Questions about passive FTP, firewalls and Routers

Archived from groups: microsoft.public.win2000.networking, comp.os.ms-windows.networking.misc, comp.os.linux.networking, microsoft.public.windowsxp.network_web, comp.security.firewalls

I have read some explanations about the differences between active and passive ftp, but there are still some
open questions:

1.) Whether a connection from the ftp client to the ftp server is in active or in passive mode is
a decision of the client - not of the server. Is this correct?

2.) Assume I type (as a client) at the command line:

ftp ftp.foo.com

How do I specify that I want to handle this (my ftp session) in passive mode rather than in active mode?

3.) Assume there is a router and a firewall at server side.
For active ftp I have to open
- Port 21 for incoming TCP request in the firewall
- Port 20 for outgoing TCP request in the firewall
- Portforwarding NAT for Port 21 to the local IP (e.g. 192.168.0.34) in the router configuration

Which settings do I have to set up for passive ftp?
As far as I know the client could initiate the data channel to a server port from a range, e.g. 1500,...,1700.
Do I really have to set up NAT port forwarding for 200 ports?

4.) Which port range is normally used for data channels by ftp servers in passive mode?

5.) Assume there is a firewall at the client side.
For active ftp I (as a client) have to open
- remote Port 21 for outgoing TCP requests
- remote Port 20 for incoming TCP requests

If I use passive ftp I have to open
- all (!) remote ports for outgoing requests because I do not know in advance which remote port range
the ftp server offers me for the data channel. Is this correct?

6.) If you look at all ftp connections worldwide, which percentage is handled by active ftp
and which percentage by passive ftp mode?

Thank you for your help

Sergej

Archived from groups: comp.security.firewalls

    "Sergej Balon" <buzzuz@hotmail.com> wrote in message
    news:cctl41$lvm$07$1@news.t-online.com...
    > [snip: question quoted in full, see above]

    1. Yes. Implementing Normal (Active) or Passive FTP is the result of the
    client issuing either the PORT or PASV command respectively. When using
    FTP via DOS it will always be Normal. Early versions of IE also
    implemented FTP Normal, but I believe it wasn't until IE5 that FTP was
    then implemented as Passive.

    2. After the client establishes the Control channel to the FTP server
    (to TCP port 21), the client will then either issue the PORT or PASV
    command depending upon the client's configuration. If it's the PORT
    command, the purpose is to inform the FTP server to create/establish the
    Data channel to the client. If it's the PASV command, the purpose is to
    ask the FTP server what IP and port the client should connect to in
    order to establish the Data channel.

    3. The ports associated with the Data channel in PASV FTP are often
    between 1024 and 5000. However that isn't always the case. If you want to
    allow PASV FTP to the FTP server, you'll have to allow these ports
    inbound, but only as the result of an already established FTP Control
    channel and to/from the same IP involved. Fortunately many firewalls
    are FTP aware and know what needs to be done to allow either method
    safely through. Are you sure that you're not trying to do something
    unnecessary?

    4. See #3

    5. See #3

    6. Unknown, but I would guesstimate that because a majority of people
    use IE as their method of browsing and acquiring files, it's going
    to be PASV FTP.

    Lastly, here are a couple of links to articles on the subject, one of
    which I contributed several years ago.

    http://slacksite.com/other/ftp.html

    http://www.allaboutjake.com/network/linksys/ftp.html

    http://war.jgaa.com/ftp/?cmd=show_page&ID=ftp_pasv


    --
    Best regards, from Don Kelloway of Commodon Communications
    Visit http://www.commodon.com to learn about the "Threats to Your
    Security on the Internet".
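The exchange the answer describes (the client's PORT command in active mode, the server's 227 reply to PASV in passive mode) and the single data-channel rule an FTP-aware firewall derives from it, as an added example in Python. This is not code from the thread or from any of the linked articles. The client and server addresses (203.0.113.7 and 198.51.100.20, from the documentation ranges, plus the questioner's 192.168.0.34) and every control-channel line are constructed for the example, and the "refuse the advertised address unless it is the control peer" behaviour imitates what the Linux nf_conntrack_ftp helper does unless loaded with loose=1.

```python
"""Miniature FTP application-layer gateway (added example, not from the thread).

Decodes the addressing carried in the PORT command (active mode) and in the
227 reply to PASV (passive mode), and derives the one extra TCP connection a
stateful firewall should permit for that control session.
"""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 959 encodes address and port as six decimal octets h1,h2,h3,h4,p1,p2
# with port = p1 * 256 + p2.
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_REPLY_RE = re.compile(r"^227 [^(]*\(" + _HOSTPORT + r"\)")
PORT_CMD_RE = re.compile(r"^PORT " + _HOSTPORT + r"\s*$", re.IGNORECASE)

FTP_DATA_PORT = 20  # RFC 959 default source port for active-mode server connects


@dataclass(frozen=True)
class Pinhole:
    """The data connection the firewall must allow: initiator -> listener."""
    mode: str                # "active" or "passive"
    src_ip: str              # who opens the data connection
    src_port: Optional[int]  # 20 in active mode; ephemeral (unknown) in passive
    dst_ip: str              # who listens for it
    dst_port: int
    warning: str = ""        # set when the advertised address is not the control peer


def decode_hostport(fields):
    """Six octet strings -> (dotted IPv4, port); rejects out-of-range values."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    if any(not 0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in PORT/PASV addressing")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return f"{h1}.{h2}.{h3}.{h4}", port


def encode_hostport(ip, port):
    """(dotted IPv4, port) -> 'h1,h2,h3,h4,p1,p2' as used by PORT and 227."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("need a dotted-quad IPv4 address")
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def build_port_command(client_ip, client_port):
    """What an active-mode client sends after it starts listening on client_port."""
    return f"PORT {encode_hostport(client_ip, client_port)}\r\n"


def parse_pasv_reply(line):
    m = PASV_REPLY_RE.match(line)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {line!r}")
    return decode_hostport(m.groups())


def parse_port_command(line):
    m = PORT_CMD_RE.match(line)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return decode_hostport(m.groups())


def data_pinhole(control_client_ip, control_server_ip, line, loose=False):
    """Derive the data connection to permit from one control-channel line.

    Active:  client sends 'PORT a,b,c,d,p1,p2'       => server:20 connects to a.b.c.d:port
    Passive: server sends '227 ... (a,b,c,d,p1,p2)'  => client connects to a.b.c.d:port
    An advertised address that differs from the control-channel peer is refused
    unless loose=True (then it is permitted but flagged in Pinhole.warning).
    """
    if line.upper().startswith("PORT "):
        ip, port = parse_port_command(line)
        mode, expected, src_ip, src_port = "active", control_client_ip, control_server_ip, FTP_DATA_PORT
    elif line.startswith("227 "):
        ip, port = parse_pasv_reply(line)
        mode, expected, src_ip, src_port = "passive", control_server_ip, control_client_ip, None
    else:
        raise ValueError("line carries no data-channel addressing")

    warning = ""
    if ip != expected:
        warning = (f"{mode}: advertised address {ip} is not the control peer {expected} "
                   f"(FTP bounce attempt, or a NAT'd server advertising its private address)")
        if not loose:
            raise ValueError(warning)
    return Pinhole(mode, src_ip, src_port, ip, port, warning)


if __name__ == "__main__":
    # Constructed session: client 203.0.113.7 has a control channel to 198.51.100.20:21.
    client, server = "203.0.113.7", "198.51.100.20"
    print(build_port_command(client, 51215).strip())   # PORT 203,0,113,7,200,15
    print(data_pinhole(client, server, "PORT 203,0,113,7,200,15\r\n"))
    print(data_pinhole(client, server, "227 Entering Passive Mode (198,51,100,20,6,105)\r\n"))
    # The questioner's NAT case: the server behind the router advertises its LAN address.
    print(data_pinhole(client, server, "227 Entering Passive Mode (192,168,0,34,6,105)\r\n",
                       loose=True).warning)
```

Two practical notes that follow from this. For question 3, the reason a NAT'd server is painful is visible in the last call above: a server at 192.168.0.34 that is not told otherwise advertises 192.168.0.34 in its 227 reply, and an outside client either cannot reach it or a strict firewall helper refuses it; most servers therefore let you pin the passive range to a small block and advertise the router's public address (vsftpd, for example, via pasv_min_port, pasv_max_port and pasv_address), and you forward only that block rather than 200 ports. The same fixed range becomes mandatory once the control channel is encrypted (FTPS), because an FTP-aware firewall can no longer read PORT and 227 to open the pinhole for you. For question 2, clients other than the DOS/Windows ftp.exe generally expose a toggle, e.g. the `passive` command in BSD/GNU ftp or `FTP.set_pasv()` in Python's ftplib.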