Thursday, November 24, 2005

> 1.) If a connection from the ftp client to the ftp server is in active or
> in passive mode is
> a decision of the client - not of the server. Is this correct?

It's up to the client to request PASV mode.
If the server agrees, then PASV mode is set.
Otherwise, the client sets PORT ( active ) mode.

> 2.) Assume I type (as a client) at the command line:

> ftp

> How do I specify that I want to handle this (my ftp session) in passive
> mode rather than in active?

XP's command-line FTP does not support the PASV command.
Do a ? at the ftp> prompt for a list of commands.
You can get third-party command-line FTP utils which support PASV mode.
Here's one I found earlier ( which is nice ):

Do a ? at this one, and see there are many more commands.
PASV is the one you need.

The FTP function in IE has the option to use PASV mode for FTP.
Look in internet options.

All third-party FTP clients have the option.

Before we get stuck into this, read these references...

> 3.) Assume there is a router and a firewall at server side.
> For active ftp I have to open
> - Port 21 for incoming TCP request in the firewall
> - Port 20 for outgoing TCP request in the firewall
> - Port forwarding NAT for Port 21 to the local IP (e.g. in
> the router configuration

External: Any:Any -> Internal FTP_SERVER_IP:21 (to let in control
Internal: FTP_SERVER_IP:20 -> External Any: Any (to let data connection

> Which settings do I have to setup for passive ftp?
> As far as I know the client could initiate the data channel to a server
> port from a range e.g. 1500,...,1700

> Do I really have to setup NAT port forwarding for 200 ports ?

You are more or less correct.

In response to a PASV request, the server will provide an
IP address/port number for the client to connect to.
Some FTP servers may permit you to specify a range of ports to use.

You need to either:
open up all the ephemeral ports that the FTP server is configured to use,
or... perhaps the NAT device is clever enough to recognise the FTP session
and make special provision dynamically. This is called a NAT editor.

It's not elegant.
Basically, PASV mode doesn't work well if the server is behind NAT.

Passive FTP is a workaround for a firewall / NAT at the client side.
Passive mode is difficult to handle with firewall /NAT at the server side.

Additionally, the FTP server will probably report the wrong IP address to
the client in response to the PASV request. It will give the internal IP
not the public IP address. This can be handled in a couple of ways.
Either the FTP server needs to deduce the external IP by itself somehow,
or you need to be able to specify it. Failing that, the NAT device needs to
do special NAT editing and change the IP address contained within the
response to the PASV command.

> 4.) Which port range is normally used for data channels ftp servers in
> passive mode?

Entirely depends on the FTP server.
Could be the entire ephemeral port range 1025 - 65535!
May be configurable on the server.

> 5.) Assume there is a firewall at the client side.
> For active ftp I (as a client) have to open
> - remote Port 21 for outgoing TCP requests
> - remote Port 20 for incoming TCP requests

Active mode means the server will generate an incoming connection
FROM its port 20 TO *any* random port number on the client,
whatever the FTP client said in the PORT command.

Internal: Any:Any -> External: Any:21 to permit the control connection out;
External: Any:20 -> Internal: Any:Any to permit the data connection in.

That's a massive hole to blow in a firewall!

As you see, active mode FTP doesn't work well behind a client firewall.
It requires a very large hole to permit the inbound FTP data connection.

> If I use passive ftp I have to open
> - all (!) remote Ports for outgoing requests because I do not know in
> advance which remote port range
> the ftp server offers me to communicate for the data channel. Is this


Internal: Any:Any -> External :Any:21 to permit the control connection out;
Internal: Any:Any -> External: Any:Any to permit the data connection out.

Permitting all outbound is less bad than permitting all inbound!

> 6.) If you look at all ftp connections worldwide. Which percentage is
> handled by active ftp

> and which percentage by passive ftp mode?

No idea.

In short:
Active mode: Difficult with NAT or firewall client side. OK for NAT /
Firewall server-side.
PASV mode: OK for NAT / firewall client side. Difficult for NAT / Firewall

If NAT or firewalls at both sides, FTP may not be possible.
Will require special handling in the NAT or firewall on one side.
Something would have to give.
May never work, depends on smartness of NAT implementation.

0 Responses to Interesting discussion about ftp and firewalls: