[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Sheflug] Passive FTP

To: "Sheflug" <sheflug [at] vuw.ac.nz>
Subject: [Sheflug] Passive FTP
From: "Stephen J. Turnbull" <nospam [at] sk.tsukuba.ac.jp>
Date: Thu, 24 Aug 2000 19:20:54 +0900 (JST)
List-help: <http://www.sheflug.co.uk>
List-owner: <mailto:sheflug-admins [at] vuw.ac.nz>
List-post: <mailto:sheflug [at] vuw.ac.nz>
List-subscribe: <mailto:sheflug-request [at] vuw.ac.nz?Subject=subscribe>
List-unsubscribe: <mailto:sheflug-request [at] vuw.ac.nz?Subject=unsubscribe>
Reply-to: "Sheflug" <sheflug [at] vuw.ac.nz>
Sender: sheflug-bounce [at] vuw.ac.nz

I should get more sleep.

Thanks for the correction.

>>>>> "David" == David Mitchell <davem [at] fdgroup.co.uk> writes:

    David> In passive mode, the client sends the sever a 'PASV'
    David> command; the server listens on a random port R2, responds
    David> with a port number R2, then the *client* establishes the
    David> connection:

    David> C:R3 -> S:R2

And if you're thinking this is awf'ly complicated, it's because the
client probably cannot listen on port 20, which is restricted to root
on Unix systems.

I guess that is the rationale for using port 20 on the server in the
first place, so that the client has some confidence that the
connection is authorized by a responsible party on the server?

    David> Similarly, passive is a nightmare for firewall
    David> administrators to support servers; they have to allow
    David> incoming connections from any port to any port >= 1024 on
    David> the server, or have a clever layer-7 filter.

Is is really that bad?  I would put the server outside the firewall
proper, and listen only on 21.  Once you have a connection, the ftp
server itself can tell its host's ip filter which port to open, and as
a bonus, restrict it only to the known client host.

Admittedly, this means that to set up a server an internal entity must
cooperate with the firewall administration.  But that's what you want,
isn't it?  Otherwise the internal entity could run telnetd on port
21.[1]  The only other problems I can see have to do with who
administers and who pays for the routing hardware etc for the networks
out in the war zone.


Footnotes: 
[1]  Suggested by a half-clued colleague for personal use when our
Univ decided to put up a firewall.

-- 
University of Tsukuba                Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
Institute of Policy and Planning Sciences       Tel/fax: +81 (298) 53-5091
_________________  _________________  _________________  _________________
What are those straight lines for?  "XEmacs rules."
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word 
 "unsubscribe" in the body of the message. 

  GNU the choice of a complete generation.

References:
- [Sheflug] Passive FTP
  - From: David Mitchell <davem [at] fdgroup.co.uk>

Prev by Date: [Sheflug] Passive FTP
Next by Date: Re: [Sheflug] Passive FTP
Prev by thread: [Sheflug] Passive FTP
Next by thread: Re: [Sheflug] Passive FTP
Index(es):
- Date
- Thread