Tuesday, July 7, 2009

Connecting to remote FTP site through IPtables

We recently installed a Linux-based proxy/gateway server and used iptables to handle the firewall side of it. Even though TCP port 21 was open on this firewall, we were not able to get a data session going with a remote FTP site: the control connection and the login worked fine, but as soon as a command that needs a data connection, such as ls, was issued, the client could not connect to the remote host. We understood the problem after reading the FTP RFC (RFC 959). It rests on the design of the FTP protocol itself: FTP uses two TCP connections, a control connection and a separate data connection, and the data connection can be set up in one of two modes, active and passive. The following figure illustrates the difference between the two:



As the figure shows, the control connection is made to port 21 on the server in both modes, which is why we could connect and log in to the remote host. In active mode, however, the data connection is established by the server: the client tells the server (with the PORT command) which port above 1023 it is listening on, and the server then connects to that port, originating the request from its own port 20. This means that iptables, or any other firewall in front of the client, would have to accept inbound connections from port 20 of the remote host to any port above 1023 on the client. Such a standing hole can be a security risk, and hence the need for passive mode is felt.

In passive mode the roles are reversed: the client asks the server (with the PASV command) for a data port, the server replies with an address and a port above 1023 on which it is listening, and the client opens the data connection to that port from a port above 1023 of its own. Because the server picks that port per session, a static iptables rule still cannot know which port to allow. Loading the ip_conntrack_ftp module (nf_conntrack_ftp on current kernels) with modprobe solves this: the helper reads the PORT and PASV exchange on the control connection and marks the matching data connection as RELATED, so an existing rule that accepts RELATED,ESTABLISHED traffic lets it through without opening a fixed port range. Once the module was loaded we could connect to the remote FTP site and also start data transfers. One caveat: the helper only works while the control channel is in clear text; with FTP over TLS it cannot read the commands, and the data port range has to be allowed explicitly.
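To make the RFC detail concrete, here is an added example (not code from the original post) that does in Python what the conntrack FTP helper does in the kernel: it reads the control-channel exchange, decodes the PORT command and the 227/229 replies, and derives the data connection the firewall has to expect for each, including the source port 20 that active mode needs. It also refuses an announced address that does not belong to the peer that sent it; the kernel helper applies an equivalent check unless loaded with its loose option, since otherwise a hostile server could use a PASV reply to get the firewall to open a hole towards a third host. The session transcript and the RFC 5737 addresses below are constructed for this example.

```python
"""Derive the data connections a stateful firewall must allow from an FTP
control-channel exchange. Added example: it mimics what the
ip_conntrack_ftp / nf_conntrack_ftp helper does; it is not the kernel code.
The transcript at the bottom is constructed, using documentation addresses."""
import re
from typing import List, NamedTuple, Optional, Tuple

# RFC 959 host-port argument: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# RFC 2428 EPSV reply: "229 Entering Extended Passive Mode (|||port|)"
_EPSV_PORT = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


class Expectation(NamedTuple):
    """One data connection the firewall should let through (a RELATED flow)."""
    mode: str             # "active" or "passive"
    src: str              # host that opens the data connection
    dst: str              # host that listens for it
    dport: int            # listening port, above 1023 in practice
    sport: Optional[int]  # 20 in active mode; ephemeral (unknown) in passive mode


def _decode_hostport(text: str) -> Tuple[str, int]:
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', port), rejecting junk."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 argument in %r" % text)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % text)
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def expectation_from_line(direction: str, line: str,
                          client_ip: str, server_ip: str) -> Optional[Expectation]:
    """direction is 'C' (client -> server) or 'S' (server -> client).

    Returns an Expectation for lines that announce a data port, None for all
    other lines, and raises ValueError when the announced address does not
    belong to the peer that sent it or the port is privileged.
    """
    if direction == "C" and line.upper().startswith("PORT "):
        host, port = _decode_hostport(line)
        if host != client_ip:
            raise ValueError("PORT names %s but the client is %s" % (host, client_ip))
        if port < 1024:
            raise ValueError("PORT to privileged port %d refused" % port)
        # Active mode: the server connects from port 20 to the client's port.
        return Expectation("active", server_ip, client_ip, port, 20)
    if direction == "S" and line.startswith("227"):
        host, port = _decode_hostport(line)
        if host != server_ip:
            raise ValueError("227 names %s but the server is %s" % (host, server_ip))
        if port < 1024:
            raise ValueError("227 with privileged port %d refused" % port)
        # Passive mode: the client connects to the port the server announced.
        return Expectation("passive", client_ip, server_ip, port, None)
    if direction == "S" and line.startswith("229"):
        m = _EPSV_PORT.search(line)
        if m is None:
            raise ValueError("malformed EPSV reply %r" % line)
        port = int(m.group(1))
        if not 1023 < port <= 65535:
            raise ValueError("229 with port %d refused" % port)
        # EPSV carries only a port; the address is the control connection's peer.
        return Expectation("passive", client_ip, server_ip, port, None)
    return None


def expectations_for_session(transcript, client_ip, server_ip):
    """Walk a whole control-channel exchange; return (accepted, rejected)."""
    accepted: List[Expectation] = []
    rejected: List[Tuple[str, str]] = []
    for direction, line in transcript:
        try:
            exp = expectation_from_line(direction, line, client_ip, server_ip)
        except ValueError as err:
            rejected.append((line, str(err)))
            continue
        if exp is not None:
            accepted.append(exp)
    return accepted, rejected


# Constructed control-channel transcript (not a real capture).
CLIENT_IP, SERVER_IP = "192.0.2.10", "198.51.100.7"
SAMPLE_SESSION = [
    ("S", "220 ftp.example.org FTP server ready"),
    ("C", "USER anonymous"),
    ("S", "331 Please specify the password."),
    ("C", "PASS guest@example.org"),
    ("S", "230 Login successful."),
    ("C", "PORT 192,0,2,10,195,80"),                            # client listens on 192.0.2.10:50000
    ("S", "200 PORT command successful."),
    ("C", "LIST"),
    ("S", "150 Here comes the directory listing."),
    ("S", "226 Directory send OK."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,7,234,24)."),  # server listens on 198.51.100.7:59928
    ("C", "RETR notes.txt"),
    ("S", "226 Transfer complete."),
    ("C", "EPSV"),
    ("S", "229 Entering Extended Passive Mode (|||60010|)"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (203,0,113,5,0,80)."),     # bounce attempt: third host, port 80
    ("C", "QUIT"),
    ("S", "221 Goodbye."),
]

if __name__ == "__main__":
    ok, bad = expectations_for_session(SAMPLE_SESSION, CLIENT_IP, SERVER_IP)
    for e in ok:
        print("%-7s allow %s:%s -> %s:%d" % (e.mode, e.src, e.sport or "ephemeral", e.dst, e.dport))
    for line, why in bad:
        print("REJECT  %r: %s" % (line, why))
```

Running it prints one allow line per legitimate PORT, 227 and 229 exchange and a REJECT for the 227 reply that points at a third host. The allow lines are exactly the flows a static rule set cannot express in advance, which is why the RELATED,ESTABLISHED rule plus the conntrack helper, rather than a fixed open port range, is the right fix.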