On Fri, 5 Apr 2002, at 12:31pm, Morgan, Joshua wrote:
> Some clients expect the server to set the return port number, while others
> expect a return over a consistent port.

  Your explanation is incorrect.

  Under "normal" operation, the server listens on well-known TCP port 21
(ftp) for new connections.  Clients initiate connections to that port, and
use that connection as the "control channel".  When a data transfer (PUT,
GET, LIST, etc.) is performed, the client sends a PORT command.  The PORT
command specifies an ephemeral TCP port the *client* will listen on.  The
server initiates a connection to that port, with a well-known *source* port
of 20 (ftp-data).  This is the "data channel".

  Client                             Server
      *| ----- control-channel ----> |21
       |                             |        * = ephemeral port
      *| <---- data-channel -------- |20

  This was considered "secure" when FTP was designed, back in the good old
days.  Back then, everyone administering a system on the Internet knew each
other.  Since all those systems only allowed "trusted" programs to initiate
connections from ports less than 1024, anything coming from a source port
less than 1024 was considered "trusted".

  Today, of course, that is not true.  Even worse, since the design requires
arbitrary connections from *outside* your network be allowed *in*, it is
impossible to implement on a stateless firewall, and even with a stateful
firewall, many people consider it unacceptable, for a variety of reasons.

  So they invented passive mode.  The term "passive" applies to the server.  
The client sends a PASV command, and the server responds with an ephemeral
port on the server.  The client then initiates a connection to that port to
create the data channel.

  Client                             Server
      *| ----- control-channel ----> |21
       |                             |        * = ephemeral port
      *| ----- data-channel -------> |*

  Hope this helps!

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or  |
| organization.  All information is provided without warranty of any kind.  |
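An added worked example, not part of Ben Scott's message or of any project: a small Python parser for the client's PORT command and the server's 227 PASV reply, using the h1,h2,h3,h4,p1,p2 encoding from RFC 959 (port = p1*256 + p2), which the message does not spell out. Run over a constructed control-channel transcript, it reports for each data channel which side listens, which side connects, the source port where it is fixed (20 in active mode), and whether the data connection has to enter the client's network from outside, which is the firewall concern the message raises. The transcript, the addresses and the helper names are all made up for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known ports named in the message.
FTP_CONTROL_PORT = 21   # "ftp"
FTP_DATA_SRC_PORT = 20  # "ftp-data": source port of the server's active-mode connection

# Ports below this were the "trusted" range in the message's history note.
PRIVILEGED_PORT_LIMIT = 1024

# RFC 959 encodes address and port as six decimal octets h1,h2,h3,h4,p1,p2,
# with the port being p1*256 + p2.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataChannel:
    mode: str                          # "active" (PORT) or "passive" (PASV)
    listener: str                      # side that listens for the data connection
    initiator: str                     # side that opens the data connection
    listen_ip: str
    listen_port: int
    initiator_src_port: Optional[int]  # 20 in active mode; ephemeral (unknown) in passive

    @property
    def inbound_to_client_network(self) -> bool:
        """True when a firewall in front of the client must accept a new connection
        from outside: the active-mode problem the message describes."""
        return self.initiator == "server"

    @property
    def listen_port_is_privileged(self) -> bool:
        """An ephemeral listener below 1024 is unusual and worth flagging."""
        return self.listen_port < PRIVILEGED_PORT_LIMIT


def decode_hostport(text: str) -> Tuple[str, int]:
    """Extract (ip, port) from an h1,h2,h3,h4,p1,p2 tuple embedded in text."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in %r" % text)
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    if port == 0:
        raise ValueError("port 0 is not a usable listener")
    return ip, port


def parse_port_command(line: str) -> DataChannel:
    """Client -> server: 'PORT h1,h2,h3,h4,p1,p2' (active mode; server connects from port 20)."""
    verb, _, args = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command: %r" % line)
    ip, port = decode_hostport(args)
    return DataChannel("active", "client", "server", ip, port, FTP_DATA_SRC_PORT)


def parse_pasv_reply(line: str) -> DataChannel:
    """Server -> client: '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).' (passive mode)."""
    if not line.strip().startswith("227"):
        raise ValueError("not a 227 PASV reply: %r" % line)
    ip, port = decode_hostport(line)
    return DataChannel("passive", "server", "client", ip, port, None)


def data_channels_from_transcript(lines: List[str]) -> List[DataChannel]:
    """Walk a control-channel transcript of 'C: ...' / 'S: ...' lines and collect
    every data channel it negotiates, in order."""
    channels = []
    for raw in lines:
        who, _, text = raw.partition(": ")
        if who == "C" and text.upper().startswith("PORT "):
            channels.append(parse_port_command(text))
        elif who == "S" and text.startswith("227"):
            channels.append(parse_pasv_reply(text))
    return channels


# Constructed sample session (documentation address ranges; not a real capture).
SAMPLE_TRANSCRIPT = [
    "C: USER anonymous",
    "S: 331 Please specify the password.",
    "C: PASS guest@",
    "S: 230 Login successful.",
    "C: PORT 192,0,2,10,4,1",                               # client listens on 192.0.2.10:1025
    "S: 200 PORT command successful.",
    "C: LIST",
    "S: 150 Here comes the directory listing.",
    "S: 226 Directory send OK.",
    "C: PASV",
    "S: 227 Entering Passive Mode (198,51,100,7,200,15).",  # server listens on 198.51.100.7:51215
    "C: RETR notes.txt",
    "S: 150 Opening BINARY mode data connection.",
    "S: 226 Transfer complete.",
]


def describe(chan: DataChannel) -> str:
    """One-line summary of who listens, who connects, and the firewall implication."""
    src = ("from source port %d" % chan.initiator_src_port
           if chan.initiator_src_port else "from an ephemeral source port")
    return "%s mode: %s listens on %s:%d, %s connects %s; inbound to client network: %s" % (
        chan.mode, chan.listener, chan.listen_ip, chan.listen_port,
        chan.initiator, src, chan.inbound_to_client_network)


if __name__ == "__main__":
    for chan in data_channels_from_transcript(SAMPLE_TRANSCRIPT):
        print(describe(chan))
```

Running the script prints one line per negotiated data channel; the active-mode entry is the one a stateless firewall in front of the client cannot express, since the server's connection arrives from outside to a port chosen per transfer.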


