C.6 The behavior of FTPOr, ``Why do I have to open all ports above 1024 to my FTP server?''
FTP doesn't really look a whole lot like other applications from a networking perspective.
It keeps one listening port, port 21, which users connect to. All it does is let people log on, and establish ANOTHER connection to do actual data transfers. This second connection is usually on some port above 1024.
There are two modes, ``active'' (normal) and ``passive'' mode. This word describes the server's behaviour.
In active mode, the client (18.104.22.168) connects to port 21 on the server (22.214.171.124) and logs on. When file transfers are due, the client allocates a dynamic port above 1024, informs the server about which port it opened, and then the server opens a new connection to that port. This is the ``active'' role of the server: it actively establishes new connections to the client.
In passive mode, the connection to port 21 is the same. When file transfers are due, the SERVER allocates a dynamic port above 1024, informs the client about which port it opened, and then the CLIENT opens a new connection to that port. This is the ``passive'' role of the server: it waits for the client to establish the second (data) connection.
If your firewall doesn't inspect the application data of the FTP command connection, it won't know that it needs to dynamically open new ports above 1024.
On a side note: The traditional behaviour of FTP servers in active mode is to establish the data session FROM port 20, and to the dynamic port on the client. FTP servers are steering away from this behaviour somewhat due to the need to run as ``root'' on unix systems in order to be able to allocate ports below 1024. Running as ``root'' is not good for security, since if there's a bug in the software, the attacker would be able to compromise the entire machine. The same goes for running as ``Administrator'' or ``SYSTEM'' (``LocalSystem'') on NT machines, although the low port problem does not apply on NT.
To sum it up, if your firewall understands FTP, it'll be able to handle the data connections by itself, and you won't have to worry about ports above 1024.
If it does NOT, there are four issues that you need to address:
Again, if your firewall understands FTP, none of the four points above apply to you. Let the firewall do the job for you.
include('phone.php') ?> include('address.php') ?>
|© 2000 - 2017 Vesaria Network Security Specialists|
|Call Us at include('phone.php') ?>|