TCLUG Archive
Re: [TCLUG:18144] Passive FTP
LONG REPLY but quite informative for the curious.
(quick summary at end)
On Thu, 25 May 2000, Jeffrey C. Lehman wrote:
> I'm wondering if someone could explain or tell me where some good
> documentation is regarding passive ftp transfer. If the default port for
> ftp is on 21 i think passive ftp also needs port 20. If the port was
> higher up, say port 25000, would passive use the next lowest port,
> 24999? I'm also wondering if someone could explain what input and output
> commands i'd need for ipchains. TIA.
>
> Jeff
Here's a quick hands-on example of passive FTP:
What I type will be in {}, what the server responds is in plaintext.
My comments are in []
-=-
[jbevren@cerberus jbevren]$ {telnet localhost 21}
[of course, port 21 is the ftp port]
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 cerberus FTP server (Version wu-2.4.2-VR17(1) Mon Apr 19 09:21:53 EDT 1999) ready.
{user jbevren}
331 Password required for jbevren.
{pass <password>}
230 User jbevren logged in.
{pasv}
[this is what your client sends to indicate that passive mode is needed]
227 Entering Passive Mode (127,0,0,1,244,246)
[this is the magical line. Look at the numbers.
127.0.0.1 is the address to connect to,
244,246 are a pair of octets indicating the port to connect to.
244*256+246=62710. I telnet localhost 62710 in another terminal,
and get an open connection. The transfer phase is prepared.]
{list}
150 Opening ASCII mode data connection for /bin/ls.
[at this point, the directory scrolls through the other terminal. One
of the files is tfb.tcl.]
226 Transfer complete.
[the connection I made previously is closed.]
{pasv}
[this must be done for EVERY transfer to be made.]
227 Entering Passive Mode (127,0,0,1,122,244)
[ 122*256+244=31476, I telnet to port 31476, connect.]
{get tfb.tcl}
500 'GET tfb.tcl': command not understood.
[oops <:-)]
{retr tfb.tcl}
150 Opening ASCII mode data connection for tfb.tcl (7328 bytes).
[tfb.tcl dumps out in the other window..]
226 Transfer complete.
[and its connection is closed by foreign host]
{quit}
221 Goodbye.
[bye]
Connection closed by foreign host.
[jbevren@cerberus jbevren]$
-=-
Passive ftp is quite simple to write for, but not so simple to set up chains
for. I haven't studied any ftp server documentation to see if you can tie a
server to a specific ftp port for passive transfers. However, it can be
difficult for a server to serve more than one transfer at once if there's
only one or a few ports available. Your mileage, of course, will vary. I
recommend, if you can, tying the ftp server to a set of ports at 65000 to
65535, and setting ipchains up appropriately. Active FTP, of course, is
always more secure, break-in wise, since the ftp server makes the transfer
connection instead of accepting it.
-David
- References:
- Passive FTP
- From: "Jeffrey C. Lehman" <jeffclehman@mediaone.net>
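The PASV exchange walked through above, as an added example that is not part of David's reply or of any FTP implementation mentioned in the thread: a small Python client that parses the 227 reply the same way the post does by hand (p1*256+p2), then drives USER/PASS/PASV/RETR over raw sockets exactly as the telnet session did. Beyond what the post shows, it adds the two checks a practitioner would want: it refuses a 227 whose address differs from the control connection's peer (so a hostile or spoofed reply cannot redirect the data connection elsewhere), and it can flag whether the offered port falls inside the 65000-65535 range the post suggests opening in ipchains. Function names, the regex, and the default range are this example's own choices; the sample replies are copied from the session above.

```python
import re
import socket
from typing import Optional, Tuple

# Matches the reply shown in the session, e.g.
#   227 Entering Passive Mode (127,0,0,1,244,246)
# Only the six comma-separated numbers are required, since some servers
# omit the parentheses.
PASV_RE = re.compile(
    r"^227\D*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)


def parse_pasv(reply: str, control_peer: Optional[str] = None) -> Tuple[str, int]:
    """Turn a 227 reply into (host, port); port = p1*256 + p2 as in the post."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 reply: {reply!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range in {reply!r}")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # 244*256+246 == 62710
    if port == 0:
        raise ValueError("server offered port 0 for the data connection")
    # Hardening added in this example (assumption: caller passes the IP of
    # the control connection's peer): refuse to be redirected to a third host.
    if control_peer is not None and host != control_peer:
        raise ValueError(f"227 points at {host} but control peer is {control_peer}")
    return host, port


def in_passive_range(port: int, low: int = 65000, high: int = 65535) -> bool:
    """True if a PASV port is inside the range the post proposes to open."""
    return low <= port <= high


def read_reply(ctl_file) -> str:
    """Read one FTP reply (single- or multi-line, per RFC 959) from a file-like."""
    lines = []
    while True:
        raw = ctl_file.readline()
        if not raw:
            raise ConnectionError("control connection closed")
        line = raw.decode("latin-1").rstrip("\r\n")
        lines.append(line)
        # A reply ends on a line of the form "NNN " (code followed by a space).
        if len(line) >= 4 and line[:3].isdigit() and line[3] == " ":
            return "\n".join(lines)


def passive_retr(host: str, user: str, password: str, path: str, port: int = 21) -> bytes:
    """Fetch `path` over passive FTP, mirroring the telnet session in the post.

    Needs a reachable FTP server; nothing in this function is exercised offline.
    """
    ctl = socket.create_connection((host, port))
    f = ctl.makefile("rb")
    peer_ip = ctl.getpeername()[0]

    def cmd(line: str, ok: str) -> str:
        ctl.sendall((line + "\r\n").encode("latin-1"))
        reply = read_reply(f)
        if not reply.startswith(ok):
            raise RuntimeError(f"{line!r} -> {reply!r}")
        return reply

    read_reply(f)                        # 220 banner
    cmd(f"USER {user}", "331")
    cmd(f"PASS {password}", "230")
    # One PASV per transfer, as the post stresses; the data socket must be
    # connected before RETR is sent.
    data_host, data_port = parse_pasv(cmd("PASV", "227"), control_peer=peer_ip)
    with socket.create_connection((data_host, data_port)) as data:
        cmd(f"RETR {path}", "150")
        payload = b"".join(iter(lambda: data.recv(65536), b""))
    reply = read_reply(f)                # 226 Transfer complete
    if not reply.startswith("226"):
        raise RuntimeError(reply)
    cmd("QUIT", "221")
    ctl.close()
    return payload
```

The peer-address check is the part worth keeping even if you never use the rest: a client that blindly connects to whatever address a 227 names will happily open a data connection to any host the server (or something in the path) chooses.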