On Fri, 8 Sep 2006, Rod Lindgren wrote:
I am using passive. Can you tell me more about the "Both
Ports?"
This web article does a very good job of describing the
difference between active and passive FTP:
--------------------------
<http://slacksite.com/other/ftp.html>
Summary
The following chart should help admins remember how each FTP
mode works:
  Active FTP :
      command : client >1023 -> server 21
      data    : client >1023 <- server 20

  Passive FTP :
      command : client >1023 -> server 21
      data    : client >1023 -> server >1023
A quick summary of the pros and cons of active vs. passive FTP
is also in order:
Active FTP is beneficial to the FTP server admin, but
detrimental to the client side admin. The FTP server attempts
to make connections to random high ports on the client, which
would almost certainly be blocked by a firewall on the client
side. Passive FTP is beneficial to the client, but detrimental
to the FTP server admin. The client will make both connections
to the server, but one of them will be to a random high port,
which would almost certainly be blocked by a firewall on the
server side.
Luckily, there is somewhat of a compromise. Since admins
running FTP servers will need to make their servers accessible
to the greatest number of clients, they will almost certainly
need to support passive FTP. The exposure of high level ports
on the server can be minimized by specifying a limited port
range for the FTP server to use. Thus, everything except for
this range of ports can be firewalled on the server side. While
this doesn't eliminate all risk to the server, it decreases it
tremendously. See Appendix 1 for more information.
--------------------------
BTW the web site has this little tidbit of info:
"A reader, Maarten Sjouw, pointed out that active FTP will not
function when used in conjunction with a client-side NAT
(Network Address Translation) device which is not smart enough
to alter the IP address info in FTP packets."
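Added example, not part of the original message or the quoted article: a small Python checker that reads the host-port argument of a PORT command or a 227 passive reply (the h1,h2,h3,h4,p1,p2 format from RFC 959) and reports where the data connection will go, whether a passive port falls inside the limited range the article recommends, and whether a client behind NAT advertised an address that was never rewritten. The range 50000-50100, the names PASV_RANGE, parse_hostport and check, and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# RFC 959 host-port argument: h1,h2,h3,h4,p1,p2 (six decimal octets).
_HOSTPORT = re.compile(r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b")

# Assumption: the limited passive range the server admin opened on the firewall.
PASV_RANGE = range(50000, 50101)


def parse_hostport(line):
    """Return (ip_string, port) from a PORT command or a 227 reply, else None."""
    verb = line.strip().split(" ", 1)[0].upper()
    if verb not in ("PORT", "227"):
        return None
    m = _HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def check(line, client_ip, pasv_range=PASV_RANGE):
    """Classify one control-channel line; client_ip is the peer address seen by the server."""
    parsed = parse_hostport(line)
    if parsed is None:
        return "ignored"
    ip, port = parsed
    if line.lstrip().upper().startswith("PORT"):
        # Active: server port 20 connects back to whatever the client advertised.
        if ipaddress.ip_address(ip) != ipaddress.ip_address(client_ip):
            return f"active: advertised {ip} but peer is {client_ip}; NAT did not rewrite PORT"
        return f"active: server 20 -> {ip}:{port}"
    # Passive: the client opens the data connection to the advertised server port.
    if port not in pasv_range:
        return f"passive: port {port} is outside the allowed range; data connection blocked"
    return f"passive: client -> {ip}:{port}"


if __name__ == "__main__":
    # Constructed control-channel lines (documentation addresses, not real captures).
    for line, peer in [("PORT 192,168,1,20,19,137", "198.51.100.7"),
                       ("227 Entering Passive Mode (203,0,113,10,195,80)", "198.51.100.7"),
                       ("227 Entering Passive Mode (203,0,113,10,4,1)", "198.51.100.7")]:
        print(check(line, peer))
```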