This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Question about Passive FTP

0

I am aware that a firewall will block the incoming data connection (the SYN packet with source port 20) in case of Active FTP, and therefore enterprises prefer to go with Passive, where both the control and data connections are initiated by the client.

My question is

Why, in passive FTP, does the client open the data connection to a random port specified by the server rather than to port 20? If, by any chance, someone designs a passive FTP server which sends port 20 (in PASV) for the data connection, will the firewall block that incoming SYN-ACK (data connection) from the server?

Thanks..

asked 02 Jul '13, 19:46

krishnayeddula
accept rate: 6%

edited 03 Jul '13, 11:04

Guy Harris ♦♦


One Answer:

1

Any recent firewall will read/inspect the content of the FTP control connection (Port 21 from client to server) and use the information in the PORT command to dynamically allow the data connection, no matter what port is used nor who opens the data connection (active or passive FTP). In the Linux Netfilter framework this mechanism is called a conntrack helper (connection tracking). Other vendors have their own names for it.

Passive FTP is only 'better' if you have an older firewall, as you can say:

  • ALLOW client:* -> server:21 (redundant)
  • ALLOW client:* -> server:*

which allows the dynamically chosen port of the FTP server for the data connection without need to inspect the control connection. However, that's not following the 'principle of least privilege' and thus should be avoided.

Why in passive FTP the client opens data connection to a random port specified by the server rather than to port 20?

That's how the FTP protocol is designed. If you want to know why, please contact the authors of the RFC (although J. Postel has already died; I don't know about J. Reynolds).

If, by any chance, someone designs a passive FTP server which sends port 20 (in PASV) for the data connection, will the firewall block that incoming SYN-ACK (data connection) from the server?

If that were the case, you would have to open your firewall for only two ports.

  • ALLOW: client:* -> server:21 (control connection)
  • ALLOW: client:* -> server:20 (data connection)

But as I said, with any recent firewall you only need this rule:

  • ALLOW: client:* -> server:21 (control connection)

The data connection will be allowed by the conntrack helper, no matter if ACTIVE or PASSIVE FTP is used.

Regards
Kurt

answered 03 Jul '13, 00:38

Kurt Knochner ♦
accept rate: 15%

edited 03 Jul '13, 08:41

cmaynard ♦♦
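The answer above describes what a conntrack helper does: it reads the control connection, pulls the address and port out of the client's PORT command or the server's 227 (PASV) reply, and then admits exactly one matching data-connection SYN. The following Python is an added illustration of that logic, not code from the thread or from Netfilter; the control-channel lines, IP addresses and port numbers are constructed for the example. It also shows the point of the second question: a PASV reply that advertises port 20 is handled by the helper exactly like any other port.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample control-channel lines (not taken from the original thread).
PORT_CMD = "PORT 192,168,1,10,4,1\r\n"                          # client: "connect to 192.168.1.10:1025"
PASV_REPLY = "227 Entering Passive Mode (10,0,0,5,195,80).\r\n"  # server: "connect to 10.0.0.5:50000"

# h1,h2,h3,h4,p1,p2 as used by both the PORT command and the 227 reply (RFC 959).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Extract (ip, port) from a PORT command or 227 reply; None if malformed."""
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]   # port is sent as two base-256 digits
    if port == 0:
        return None
    return ip, port


@dataclass(frozen=True)
class Expectation:
    """The single data connection the helper will admit next."""
    src_ip: str     # the side that opens the data connection
    dst_ip: str
    dst_port: int
    mode: str       # "active" (server connects out) or "passive" (client connects out)


def expect_from_control(line: str, client_ip: str, server_ip: str) -> Optional[Expectation]:
    """Derive the expected data connection from one control-channel line.

    Like a conntrack helper, the advertised address is only trusted when it
    equals the speaker's own address on the control connection; anything else
    is ignored rather than turned into a firewall hole.
    """
    upper = line.upper()
    if upper.startswith("PORT "):               # active: server -> client
        hp = parse_hostport(line)
        if hp is None or hp[0] != client_ip:
            return None
        return Expectation(src_ip=server_ip, dst_ip=hp[0], dst_port=hp[1], mode="active")
    if upper.startswith("227 "):                # passive: client -> server
        hp = parse_hostport(line)
        if hp is None or hp[0] != server_ip:
            return None
        return Expectation(src_ip=client_ip, dst_ip=hp[0], dst_port=hp[1], mode="passive")
    return None                                  # not a data-connection announcement


def syn_allowed(exp: Optional[Expectation], src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Would the helper admit a SYN with this source IP and destination IP:port?"""
    return (
        exp is not None
        and exp.src_ip == src_ip
        and exp.dst_ip == dst_ip
        and exp.dst_port == dst_port
    )


if __name__ == "__main__":
    client, server = "192.168.1.10", "10.0.0.5"
    for line in (PORT_CMD, PASV_REPLY, "227 Entering Passive Mode (10,0,0,5,0,20).\r\n"):
        exp = expect_from_control(line, client, server)
        print(f"{line.strip():48} -> {exp}")
```

Run stand-alone, the script prints one expectation per sample line: the PORT command yields an active-mode expectation for a SYN from the server to 192.168.1.10:1025, the first 227 reply a passive-mode expectation for a SYN from the client to 10.0.0.5:50000, and the 227 reply advertising port 20 a passive-mode expectation to 10.0.0.5:20, which is what the answer means by "no matter what port is used".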

1

The following links may also be helpful:

(03 Jul '13, 08:40) cmaynard ♦♦

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions.

(16 Jul '13, 05:51) Kurt Knochner ♦