 
From: Tony Landells (ahlaustclear.com.au)
Date: Sun Jul 08 2001 - 18:28:28 CDT


Troy,

I'm sorry, but your description of normal (active) mode FTP is incorrect.
tjktksoft.com said:
> I wanted to point out that port 20 is for ftp data and port 21 is for
> ftp commands.

> When an ftp connection is made, the client connects to the server at
> port 21. All communications occur on that channel.

So far, so good.

> When the server needs to send data to the client, it opens a
> connection to port 20 on the client. When it makes the connection, it
> allocates a local port > 1024 for its local port.

No.

When the client requests data from the server, the CLIENT allocates
a random port number and tells the SERVER what it is, and then the
SERVER opens a connection FROM port 20 to that random port on the
client.

> When a client requests passive ftp, the server opens a random port >
> 1024 for listening. The client then opens a connection to that port.

And then we're back on track again.

> With both passive and regular ftp data connections, the server has a
> local port > 1024 open. The distinction is that with passive ftp the
> server does a "listen()," opening a port for incoming connections.
> With regular ftp, the server does a "connect()" and the client must
> open port 20 with "listen()."

And obviously the summary is off-track because the information it's
derived from is slightly wrong.

Anyone doing this stuff would do well to look at the O'Reilly book
"Building Internet Firewalls" by Chapman and Zwicky which describes
the packet filtering characteristics of all the major protocols.

As far as Axel's problem goes, I'm not sure what natd does with FTP
connections (I usually give public servers a public address) but
the server certainly passes its address back to the client for
passive mode connections along with the port number the client
needs to connect to (in normal or active mode the client sends its
address and port number to the server).

Some FTP clients will tell you what the ports are, which you can compare
with logs on your firewall (assuming you're logging FTP connections).
If the connection is actually timing out, you can also look at netstat
on the various boxes to see what ports are being used.

Otherwise, I'd suggest running natd in "verbose" mode to actually watch
the translations--it may be altering some port numbers as well, which will
throw things off.

I hope there's some help in there somewhere...

Tony

-- 
Tony Landells                                   <ahlaustclear.com.au>
Senior Network Engineer                         Ph:  +61 3 9677 9319
Australian Clearing Services Pty Ltd            Fax: +61 3 9677 9355
Level 4, Rialto North Tower
525 Collins Street
Melbourne VIC 3000
Australia
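As an added illustration of the active/passive distinction described in the reply above (example code, not part of the original thread), this Python snippet decodes the h1,h2,h3,h4,p1,p2 tuple carried by a client's PORT command and by a server's 227 passive-mode reply, and reports which side listens, on which port, which source port the connecting side uses, and whether the address advertised inside the protocol differs from the one seen on the control channel, which is the natd case the reply mentions. The sample lines and all addresses are constructed.

```python
import re

# Constructed sample control-channel lines (not from the original thread).
SAMPLE_PORT_CMD = "PORT 192,168,1,10,4,1"                          # client -> server
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (10,0,0,5,195,80)"  # server -> client

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT and by the 227 reply.

    Returns (dotted_ip, port) where port = p1 * 256 + p2.
    """
    m = _TUPLE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: %r" % text)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in: %r" % text)
    h1, h2, h3, h4, p1, p2 = octets
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def data_connection(line, server_ip, client_ip):
    """Describe the data connection that will follow one control-channel line.

    server_ip / client_ip are the addresses actually seen on the port-21
    control connection. 'nat_mismatch' is True when the address advertised
    inside the protocol differs from the real one, i.e. a NAT in the path did
    not rewrite it and the data connection will be aimed at the wrong host.
    """
    if line.upper().startswith("PORT "):
        ip, port = parse_hostport(line)           # client says where it listens
        return {"mode": "active", "listener": (ip, port),
                "src_port": 20,                   # server connects FROM port 20
                "nat_mismatch": ip != client_ip}
    if line.startswith("227"):
        ip, port = parse_hostport(line)           # server says where it listens
        return {"mode": "passive", "listener": (ip, port),
                "src_port": None,                 # client uses an ephemeral port
                "nat_mismatch": ip != server_ip}
    return None                                   # not a data-channel negotiation


if __name__ == "__main__":
    for line in (SAMPLE_PORT_CMD, SAMPLE_PASV_REPLY):
        print(line, "->", data_connection(line, "203.0.113.5", "192.168.1.10"))
```

Comparing the decoded listener against firewall or natd logs is the check the reply suggests: a passive reply that advertises a private address while the control channel arrived from a public one is the classic symptom of a NAT that did not rewrite the 227 payload.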
    
