You are correct that FTP uses a variety of ports for the data connection.
However, these ports are generally not open at all times. When the system
that initiated the FTP connection wants to open the data port, it sends a
PORT command on the command connection. The software on the firewall is
monitoring the command line and intercepts the PORT command. At that time,
the firewall assigns a port, rewrites the PORT command, and passes it along.
Once this is done, that port is open on the firewall. When the back
connection is made, the FTP software on the firewall will confirm that the
other end is the proper IP address and such. When the FTP data connection
is broken (the file is transferred), the port is closed.
As a result, your client has NOT opened up outbound ports above 1024 for
FTP. The FTP proxy does that on an as-needed basis and under the firewall's
ruleset.
You are correct in that other applications may require specific ports to be
opened through the firewall. We do that here for specific purposes and,
almost always, only allow 1 port per application and only to and from
specific IP addresses. In all cases, they are to specific business partners
which are on our DMZ.
You might be able to talk me into opening up a few outbound ports. You'd
have a much harder time getting me to open up any inbound ports which don't
use a dynamic authentication mechanism approved by us and/or which talk to
software which we have total control of.
Note: on some firewalls, each port may require a separate proxy process. You
are asking him to fire up 250 proxies, which is way more than I like to see
on mine at any time.
> -----Original Message-----
> From: Smith, Matthew [SMTP:[EMAIL PROTECTED]]
> Sent: Friday, November 05, 1999 12:44 PM
> To: [EMAIL PROTECTED]
> Subject: Opening ports
>
> My company sells a client-server library automation application. In order
> to operate the clients behind a firewall, we require that 1 inbound port
> plus one inbound port per client and 250 outbound ports (total) be opened
> at the firewall. The 2 inbound ports are for the logon and control
> connections and the outbound ports are to allow for up to 250 concurrent
> connections to the server.
>
> Now, here's the rub. We have a client who believes that the design is
> flawed. In fact his response was why even have a firewall if you have to
> open that many ports? He insists that it is impossible to open that many
> ports on his firewall and also that he cannot open a range of ports, only
> individual ones. I am no firewall expert, but this doesn't sound right to
> me. If he wants to allow ftp, he has to open all outbound ports above
> 1024, right? I would assume that other client-server applications also
> require opening ports - you can't communicate without them. Am I missing
> something here? Any enlightenment (or ammunition) would be greatly
> appreciated. Thanks.
>
> Matthew
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
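The PORT-command handling the reply describes (intercept the PORT command on the control connection, check that the advertised address is the control-connection peer, rewrite it with a firewall-assigned port, open a pinhole only for that server, close it when the transfer ends) is sketched below as an added example. It is not code from either poster or from any particular firewall product; the gateway class, the port-allocation policy starting at 40000 and the sample addresses (RFC 5737 documentation ranges) are assumptions made for the illustration.

```python
"""Minimal model of how an FTP application gateway mediates active-mode PORT.

Constructed example; RFC 959 PORT syntax is "PORT h1,h2,h3,h4,p1,p2" with the
data port equal to p1*256 + p2.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Six comma-separated decimal fields after the PORT verb.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port_command(line: str) -> Tuple[str, int]:
    """Return (ip, port) advertised by a PORT command, rejecting malformed input."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    fields = [int(x) for x in m.groups()]
    if any(n > 255 for n in fields):
        raise ValueError("PORT field out of range 0..255")
    ip = ".".join(str(n) for n in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def format_port_command(ip: str, port: int) -> str:
    """Encode (ip, port) back into RFC 959 PORT syntax."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)]) + "\r\n"


@dataclass
class FtpGateway:
    """Tracks the per-transfer pinholes an FTP proxy opens on the firewall."""

    outside_ip: str                 # firewall address presented to the FTP server
    next_port: int = 40000          # assumed allocation policy for firewall-side ports
    # (server_ip, firewall_port) -> (client_ip, client_port) for each open pinhole
    pinholes: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def handle_port(self, client_ip: str, server_ip: str, line: str) -> str:
        """Intercept a client's PORT command and return the rewritten one to forward."""
        ip, port = parse_port_command(line)
        # Anti-bounce check: the data address must be the control-connection peer.
        if ip != client_ip:
            raise PermissionError(f"PORT address {ip} is not the control peer {client_ip}")
        # Never let a PORT command direct a connection at a privileged port.
        if port < 1024:
            raise PermissionError(f"refusing data port {port} below 1024")
        fw_port = self.next_port
        self.next_port += 1
        # Pinhole is bound to the one server that will receive this command.
        self.pinholes[(server_ip, fw_port)] = (ip, port)
        return format_port_command(self.outside_ip, fw_port)

    def accept_data_connection(self, src_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Where to relay an inbound data connection, or None if no pinhole matches."""
        return self.pinholes.get((src_ip, dst_port))

    def close_data_connection(self, src_ip: str, dst_port: int) -> None:
        """Transfer finished: the firewall port is closed again."""
        self.pinholes.pop((src_ip, dst_port), None)


if __name__ == "__main__":
    gw = FtpGateway(outside_ip="203.0.113.1")
    rewritten = gw.handle_port("192.0.2.10", "198.51.100.5", "PORT 192,0,2,10,4,210\r\n")
    print("forwarded to server:", rewritten.strip())
    print("server connects back:", gw.accept_data_connection("198.51.100.5", 40000))
    print("stranger connects:", gw.accept_data_connection("198.51.100.99", 40000))
    gw.close_data_connection("198.51.100.5", 40000)
    print("after transfer:", gw.accept_data_connection("198.51.100.5", 40000))
```

Only the server that was handed the rewritten PORT command, and only until the transfer ends, can reach the pinhole; a PORT command naming some other host is refused before any firewall port is opened, which is the check the reply alludes to when it says the proxy confirms "the other end is the proper IP address".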