I recently was reminded that the FTP protocol requires two ports…
FTPS by default fails … this is due to the FTP protocol requiring two ports: one for commands (which includes directory creation) and one for data, e.g. the result of a directory listing or a file transfer.
Passive Mode
Specifically, in passive mode, during the handshake the FTP server tells the client which second port to connect back on for the data channel. This can be any port above 1023, and these ports are (rightly) being blocked by the firewall.
Active Mode
In active mode, once a client has connected on the command port, the server itself initiates the data connection out to the client, which will be listening on a random port above 1023. Although this mode resolves the server-side firewall issue, it is unfeasible because we would be wholly dependent on whatever firewalls the client is behind, and we have no control over them. In fact, this is why passive mode exists.
SSL and FTP
The passive mode random port problem is not usually a problem with plain FTP (non-SSL), because even if only the command port (21) is configured to allow FTP, smart firewalls read the port being requested from the cleartext protocol and open it so the client can initiate the data connection.
In FTP over SSL the command channel is encrypted, so the firewall can't tell which port has been requested and continues to block the data connection.
The Fix
1. Open all unreserved ports above 1023 in your firewall.
2. If that's not possible, then with most FTP servers (e.g. FileZilla) you can specify a limited range of ports the server will reserve for the data channel. Doing that and allowing this subset of ports through the firewall means all passive mode requests should work completely, and the connections are still inbound only.
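To make the port arithmetic concrete, here is an added example (not code from the original post) that parses the PASV/EPSV reply the server sends on the command channel and checks whether the advertised data port falls inside the range the firewall permits. This is the same information a plaintext-FTP firewall reads and that FTPS hides from it. The sample replies and the 50000-50100 range are constructed.

```python
import re
from typing import Optional, Tuple

# Classic PASV reply (RFC 959): "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Extended EPSV reply (RFC 2428): "229 Entering Extended Passive Mode (|||port|)".
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")


def parse_passive_reply(reply: str) -> Optional[Tuple[Optional[str], int]]:
    """Return (host, port) the server asks the client to connect to for data.

    Returns None if the line is not a PASV/EPSV reply or is malformed.
    Host is None for EPSV, where the client reuses the control-connection address.
    """
    m = PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
            return None  # each field is a single byte
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(1))
        return (None, port) if 1 <= port <= 65535 else None
    return None


def data_port_allowed(reply: str, low: int, high: int) -> bool:
    """True when the advertised data port lies in the inbound range the firewall permits."""
    parsed = parse_passive_reply(reply)
    if parsed is None:
        return False
    _, port = parsed
    return low <= port <= high


# Constructed sample replies (not captured from a real server).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,195,80)",  # 195*256+80 = 50000, in range
    "227 Entering Passive Mode (192,0,2,10,4,1)",     # 4*256+1 = 1025, outside range
    "229 Entering Extended Passive Mode (|||50123|)",  # just past the configured range
]

if __name__ == "__main__":
    for r in SAMPLE_REPLIES:
        print(r, "->", parse_passive_reply(r), "allowed:", data_port_allowed(r, 50000, 50100))
```

Feeding a real server's replies through `data_port_allowed` with your firewall's range is a quick way to confirm the server's configured passive range and the firewall rule actually agree.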
Tags: firewalls · ftp · ssl