Re: Active & passive FTP
On Sunday 01 April 2001 16:42, Sven Burgener wrote:
> Hello all,
> Are there any example ipchains commands for both active and passive FTP
> on a server and on a client?
> If not, where is an authoritative document that'd give me enough
> information to figure out exactly which ports are needed for both
> the client and the server for both active and passive FTP ... ?
In my experience, you'll have to stick with passive, even though this is a
pain sometimes. The reason for this is that (IIRC) active FTP supports
multiple data channels, and the way it does this is that the /client/ tells
the server to open a /new/ connection on a port specified by the client.
This poses a serious problem in most firewall setups, especially those using
NAT, since the connection-tracking code can't cope with dynamically opening
ports (and shouldn't, either!)
Just as a side note, the /only/ reason there is IMHO to use active FTP is
because the client can't be configured otherwise. It either blows major holes
in your firewall, or opens another can of worms if you try to insert the
kernel module supporting active FTP, since it assumes that as soon as it sees
a packet matching the one that will tell the server where to connect, the
next connection should go to the client. Not pretty if 2 machines (not even
talking about 10!) try to ftp to the same site!!
I hope this info helps :)
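As an added illustration of the point made in this thread (this is example code, not part of either post), the script below decodes the two control-channel lines that negotiate an FTP data channel: the client's PORT command (active mode) and the server's 227 reply to PASV (passive mode). From each it derives which TCP connection the firewall would have to let through, and in which direction, which is what the original question is really asking. It also flags when the address announced in the command differs from the address of the control connection's peer, which is what happens when a client behind NAT sends PORT with its private address. The sample session lines are constructed; the addresses and the function names are assumptions for the example only.

```python
"""Work out which TCP connection an FTP data channel will use, from the
control-channel line that negotiates it.  Active mode is negotiated by the
client's PORT command, passive mode by the server's 227 reply to PASV.
Example code for illustration; not from the original thread."""
import re

# Six decimal fields: four address octets, then the port as p1*256 + p2.
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _HOSTPORT + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b[^\d]*" + _HOSTPORT)


def decode_hostport(fields):
    """Turn the six h1,h2,h3,h4,p1,p2 fields into (ip, port).

    Returns None when any field is out of range or the port would be 0."""
    values = [int(f) for f in fields]
    if any(v > 255 for v in values):
        return None
    ip = ".".join(str(v) for v in values[:4])
    port = values[4] * 256 + values[5]
    if port == 0:
        return None
    return ip, port


def data_channel(line, client_ip, server_ip):
    """Describe the data connection implied by one control-channel line.

    client_ip / server_ip are the endpoints of the *control* connection as the
    firewall sees them (assumed values in the example).  Returns None for lines
    that negotiate no data channel, a dict with mode "malformed" for values
    that do not decode, and otherwise a dict giving the src -> dst connection
    the firewall would have to permit."""
    line = line.strip()
    m = PORT_RE.match(line)
    if m:
        hp = decode_hostport(m.groups())
        if hp is None:
            return {"mode": "malformed", "line": line}
        host, port = hp
        # Active mode: the *server* connects back to the client, from its
        # port 20 to the port the client just announced, so the firewall in
        # front of the client must accept a brand-new inbound connection.
        return {"mode": "active", "src": (server_ip, 20), "dst": (host, port),
                "announced_matches_peer": host == client_ip}
    m = PASV_RE.match(line)
    if m:
        hp = decode_hostport(m.groups())
        if hp is None:
            return {"mode": "malformed", "line": line}
        host, port = hp
        # Passive mode: the *client* opens the connection to the server's
        # ephemeral port; only the server side needs an inbound port opened,
        # and the client's firewall sees an ordinary outbound connection.
        return {"mode": "passive", "src": (client_ip, None), "dst": (host, port),
                "announced_matches_peer": host == server_ip}
    return None


def required_openings(lines, client_ip, server_ip):
    """Collect every data channel negotiated in a control-channel transcript."""
    return [d for d in (data_channel(l, client_ip, server_ip) for l in lines)
            if d is not None]


# Constructed control-channel transcript (not a real capture): one active
# transfer, then one passive transfer, between an assumed client and server.
CLIENT_IP = "192.168.1.10"
SERVER_IP = "10.0.0.5"
SAMPLE_SESSION = [
    "USER anonymous",
    "PORT 192,168,1,10,4,1",            # active: server will connect to 1025
    "RETR file1.txt",
    "227 Entering Passive Mode (10,0,0,5,195,80).",  # passive: port 50000
    "RETR file2.txt",
]

if __name__ == "__main__":
    for d in required_openings(SAMPLE_SESSION, CLIENT_IP, SERVER_IP):
        print(d)
```

When `announced_matches_peer` is False on a PORT line, the client announced an address other than the one the server (and any firewall in between) actually talks to; that is the case where a NAT device would have to rewrite the command and predict the server's returning connection, which is the guesswork the reply above objects to.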