Questions about passive FTP, firewalls and Routers

[Sergej Balon]

I have read some explanations about the differences of active vs. passive ftp, but there are still some
open questions:

1.) If a connection from the ftp client to the ftp server is in active or in passive mode is
a decision of the client - not of the server. Is this correct?

2.) Assume I type (as a client) at the command line:

ftp ftp.foo.com

How do I specify that I want to handle this (my ftp session) in passive mode rather than in active?

3.) Assume there is a router and a firewall at server side.
For active ftp I have to open
- Port 21 for incoming TCP request in the firewall
- Port 20 for outgoing TCP request in the firewall
- Portforwarding NAT for Port 21 to the local IP (e.g. 192.168.0.34) in the router configuration

Which settings do I have to setup for passive ftp?
As far as I know the client could initiiate the data channel to a server port from a range e.g. 1500,...,1700
Do I really have to setup NAT port forwarding for 200 ports ?

4.) Which port range is normally used for data channels ftp servers in passive mode?

5.) Assume there is a firewall at the client side.
For active ftp I (as a client) have to open
- remote Port 21 for outgoing TCP requests
- remote Port 20 for incoming TCP requests

If I use passive ftp I have to open
- all (!) remote Ports for outgoing requests because I do not know in advance which remote port range
the ftp servers offers me to communicate for the data channel. Is this correct?

6.) If you look at all ftp connections worldwide. Which percentage is handled by active ftp
and which percentage by passive ftp mode?

Thanky you for your help

Sergej

 

[Conny]

I have read some explanations about the differences of active vs. passive ftp, but there are still some
open questions:

1.) If a connection from the ftp client to the ftp server is in active or in passive mode is
a decision of the client - not of the server. Is this correct?

2.) Assume I type (as a client) at the command line:

ftp ftp.foo.com

How do I specify that I want to handle this (my ftp session) in passive mode rather than in active?

3.) Assume there is a router and a firewall at server side.
For active ftp I have to open
- Port 21 for incoming TCP request in the firewall
- Port 20 for outgoing TCP request in the firewall
- Portforwarding NAT for Port 21 to the local IP (e.g. 192.168.0.34) in the router configuration

Which settings do I have to setup for passive ftp?
As far as I know the client could initiiate the data channel to a server

port from a range e.g. 1500,...,1700

Do I really have to setup NAT port forwarding for 200 ports ?

4.) Which port range is normally used for data channels ftp servers in passive mode?

5.) Assume there is a firewall at the client side.
For active ftp I (as a client) have to open
- remote Port 21 for outgoing TCP requests
- remote Port 20 for incoming TCP requests

If I use passive ftp I have to open
- all (!) remote Ports for outgoing requests because I do not know in

advance which remote port range

the ftp servers offers me to communicate for the data channel. Is this correct?

6.) If you look at all ftp connections worldwide. Which percentage is handled by active ftp
and which percentage by passive ftp mode?

Thanky you for your help

Sergej

http://slacksite.com/other/ftp.html

 

[Ron Lowe]

Inline......

( You are in a maze of twisty passages, all alike... )

[ I hope i've not made any typos in this, it's quite dense with detail.
The references I point out will clarify if I've typo'd anything!]

I have read some explanations about the differences of active vs. passive ftp, but there are still some
open questions:

1.) If a connection from the ftp client to the ftp server is in active or in passive mode is
a decision of the client - not of the server. Is this correct?

It's up to the client to request PASV mode.
If the server agrees, then PASV mode is set.
Otherwise, the client sets PORT ( active ) mode.

2.) Assume I type (as a client) at the command line:

ftp ftp.foo.com

How do I specify that I want to handle this (my ftp session) in passive

mode rather than in active?

XP's command-line FTP does not support the PASV command.
Do a ? at the ftp> prompt for a list of commands.
You can get 3-rd party command-line FTP utils which support PASV mode.
Here's one I found earlier ( which is nice ):

ftp://ftp.gnu.org/old-gnu/emacs/windows/contrib/ftp-for-win32.zip

Do a ? at ths one, and see there are many more commands.
PASV is the one you need.

The FTP function in IE has the option to use PASV mode for FTP.
Look in internet options.

All 3-rd party FTP clients have the option.


