Re: Passive means what during FTP?

From: Robert Nichols (SEE_SIGNATURE_at_localhost.localdomain.invalid)
Date: 05/31/05


Date: Tue, 31 May 2005 15:36:13 +0000 (UTC)

In article <d7h10k$1j8e$1@mail.cn99.com>, case <case@c.com> wrote:
:ftp> put client.conf
:local: client.conf remote: client.conf
:227 Entering Passive Mode (192,168,0,152,238,18)
:ftp: connect: No route to host
:ftp> passive
:Passive mode off.
:ftp> put client.conf
:local: client.conf remote: client.conf
:200 PORT command successful. Consider using PASV.
:150 Ok to send data.
:###
:226 File receive OK.
:3590 bytes sent in 0.0394 secs (89 Kbytes/sec)
:
:Why did the file transfer fail in Passive mode?

The FTP data transfer uses a connection that is separate from the
control connection. Active vs. passive mode selects whether it is the
server or the client that opens the data connection. Firewalls can
prevent one or the other (or both!) from working.

Active mode:
    Over the control connection, the client tells the server what IP
address and port number to connect to for the data transfer. The server
opens a connection from its own port 20 (FTP-Data). A server firewall
needs to allow the outgoing port 20 connection. A firewall on the
client needs to be clever enough to look inside the control packet to
find the port number and then allow the incoming data connection.

Passive mode:
    Just the reverse of the above. The server tells the client what IP
address and port number to connect to for the data transfer. The client
opens a connection from its own port 20 (FTP-Data). A client firewall
needs to allow the outgoing port 20 connection. A firewall on the
server needs to be clever enough to look inside the control packet to
find the port number and then allow the incoming data connection.

In both cases, any intervening NAT routers introduce an additional
layer of complexity. Suffice to say they need to be "FTP-aware".

-- 
Bob Nichols         AT comcast.net I am "rnichols42"
