From a book that I am working on. The figures would help, but you'll have 
to buy the book for that! ;-)

FTP Active Mode
1 The client sends a TCP SYN to the well-known FTP control port (port 21) 
on the server. The client uses an ephemeral port as its source port. 
(Ephemeral means short-lived, not well-known, and greater than 1023.)
2 The server sends the client a SYN ACK from port 21 to the ephemeral port 
on the client.
3 The client sends an ACK. The client uses this connection to send FTP 
commands, and the server uses this connection to send FTP replies.
4 When the user requests a directory listing or initiates the sending or 
receiving of a file, the client software sends a PORT command that includes 
an ephemeral port number that the client wishes the server to use when 
opening the data connection.
5 The server sends a SYN from port 20 (FTP data) to the client's ephemeral 
port number, which was provided to the server in the client's PORT command.
6 The client sends a SYN ACK from its ephemeral port to port 20.
7 The server sends an ACK.
8 The host that is sending data uses this new connection to send the data 
in TCP segments, which the other host ACKs. (With some commands, such as 
STOR, the client sends data. With other commands, such as RETR, the server 
sends data.)
9 After the data transfer is complete, the host sending data closes the 
data connection with a FIN, which the other host ACKs. The other host also 
sends its own FIN, which the sending host ACKs.
10 The client can send more commands on the control connection, which may 
cause additional data connections to be opened and then closed. At some 
point, when the user is finished, the client closes the control connection 
with a FIN. The server ACKs the client's FIN. The server also sends its own 
FIN, which the client ACKs.


FTP Passive Mode
The steps for passive FTP are described in the following list. Steps 1-3 
are the same as the first three steps for active mode. Also, steps 9-11 are 
the same as the last three steps for active mode.
1 The client sends a TCP SYN to the well-known FTP control port (port 21) 
on the server. The client uses an ephemeral port as the source port.
2 The server sends the client a SYN ACK from port 21 to the ephemeral port 
on the client.
3 The client sends an ACK. The client uses this connection to send FTP 
commands, and the server uses the connection to send FTP replies.
4 When the user requests a directory listing or initiates the sending or 
receiving of a file, the client software sends a PASV command to the server 
indicating the desire to enter passive mode.
5 The server replies. The reply includes an ephemeral port number that the 
client should use when opening the connection for data transfer.
6 The client sends a SYN from a client-selected ephemeral port to the 
server's ephemeral port number, which was provided to the client in the 
reply to the client's PASV command.
7 The server sends a SYN ACK from its ephemeral port to the client's 
ephemeral port.
8 The client sends an ACK.
9 The host that is sending data uses this new connection to send the data 
in TCP segments, which the other host ACKs. (With some commands, such as 
STOR, the client sends data. With other commands, such as RETR, the server 
sends data.)
10 After the data transfer is complete, the host sending data closes the 
data connection with a FIN, which the other host ACKs. The other host also 
sends its own FIN, which the sending host ACKs.
11 The client can send more commands on the control session, which may 
cause additional data connections to be opened and then closed. At some 
point, when the user is finished, the client closes the control connection 
with a FIN. The server ACKs the client's FIN. The server also sends its own 
FIN, which the client ACKs.

Priscilla


At 12:34 AM 10/31/01, Jill Johnson wrote:
>Thank you very much for all your help.
>
>I still don't quite understand about the Passive Mode.
>
>The idea of setting up this access-list is for the users to dial in from
>home and to be
>able to do FTP to the servers at work.
>
>Thanks.
>
>Jill
>
>Jonathan Hays wrote:
>
> > Priscilla Oppenheimer wrote:
> >
> > > If it's not passive mode, the data channel is initiated by the server
> > > from port 20 (FTP data) to the ephemeral port provided by the client in
> > > its PORT command. Ephemeral just means a short-lived port with a number
> > > greater than 1023.
> > >
> > > If it is passive mode, then the data channel is initiated by the client
> > > from an ephemeral port to an ephemeral port provided by the server in
> > > its PASV command.
> > >
> > > In other words, access lists with FTP are tricky.
> > >
> > > Priscilla
> > >
> > > At 03:14 PM 10/30/01, Jonathan Hays wrote:
> > > >Don't we also want an ACL line for the ftp data channel?
> > > >
> > > >access-list 110 permit tcp any host 192.3.10.10 eq ftp-data
> > > >
> > > >And if the server is using passive ftp
> > > >
> > > >access-list 110 permit tcp any host 192.3.10.10 gt 1023 established
> >
> > Oops, you're right! I'm getting a bit rusty...
> >
> > The "ftp-data" entry would allow data connections from an external ftp
> > server to ftp sessions initiated by the LAN client, which is not what the
> > original poster wanted.
> >
> > However, the "gt 1023 established" entry should allow access for Internet
> > clients to the LAN ftp server doing passive ftp. But it does open things
> > up a bit too much for the comfort of most paranoid sysadmins.
________________________

Priscilla Oppenheimer
http://www.priscilla.com
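Added example, not from the book excerpt and not from anyone in this thread: a small Python model of the two exchanges described above. It encodes and decodes the h1,h2,h3,h4,p1,p2 argument that the PORT command and the 227 reply carry (the port travels as p1*256 + p2), returns the SYN that each mode produces (who opens the data connection, from which port, to which port), and builds the inbound ACL lines each mode needs. The client address 10.0.0.5 and the port numbers 1041 and 2001 are constructed; 192.3.10.10 and access-list 110 come from the thread; the ACL is assumed to be applied inbound on the interface facing the clients.

```python
# Added worked example (not from the book excerpt or the thread): the PORT/PASV
# exchange modelled in code, plus the inbound ACL each mode needs.
from __future__ import annotations

import re
from dataclasses import dataclass

EPHEMERAL_MIN = 1024  # "greater than 1023", as the text above defines ephemeral


def encode_hostport(ip: str, port: int) -> str:
    """Build the h1,h2,h3,h4,p1,p2 argument carried by PORT and by the 227 reply.

    The port travels as two decimal bytes: port = p1 * 256 + p2.
    """
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip!r}")
    if not 0 < port < 65536:
        raise ValueError(f"bad port: {port}")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def decode_hostport(arg: str) -> tuple[str, int]:
    """Inverse of encode_hostport; rejects anything that is not six byte values."""
    parts = [p.strip() for p in arg.split(",")]
    if len(parts) != 6 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"bad host/port argument: {arg!r}")
    nums = [int(p) for p in parts]
    port = (nums[4] << 8) | nums[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return ".".join(str(n) for n in nums[:4]), port


# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; the wording varies between
# servers, so only the reply code and the six-number group are matched.
PASV_REPLY = re.compile(r"^227 [^\r\n]*?(\d{1,3}(?:,\d{1,3}){5})")


def parse_pasv_reply(line: str) -> tuple[str, int]:
    """Extract the server's chosen address and ephemeral port from a 227 reply."""
    m = PASV_REPLY.match(line)
    if not m:
        raise ValueError(f"not a 227 reply: {line!r}")
    return decode_hostport(m.group(1))


@dataclass(frozen=True)
class Syn:
    """The SYN that opens a connection: who sends it, from where, to where."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def data_connection(mode: str, client_ip: str, client_eph: int,
                    server_ip: str, server_eph: int | None = None) -> tuple[str, Syn]:
    """Return the control-channel line that sets up the data connection and the SYN it causes.

    active:  client sends PORT, server SYNs from port 20 to the client's port (steps 4-5).
    passive: client sends PASV, server answers 227, client SYNs to the server's port (steps 4-6).
    """
    if client_eph < EPHEMERAL_MIN:
        raise ValueError("client data port must be ephemeral (> 1023)")
    if mode == "active":
        cmd = f"PORT {encode_hostport(client_ip, client_eph)}"
        ip, port = decode_hostport(cmd.split(" ", 1)[1])  # what the server parses
        return cmd, Syn(server_ip, 20, ip, port)
    if mode == "passive":
        if server_eph is None or server_eph < EPHEMERAL_MIN:
            raise ValueError("server data port must be ephemeral (> 1023)")
        reply = f"227 Entering Passive Mode ({encode_hostport(server_ip, server_eph)})"
        ip, port = parse_pasv_reply(reply)  # what the client parses
        return reply, Syn(client_ip, client_eph, ip, port)
    raise ValueError(f"unknown mode: {mode!r}")


def inbound_acl(mode: str, server_ip: str, acl: int = 110) -> list[str]:
    """Cisco IOS extended-ACL lines that admit client->server packets for one mode.

    Assumes the ACL is applied inbound on the interface facing the clients.
    A stateless ACL sees only headers. In active mode the inbound data packets
    are the client's answers to the server's SYN (dst port 20, ACK bit set), so
    'established' fits. In passive mode the client's own SYN arrives on an
    ephemeral server port; 'established' would drop it, so the rule has to
    admit SYNs to every port above 1023.
    """
    rules = [f"access-list {acl} permit tcp any host {server_ip} eq ftp"]
    if mode == "active":
        rules.append(f"access-list {acl} permit tcp any host {server_ip} eq ftp-data established")
    elif mode == "passive":
        rules.append(f"access-list {acl} permit tcp any host {server_ip} gt 1023")
    else:
        raise ValueError(f"unknown mode: {mode!r}")
    return rules


if __name__ == "__main__":
    # Constructed addresses: 10.0.0.5 is a dial-in client; 192.3.10.10 is the server from the thread.
    for mode in ("active", "passive"):
        line, syn = data_connection(mode, "10.0.0.5", 1041, "192.3.10.10", 2001)
        print(mode, "|", line, "| SYN", f"{syn.src_ip}:{syn.src_port} -> {syn.dst_ip}:{syn.dst_port}")
        print("\n".join(inbound_acl(mode, "192.3.10.10")))
```

Running it shows why the ACLs in the thread differ by mode: in active mode the only inbound data packets are the client's replies to the server's SYN, so "eq ftp-data established" is enough, while in passive mode the client's SYN itself has to reach the server's ephemeral port, so "established" cannot be used and the rule has to open every port above 1023. Note also that the PORT argument and the 227 reply carry an address as well as a port; a server or firewall that parses them should compare that address with the control connection's peer before opening or permitting the data connection.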




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=24751&t=24525
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