Before we get stuck into this, read these references...
http://slacksite.com/other/ftp.html
http://www.ncftpd.com/ncftpd/doc/misc/ftp_and_firewalls.html

3.) Assume there is a router and a firewall at server side.
For active ftp I have to open
- Port 21 for incoming TCP request in the firewall
- Port 20 for outgoing TCP request in the firewall
- Portforwarding NAT for Port 21 to the local IP (e.g. 192.168.0.34) in

the router configuration

Correct.
External: Any:Any -> Internal FTP_SERVER_IP:21 (to let in control
connection)
Internal: FTP_SERVER_IP:20 -> External Any: Any (to let data connection
out.)

Which settings do I have to setup for passive ftp?
As far as I know the client could initiiate the data channel to a server

port from a range e.g. 1500,...,1700

Do I really have to setup NAT port forwarding for 200 ports ?

You are more or less correct.

In response to a PASV request, the server will provide an
IP address/port number for the client to connect to.
Some FTP servers may permit you to specify a range of ports to use.

You need to either:
open up all the ephemeral ports that the FTP server is configured to use,
or... perhaps the NAT device is clever enough to recognise the FTP session
and make special provision dynamically. This is called a NAT editor.

It's not elegant.
Basically, PASV mode doesn't work well if the server is behind NAT.

Passive FTP is a workaround for a firewall / NAT at the client side.
Passive mode is difficult to handle with firewall /NAT at the server side.

Aditionally, the FTP server will probably report the wrong IP address to
the client in response to the PASV request. It will give the internal IP
address,
not the public IP address. This can be handled in a couple of ways.
Either the FTP server needs to deduce the external IP by itself somehow,
or you need to be able to specify it. Failing that, the NAT device needs to
do special NAT editing and change the IP address contained within the
response to the PASV command.

4.) Which port range is normally used for data channels ftp servers in

passive mode?

Entirely depends on the FTP server.
Could be the entire ephemeral port range 1025 - 65535!
May be configurable on the server.

5.) Assume there is a firewall at the client side.
For active ftp I (as a client) have to open
- remote Port 21 for outgoing TCP requests
- remote Port 20 for incoming TCP requests

Active mode means the server will generate an incoming connection
FROM it's port 20 TO *any* random port number on the client,
whatever the FTP client said in the PORT command.

Internal: Any:Any -> External: Any:21 to permit the control connection out;
External: Any:20 -> Internal: Any:Any to permit the datat connection in.

That's a massive hole to blow in a firewall!

As you see, active mode FTP doesn't work well behind a client firewall.
It requires a very large hole to permit the inbound FTP data connection.

If I use passive ftp I have to open
- all (!) remote Ports for outgoing requests because I do not know in

advance which remote port range

the ftp servers offers me to communicate for the data channel. Is this

correct?

Internal: Any:Any -> External :Any:21 to permit the control connection out;
Internal: Any:Any -> External: Any:Any to permit the data connection out.

Permitting all outbound is less bad than permitting all inbound!

6.) If you look at all ftp connections worldwide. Which percentage is handled by active ftp
and which percentage by passive ftp mode?

No idea.

In short:
Active mode: Difficult with NAT or firewall client side. OK for NAT /
Firewall server-side.
PASV mode: OK for NAT / firewall client side. Difficult for NAT / Firewall
server-side.

If NAT or firewalls at both sides, FTP may not be possible.
Will require special handling in the NAT or firewall ao one side.
Something would have to give.
May never work, depends on smartness of NAT implimentation.

 

[Don Kelloway]

I have read some explanations about the differences of active vs.

passive ftp, but there are still some

open questions:

1.) If a connection from the ftp client to the ftp server is in active or in passive mode is
a decision of the client - not of the server. Is this correct?

2.) Assume I type (as a client) at the command line:

ftp ftp.foo.com

How do I specify that I want to handle this (my ftp session) in

passive mode rather than in active?

3.) Assume there is a router and a firewall at server side.
For active ftp I have to open
- Port 21 for incoming TCP request in the firewall
- Port 20 for outgoing TCP request in the firewall
- Portforwarding NAT for Port 21 to the local IP (e.g. 192.168.0.34) in the router configuration

Which settings do I have to setup for passive ftp?
As far as I know the client could initiiate the data channel to a

server port from a range e.g. 1500,...,1700

Do I really have to setup NAT port forwarding for 200 ports ?

4.) Which port range is normally used for data channels ftp servers in passive mode?

