Andrew Lawrence wrote:
>
> I need to know more about the differences between passive mode ftp and
> standard ftp (is it called this !).
> In particular what effect either has on the security of your site and what
> you need to do to enable each to pass through your firewall.
The principal difference is in which side opens up the data connection.
In active mode, the client issues a PORT command to the server, telling
the server what IP address and port it is going to listen on for the
connection; the server should then open the data connection back to that
address and port.
In passive mode, the client issues a PASV command to the server, and the
server sends back a response which includes an IP address and port; the
client should then open the data connection to the server.
Typically, in active mode, the client will be binding a high port, while
the server will be binding (p-1) (where p is the control port) - as this
is usually port 20, UNIX FTP servers that do this need to run as root
(else they can't bind a port < 1024).
A firewall that allows outgoing active FTP must therefore allow incoming
connections from hosts that have existing FTP control connections,
typically originating from (p-1) and destined to a high port (which may
be known to the firewall already, if it is running an application proxy
or it is a SPF which inspects the PORT commands). Even before inspecting
the PORT command, at least one port (namely (p-1)) is already known to
the firewall; in most cases this will be port 20, which allows for
static packet filters to be set up (incoming TCP from 20 to a
port>1023).
A firewall that allows passive FTP is often simpler - this can be easily
implemented (for example) just using packet filters that only allow
outgoing TCP connections. On the other hand, before the PASV command is
issued, no ports are known, making static packet filters more tricky
(typically it will require "allow outgoing TCP from port>1023 to
port>1023").
For `dumb' firewalls (i.e. simple packet filtering systems), allowing
passive mode only is more secure. For `smart' firewalls (i.e.
application proxy or SPFs) either can be supported, but active has the
advantage that once the PORT command has been inspected, all the details
of the expected connection attempt are known (client and server
addresses and ports) - and the necessary incoming `hole' can be opened
up for a short period while waiting for the connection attempt.
regards
gram
--
Dr Graham Wheeler                      E-mail: [EMAIL PROTECTED]
Director, Research and Development     WWW:    http://www.cequrux.com
CEQURUX Technologies                   Phone:  +27(21)423-6065
Firewalls/VPN Specialists              Fax:    +27(21)424-3656
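The PORT/PASV exchange and the resulting firewall "hole" described in the reply above, worked through as an added example (this is illustrative code written for this page, not code from the original post or from CEQURUX). The PORT command and 227 reply formats are the RFC 959 ones (four address bytes and two port bytes, port = p1*256 + p2). The sample addresses and control-channel lines are constructed, and the two sanity checks (the announced address must match the control-connection peer, an active-mode client data port must be above 1023) are my assumptions about what a stateful inspector would enforce rather than anything the post states:

```python
"""Derive the firewall hole an FTP data connection needs, for active
(PORT) and passive (PASV) mode, from the control-channel text.

Added example, not from the original post. The PORT/PASV wire formats
follow RFC 959; the consistency checks (announced address must match the
control-connection peer, announced port must be unprivileged) are my own
assumptions about what a sensible stateful firewall would enforce.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

CONTROL_PORT = 21          # p in the post; the server data port is p-1 = 20

# "PORT h1,h2,h3,h4,p1,p2"                       (client -> server, active)
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." (server -> client, passive)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Pinhole:
    """The one TCP connection a stateful firewall should expect next.
    src_port None means 'some high (ephemeral) port, not yet known'."""
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: int


def _decode(fields) -> Tuple[str, int]:
    """Turn the six comma-separated decimal fields into (ip, port)."""
    nums = [int(f) for f in fields]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("byte out of range in host/port encoding")
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return ".".join(str(n) for n in nums[:4]), port


def parse_port_command(line: str) -> Tuple[str, int]:
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return _decode(m.groups())


def parse_pasv_reply(line: str) -> Tuple[str, int]:
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {line!r}")
    return _decode(m.groups())


def active_pinhole(client_ip, server_ip, port_line, control_port=CONTROL_PORT):
    """Active mode: after inspecting PORT, the server connects from p-1
    back to the address/port the client announced."""
    ip, port = parse_port_command(port_line)
    if ip != client_ip:      # assumption: refuse third-party addresses
        raise ValueError(f"PORT address {ip} is not the client {client_ip}")
    if port <= 1023:         # assumption: client data port must be a high port
        raise ValueError(f"PORT port {port} is not a high port")
    return Pinhole(server_ip, control_port - 1, ip, port)


def passive_pinhole(client_ip, server_ip, pasv_line):
    """Passive mode: after inspecting the 227 reply, the client connects
    from some high port to the address/port the server announced."""
    ip, port = parse_pasv_reply(pasv_line)
    if ip != server_ip:      # assumption: refuse third-party addresses
        raise ValueError(f"PASV address {ip} is not the server {server_ip}")
    return Pinhole(client_ip, None, ip, port)


def static_active_rule_allows(hole: Pinhole) -> bool:
    """The post's static filter for active mode: incoming TCP from
    source port 20 to a destination port above 1023."""
    return hole.src_port == 20 and hole.dst_port > 1023


def static_passive_rule_allows(hole: Pinhole) -> bool:
    """The post's static filter for passive mode: outgoing TCP from a
    port above 1023 to a port above 1023 (source port not yet known)."""
    src_ok = hole.src_port is None or hole.src_port > 1023
    return src_ok and hole.dst_port > 1023


if __name__ == "__main__":
    # constructed sample addresses and control-channel lines
    client, server = "192.168.1.10", "203.0.113.5"
    a = active_pinhole(client, server, "PORT 192,168,1,10,4,1")
    p = passive_pinhole(client, server,
                        "227 Entering Passive Mode (203,0,113,5,195,80).")
    print("active :", a, "static rule ok:", static_active_rule_allows(a))
    print("passive:", p, "static rule ok:", static_passive_rule_allows(p))
```

The two `static_*_rule_allows` functions encode exactly the filter rules the reply gives for a "dumb" packet filter; the `Pinhole` returned by `active_pinhole` is the full five-tuple a "smart" firewall can open briefly once it has seen the PORT command, while `passive_pinhole` leaves the client's source port unknown, which is why the passive static rule has to be the broader "port>1023 to port>1023".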