTP server's port 20 to ports > 1023 (Server initiates data connection to client's data port)
§
FTP server's port 20 from ports > 1023 (Client sends ACKs to server's data port)
When drawn out, the connection appears as follows:
In step 1, the client's command port contacts the server's command port and sends the command PORT 1027. The server
then sends an ACK back to the client's command port in step 2. In step 3 the server initiates a connection on its local data
port to the data port the client specified earlier. Finally, the client sends an ACK back as shown in step 4.
The main problem with active mode FTP actually falls on the client side. The FTP client doesn't make the actual connection
to the data port of the server--it simply tells the server what port it is listening on and the server connects back to the
specified port on the client. From the client side firewall this appears to be an outside system initiating a connection to an
internal client--
something that is usually blocked
.
Active FTP Example
Below is an actual example of an active FTP session. The only things that have been changed are the server names, IP
addresses, and user names. In this example an FTP session is initiated from testbox1.slacksite.com (192.168.150.80), a
Linux box running the standard FTP command line client, to testbox2.slacksite.com (192.168.150.90), a Linux box running
ProFTPd 1.2.2RC2. The debugging (-
d
) flag is used with the FTP client to show what is going on behind the scenes.
Everything in
red
is the debugging output which shows the actual FTP commands being sent to the server and the
responses generated from those commands. Normal server output is shown in black, and user input is in
bold
.
There are a few interesting things to consider about this dialog. Notice that when the PORT command is issued, it specifies
a port on the client (192.168.150.80) system, rather than the server. We will see the opposite behaviour when we use
passive FTP. While we are on the subject, a quick note about the format of the PORT command. As you can see in the
Summary of Contents for iRIS Under Cover
Page 1: ...iRIS Under Cover User Manual ...
Page 13: ... 2022 HyQuest Solutions 13 Installation Figure 2 Mounting Diagram ...
Page 108: ... 2022 HyQuest Solutions 108 Appendices 8 1 Declaration of Conformity ...
Page 115: ... 2022 HyQuest Solutions 115 Appendices ...
Page 117: ...www hyquestsolutions com 2022 HyQuest Solutions 29 06 2022 ...