5.) Assume there is a firewall at the client side.
For active ftp I (as a client) have to open
- remote Port 21 for outgoing TCP requests
- remote Port 20 for incoming TCP requests

If I use passive ftp I have to open
- all (!) remote Ports for outgoing requests because I do not know in

advance which remote port range

the ftp servers offers me to communicate for the data channel. Is this correct?

6.) If you look at all ftp connections worldwide. Which percentage is handled by active ftp
and which percentage by passive ftp mode?

Thanky you for your help

Sergej

1. Yes. Implementing Normal (Active) or Passive FTP is the result of the
client issuing either the PORT or PASV command respectively. When using
FTP via DOS it will always be Normal. Early versions of IE also
implemented FTP Normal, but I believe it wasn't until IE5 that FTP was
then implemented as Passive.

2. After the client establishes the Control channel to the FTP server
(to TCP port 21). The client will then either issue the PORT or PASV
command depending upon the client's configuration. If it's the PORT
command, the purpose is to inform the FTP server to create/establish the
Data channel to the client. If it's the PASV command, the purpose is to
ask the FTP server to what IP and port the client should connect to in
order to establish the Data channel.

3. The ports associated with the Data channel in PASV FTP are often
between 1024-5000. However that isn't always the case. If you want to
allow PASV FTP to the FTP server, you'll have to allow these ports
inbound, but only as the result of an already established FTP Control
channel and to/from the same IP involved. Fortunately many firewalls
are FTP aware and know what needs to be done to allow either method
safely through. Are you sure that you're not trying to do something
unnecessary?

4. See #3

5. See #3

6. Unknown, but I would guesstimate that because a majority of people
use IE as their method of browsing and acquiring files that it's going
to be PASV FTP.

Lastly here's a couple of links to articles on the subject. One of
which I contributed several years ago on the subject.

http://slacksite.com/other/ftp.html

http://www.allaboutjake.com/network/linksys/ftp.html

http://war.jgaa.com/ftp/?cmd=show_page&ID=ftp_pasv

 

[Jan Geertsma]

I have read some explanations about the differences of active vs. passive ftp, but there are still some
open questions:

1.) If a connection from the ftp client to the ftp server is in active or in passive mode is
a decision of the client - not of the server. Is this correct?

Yes, as long as the server supports it

2.) Assume I type (as a client) at the command line:

ftp ftp.foo.com

How do I specify that I want to handle this (my ftp session) in passive mode rather than in active?

PASV
if the client can handle passive mode, but since you use the
commandline, I doubt this will work. The server will return PORT with
the port numer it will use for FTP-DATA

3.) Assume there is a router and a firewall at server side.
For active ftp I have to open
- Port 21 for incoming TCP request in the firewall
- Port 20 for outgoing TCP request in the firewall
- Portforwarding NAT for Port 21 to the local IP (e.g. 192.168.0.34) in the router configuration

Routers are Ok, they route IP
Firewalls suck, they block IP

if you use passive it is the server who opens the ftp-data on a high
portnumber which it specified

Which settings do I have to setup for passive ftp?
As far as I know the client could initiiate the data channel to a server port from a range e.g. 1500,...,1700
Do I really have to setup NAT port forwarding for 200 ports ?

4.) Which port range is normally used for data channels ftp servers in passive mode?

Guess this is specified an an FTP RFC... but my best guess is everything
above 1024 goes...

5.) Assume there is a firewall at the client side.
For active ftp I (as a client) have to open
- remote Port 21 for outgoing TCP requests
- remote Port 20 for incoming TCP requests yes

If I use passive ftp I have to open
- all (!) remote Ports for outgoing requests because I do not know in advance which remote port range
the ftp servers offers me to communicate for the data channel. Is this correct?

6.) If you look at all ftp connections worldwide. Which percentage is handled by active ftp
and which percentage by passive ftp mode?

lalala lots of text, the management answer is SFTP.

I don't do statistics, but worldwide you would see lots of idiots, so I
suggest taking the best solution which would be the single port
approach. I regularly use Z-Modem over SSH/Telnet since I have to
connect via lots of systems first. I like the linux package lrzsz for
that ... however, I'm an idiot too.

The nice thing of ssh is that there is also sftp .. that would actually
be the best choice, then you just need to pierce port 22 and incoming
traffic is encrypted

The bad thing about ftp is that passwords are plaintext and very
vissible along the route .. you get unwelcome users that way.

And if you're really interested, I checked my answers using ethereal
(tcpdump or snoop would do too) .. To see the network traffic while
creating an FTP connection.