
Re: Active & passive FTP

On Sunday 01 April 2001 16:42, Sven Burgener wrote:
> Hello all
> Are there any example ipchains commands for both active and passive FTP
> on a server and on a client?
> If not, where is an authoritative document that'd give me enough
> information to figure out exactly which ports are needed for both
> the client and the server for both active and passive FTP ... ?

In my experience, you'll have to stick with passive, even though this is a 
pain sometimes. The reason for this is that (IIRC) active FTP supports 
multiple data channels, and the way it does this is that the /client/ tells 
the server to open a /new/ connection on a port specified by the client. 
This poses a serious problem in most firewall setups, especially those using 
NAT, since the connection-tracking code can't cope with dynamically opening 
ports (and shouldn't, either!).

Just as a side note, the /only/ reason there is IMHO to use active FTP is 
that the client can't be configured otherwise. It either blows major holes 
in your firewall, or opens another can of worms if you try to insert the 
kernel module supporting active FTP, since it assumes that as soon as it sees 
a packet matching the one that will tell the server where to connect, the 
next connection should go to the client. Not pretty if 2 machines (not even 
talking about 10!) try to ftp to the same site!

I hope this info helps :)

Kenneth Schmidt
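As an added example for the question above (editor's code, not part of the original thread), the script below prints the ipchains rules a host firewall would need on the FTP client or on the FTP server, in active or in passive mode. It makes the direction of each connection explicit: in active mode the server opens the data connection from TCP/20 to a high port the client named, so the client side has to accept inbound SYNs; in passive mode the client opens both connections, so the client side accepts no inbound SYN at all. The server address, client network and passive port range are assumed values, the passive range presumes the ftpd has been configured to offer only those ports, and the rules assume a default DENY policy with loopback and any other traffic handled elsewhere. Nothing is applied: the commands are printed for review.

```shell
#!/bin/sh
# Added example, not from the original post. Prints ipchains rules for an FTP
# host firewall; pipe the output into sh on that host to load them.
# All addresses and ranges are assumed values for illustration.
FTP_SERVER=10.0.0.5          # assumed address of the FTP server
CLIENT_NET=192.168.1.0/24    # assumed network the FTP clients live on
HIGH=1024:65535              # unprivileged ports either side may pick
PASV_RANGE=50000:50100       # assumed: ftpd configured to use only this passive range

# usage: ftp_rules <client|server> <active|passive>
# "-y" matches only SYN packets (new connections), "! -y" everything else,
# so each line says whether a side may *open* a connection or only answer one.
ftp_rules() {
    side=$1
    mode=$2
    case "$mode" in
        active|passive) ;;
        *) echo "usage: ftp_rules <client|server> <active|passive>" >&2; return 1 ;;
    esac
    case "$side" in
        server)
            # Control channel: clients open TCP/21 on the server.
            echo "ipchains -A input  -p tcp -s 0/0 -d $FTP_SERVER 21 -j ACCEPT"
            echo "ipchains -A output -p tcp -s $FTP_SERVER 21 -d 0/0 ! -y -j ACCEPT"
            if [ "$mode" = passive ]; then
                # PASV: the client opens the data connection to the port the
                # server announced in its 227 reply; the server never sends a SYN.
                echo "ipchains -A input  -p tcp -s 0/0 -d $FTP_SERVER $PASV_RANGE -j ACCEPT"
                echo "ipchains -A output -p tcp -s $FTP_SERVER $PASV_RANGE -d 0/0 ! -y -j ACCEPT"
            else
                # PORT: the server opens the data connection from TCP/20 to the
                # port the client named, so the SYN leaves from here.
                echo "ipchains -A output -p tcp -s $FTP_SERVER 20 -d 0/0 $HIGH -j ACCEPT"
                echo "ipchains -A input  -p tcp -s 0/0 $HIGH -d $FTP_SERVER 20 ! -y -j ACCEPT"
            fi
            ;;
        client)
            # Control channel: the client opens TCP/21, replies come back without SYN.
            echo "ipchains -A output -p tcp -s $CLIENT_NET $HIGH -d $FTP_SERVER 21 -j ACCEPT"
            echo "ipchains -A input  -p tcp -s $FTP_SERVER 21 -d $CLIENT_NET $HIGH ! -y -j ACCEPT"
            if [ "$mode" = passive ]; then
                # The client initiates; the server's port is unknown until the 227
                # reply, so the whole high range is allowed out, but no SYN in.
                echo "ipchains -A output -p tcp -s $CLIENT_NET $HIGH -d $FTP_SERVER $HIGH -j ACCEPT"
                echo "ipchains -A input  -p tcp -s $FTP_SERVER $HIGH -d $CLIENT_NET $HIGH ! -y -j ACCEPT"
            else
                # Active mode needs inbound SYNs from server:20 to any client high
                # port; anything that can spoof source port 20 gets the same access.
                echo "ipchains -A input  -p tcp -s $FTP_SERVER 20 -d $CLIENT_NET $HIGH -y -j ACCEPT"
                echo "ipchains -A input  -p tcp -s $FTP_SERVER 20 -d $CLIENT_NET $HIGH ! -y -j ACCEPT"
                echo "ipchains -A output -p tcp -s $CLIENT_NET $HIGH -d $FTP_SERVER 20 ! -y -j ACCEPT"
            fi
            ;;
        *)
            echo "usage: ftp_rules <client|server> <active|passive>" >&2; return 1 ;;
    esac
}

# Count the input rules that accept new connections (no "! -y"): these are
# the listening holes each side/mode combination leaves in the firewall.
inbound_syn_count() {
    ftp_rules "$1" "$2" | awk '/-A input/ && !/! -y/ { n++ } END { print n + 0 }'
}

# Stand-alone use: <script> <client|server> <active|passive>
if [ $# -eq 2 ]; then
    ftp_rules "$1" "$2"
    echo "# input rules accepting new connections: $(inbound_syn_count "$1" "$2")" >&2
fi
```

Run it with `sh script.sh client passive` and compare with `sh script.sh client active`: the passive client has no input rule without `! -y`, while the active client must accept SYNs to its whole high range from anything claiming source port 20, which is the hole the reply above refers to. The server in passive mode listens on TCP/21 plus the announced range, so keep that range as narrow as the ftpd allows.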
