
Re: ftp firewalling



> I am trying to set up a firewall on our network, but to allow ftp
> connections from internal machines to specific external sites (on a
> per-site basis).  The problem I am having is that ftp seems to use ports
> other than 20 and 21.
> 
> At the moment I only allow transfers on these two ports.  This allows me
> to make an ftp connection (ie. the external site prompts for username
> password, and I can enter those) but when I try to do any transfers (ie
> gets, puts, or lists) they just time out.
> 
> Can anybody give me a bit more info on how ftp works?

Well everything is described in RFC959, but in short, ftp can use whatever
port it wants :)

The thing is that there are 3 ways to establish data connection:

1) PORT without arguments - assumes client is listening to default
data port (20), this is possible if all sockets bound to port 20 have
"reuse" option set. Server connects to port 20 on the client machine.

2) PORT with arguments - client listens to data socket bound to some
alternative port (or even different host - to allow remote-remote
transfers). This alternative address and port are the arguments to
this command. Server then connects to this alternative port and/or host.

3) PASV (no arguments) - requests server to open socket and listen for
connection. Server opens socket and responds to the client with address and
port to connect to. In this case *client* connects to that port on the
server machine.

That's it.

Alex Y.

-- 
   _ 
 _( )_
(     (o___           +-------------------------------------------+
 |      _ 7           |            Alexander Yukhimets            |
  \    (")            |       http://pages.nyu.edu/~aqy6633/      |
  /     \ \           +-------------------------------------------+
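As an added example (not from the original post or its author) of what a stateful filter has to do with the three cases above: decode the h1,h2,h3,h4,p1,p2 field of a PORT command or a 227 PASV reply (port = p1*256 + p2) and decide which direction to open. The addresses are constructed, and the default data port for the bare-PORT case is taken from the post (20) as a parameter.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class DataConnection:
    mode: str       # "active-default", "active" or "passive"
    initiator: str  # which side opens the data connection: "server" or "client"
    host: str       # address the initiator connects to
    port: int

_HP = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_host_port(text):
    """Decode the h1,h2,h3,h4,p1,p2 form: dotted host, port = p1*256 + p2."""
    m = _HP.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError("octet out of range in %r" % text)
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def from_port_command(cmd, client_ip, default_port=20):
    """Cases 1 and 2: bare PORT (default port, 20 per the post) or PORT with arguments."""
    parts = cmd.strip().split(None, 1)
    if not parts or parts[0].upper() != "PORT":
        raise ValueError("not a PORT command: %r" % cmd)
    if len(parts) == 1:
        return DataConnection("active-default", "server", client_ip, default_port)
    host, port = parse_host_port(parts[1])
    return DataConnection("active", "server", host, port)

def from_pasv_reply(reply):
    """Case 3: the server's 227 reply names where the *client* must connect."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    host, port = parse_host_port(reply)
    return DataConnection("passive", "client", host, port)

def firewall_decision(conn, client_ip, server_ip):
    """Which hole to open, or refuse when the announced host is not the control peer."""
    expected = client_ip if conn.initiator == "server" else server_ip
    if conn.host != expected:
        return "refuse: data host %s is not control peer %s" % (conn.host, expected)
    if conn.initiator == "server":
        return "allow inbound tcp %s -> %s:%d" % (server_ip, conn.host, conn.port)
    return "allow outbound tcp %s -> %s:%d" % (client_ip, conn.host, conn.port)
```

The refusal branch covers the remote-remote case from the post, where the PORT host differs from the client: a per-site filter that only tracks the control peer should not open a hole toward a third address.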


--
E-mail the word "unsubscribe" to debian-user-request@lists.debian.org
TO UNSUBSCRIBE FROM THIS MAILING LIST. Trouble? E-mail to listmaster@lists.debian.org

