C.6 The behavior of FTP

  Or, "Why do I have to open all ports above 1024 to my FTP server?"

From a networking perspective, FTP does not look much like other applications.

It keeps one listening port, port 21 (the control connection), which users connect to. That connection only carries commands: it lets people log in and then arranges a SECOND connection over which the actual data transfers (files and directory listings) take place. This second connection is made on a dynamic port, normally 1024 or above.

There are two modes, "active" (the traditional default) and "passive". The word describes the server's behaviour.

In active mode, the client (5.6.7.8) connects to port 21 on the server (1.2.3.4) and logs in. When a transfer is due, the client allocates a dynamic port (1024 or above), tells the server which port it opened (the PORT command), and the server then opens a new connection to that port on the client. This is the "active" role of the server: it actively establishes a new connection back to the client.

In passive mode, the connection to port 21 is the same. When a transfer is due, the SERVER allocates a dynamic port (1024 or above), tells the client which port it opened (the "227 Entering Passive Mode" reply to the client's PASV command), and the CLIENT then opens a new connection to that port on the server. This is the "passive" role of the server: it waits for the client to establish the second (data) connection.

If your firewall does not inspect the application data on the FTP control connection, it cannot know which dynamic port above 1023 it has to open, on which host, or in which direction. Note that this inspection only works while the control connection is readable: once the control channel is encrypted (FTP over TLS), an FTP-aware firewall can no longer see the PORT and PASV exchange and you are back to the situation described below.
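The following is an added example, not code from the Vesaria FAQ: it shows the inspection an FTP-aware firewall performs on the control connection. It parses the client's PORT command and the server's 227 reply (both carry the address as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2), works out which host must be allowed to connect to which dynamic port, and refuses announcements that name a different host than the peer that sent them or a port below 1024. The transcript, the addresses 5.6.7.8 and 1.2.3.4 from the text, and the two sanity-check rules are all assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Pinhole:
    """The one data connection a stateful firewall would have to permit."""
    mode: str       # "active" or "passive"
    src: str        # host that will initiate the data connection
    dst: str        # host that must accept it
    dst_port: int   # dynamic port announced on the control channel


# Both PORT and the 227 reply carry the address as h1,h2,h3,h4,p1,p2
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text: str) -> Tuple[str, int]:
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2)."""
    m = HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: %r" % text)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in: %r" % text)
    host = ".".join(str(o) for o in octets[:4])
    return host, octets[4] * 256 + octets[5]


def inspect_control_line(line: str, sender: str, client_ip: str, server_ip: str) -> Optional[Pinhole]:
    """Inspect one line of the control connection.

    Returns the Pinhole the firewall must open, None if the line does not
    announce a data port, and raises ValueError for an announcement the
    firewall should refuse to honour.
    """
    line = line.rstrip("\r\n")
    if sender == "client" and line.upper().startswith("PORT "):
        host, port = decode_hostport(line)
        expected = client_ip                  # client tells server where to connect back
        mode, src, dst = "active", server_ip, host
    elif sender == "server" and line.startswith("227 "):
        host, port = decode_hostport(line)
        expected = server_ip                  # server tells client where to connect
        mode, src, dst = "passive", client_ip, host
    else:
        return None                           # USER, PASS, RETR, 150, 226, ... carry no port
    # Sanity checks (assumed policy for this example): the announced address must be
    # the address of the peer that announced it, and the port must be dynamic (>= 1024).
    if host != expected:
        raise ValueError("%s announces %s, but the control peer is %s" % (mode, host, expected))
    if port < 1024:
        raise ValueError("%s announces privileged port %d" % (mode, port))
    return Pinhole(mode, src, dst, port)


def inspect_session(transcript: Iterable[Tuple[str, str]], client_ip: str, server_ip: str) -> List[Pinhole]:
    """Run inspection over a whole control-channel transcript of (sender, line) pairs."""
    holes = []
    for sender, line in transcript:
        hole = inspect_control_line(line, sender, client_ip, server_ip)
        if hole is not None:
            holes.append(hole)
    return holes


def is_accepted(line: str, sender: str, client_ip: str, server_ip: str) -> bool:
    """True if the line is harmless or a port announcement the firewall would honour."""
    try:
        inspect_control_line(line, sender, client_ip, server_ip)
        return True
    except ValueError:
        return False


# Constructed transcript using the page's addresses: client 5.6.7.8, server 1.2.3.4.
SAMPLE_SESSION = [
    ("server", "220 FTP server ready."),
    ("client", "USER anonymous"),
    ("server", "331 Please specify the password."),
    ("client", "PASS guest@"),
    ("server", "230 Login successful."),
    ("client", "PORT 5,6,7,8,200,10"),                        # active: client listens on 5.6.7.8:51210
    ("server", "200 PORT command successful."),
    ("client", "LIST"),
    ("server", "150 Here comes the directory listing."),
    ("server", "226 Directory send OK."),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (1,2,3,4,195,80)."),  # passive: server listens on 1.2.3.4:50000
    ("client", "RETR file.txt"),
    ("server", "150 Opening BINARY mode data connection."),
    ("server", "226 Transfer complete."),
]

if __name__ == "__main__":
    for hole in inspect_session(SAMPLE_SESSION, "5.6.7.8", "1.2.3.4"):
        print("%-7s open %s -> %s:%d" % (hole.mode, hole.src, hole.dst, hole.dst_port))
```

Run against the sample transcript it yields exactly two pinholes: server 1.2.3.4 to client 5.6.7.8:51210 for the active-mode listing, and client 5.6.7.8 to server 1.2.3.4:50000 for the passive-mode retrieval. A firewall that does not perform this inspection has no way to derive either and is left with the blanket rules described further down.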

On a side note: the traditional behaviour of an FTP server in active mode is to establish the data connection FROM port 20 to the dynamic port on the client. FTP servers have been moving away from this because, on Unix systems, a process must run as "root" to bind ports below 1024. Running as "root" is bad for security: if there is a bug in the software, an attacker can use it to compromise the entire machine. The same goes for running as "Administrator" or "SYSTEM" ("LocalSystem") on NT, although NT has no restriction on binding low ports. One consequence for firewall rules: you cannot rely on active-mode data connections always having source port 20.

To sum it up, if your firewall understands FTP, it will open the data connections by itself, one at a time, and you will not have to open ports above 1023 yourself.

If it does NOT, there are four cases you need to address:

  • Firewalling an FTP server in active mode
    You need to let your server open new connections to the outside world on ports 1024 and above.
  • Firewalling an FTP server in passive mode
    You need to let the outside world connect to ports 1024 and above on your server. CAUTION!!!! There may be applications listening on some of these ports that you do NOT want outside people using. Disallow access to those ports BEFORE allowing access to the 1024-65535 port range; in a first-match firewall a deny placed after the broad allow never takes effect.
  • Firewalling FTP clients in active mode
    You need to let the outside world connect to ports 1024 and above on your clients. CAUTION!!!! The same warning applies: there may be applications listening on some of these ports that you do NOT want outside people using. Disallow access to those ports before allowing access to the 1024-65535 port range.
  • Firewalling FTP clients in passive mode
    You need to let your clients open new connections to the outside world on ports 1024 and above.
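As an added example (not from the Vesaria FAQ), the four cases above expressed as a small first-match rule set, the way iptables and most packet filters evaluate rules. It builds the rule list for a given role and mode, and shows the failure mode the CAUTION warns about: the same rules with the broad allow placed first expose every protected port. The evaluator, the "in"/"out" directions, and the ports 6000 and 8080 standing in for local services are assumptions made for this example; the rule permitting the control connection on port 21 is assumed to exist separately.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    direction: str   # "in": outside -> our host, "out": our host -> outside
    port_lo: int     # destination port range, inclusive
    port_hi: int

    def matches(self, direction: str, dst_port: int) -> bool:
        return self.direction == direction and self.port_lo <= dst_port <= self.port_hi


def decide(rules: List[Rule], direction: str, dst_port: int, default: str = "deny") -> str:
    """First matching rule wins (iptables-style); anything unmatched hits the default."""
    for rule in rules:
        if rule.matches(direction, dst_port):
            return rule.action
    return default


def rules_for(role: str, mode: str, protected_ports: Iterable[int] = ()) -> List[Rule]:
    """Rules for one of the four cases, for a firewall that does not understand FTP.

    role: "server" or "client" (what our host is); mode: "active" or "passive".
    protected_ports: ports >= 1024 on our host that must NOT be reachable from outside.
    """
    if role not in ("server", "client") or mode not in ("active", "passive"):
        raise ValueError("role must be server/client, mode must be active/passive")
    # Our host initiates the data connection: active-mode server, passive-mode client.
    if (role, mode) in (("server", "active"), ("client", "passive")):
        return [Rule("allow", "out", 1024, 65535)]
    # The outside initiates the data connection: passive-mode server, active-mode client.
    # The denies for protected ports MUST precede the broad allow, or they never match.
    rules = [Rule("deny", "in", p, p) for p in sorted(set(protected_ports))]
    rules.append(Rule("allow", "in", 1024, 65535))
    return rules


def exposed_ports(rules: List[Rule], candidates: Iterable[int]) -> List[int]:
    """Which of the candidate ports the outside could reach under this rule order."""
    return [p for p in candidates if decide(rules, "in", p) == "allow"]


if __name__ == "__main__":
    # Constructed example: a passive-mode FTP server that also has services on 6000 and 8080
    # (assumed ports for illustration) which must stay closed to the outside.
    local_services = [6000, 8080]
    right = rules_for("server", "passive", local_services)
    wrong = list(reversed(right))   # same rules, broad allow first: the classic mistake
    print("correct order exposes:", exposed_ports(right, local_services))   # []
    print("wrong order exposes:  ", exposed_ports(wrong, local_services))   # [6000, 8080]
```

Note that a last-match firewall (some BSD-style filters) inverts the ordering requirement; the point that survives either way is that the specific denies and the broad 1024-65535 allow must be ordered so that the denies win.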

Again, if your firewall understands FTP, none of the four points above apply to you. Let the firewall do the job for you.

Firewall FAQ
Table of Contents

Previous Section: C.5 What ports are safe to pass through a firewall?

Next Section: C.7 What software uses what FTP mode?

© 2000 - 2017 Vesaria Network Security Specialists        