Hunkeler Peter, KIUK 3 wrote:
I think this will depend on whether you are using "active" or "passive"
ftp. With "active" ftp, all data connections are originated from the
__server__ to the client, using port 20 on the server. There are no
ephemeral ports used. Ephemeral ports are only used for "passive" ftp
transfers. That's where an ephemeral port is allocated by the ftp
server, which listens on that port, and connected to by the client. Or
do I have that backwards again??

Nope, you have it correct. When using active ftp the server is really the client and the client is really the server for the actual data transfer connection. The server always uses port 20 as the source port and the client side uses ephemeral ports.


But in passive mode both sides are using ephemeral ports, right? Isn't
passive mode more often used in today's firewalled environments?


Peter Hunkeler
CREDIT SUISSE



Correct, passive uses ephemeral ports on both sides. I am not sure which is used more; the ftp client that Windows provides does not support passive, and I would say that for non-interactive transfers that are initiated on a Windows box the MS-provided client would be used the majority of the time.

Most other platforms support passive ftp from the command line out of the box, so the *nix world may be passive.

SSL'ed FTP only supports passive so anything that does SSL is only passive.

It is really weird: passive was to help resolve issues with firewalls, as it prevents allowing inbound connections to the client. However it assumes that the ftp server was in front of a firewall. If the ftp server is behind a firewall then it requires a rule to allow inbound connections from any ephemeral port to any ephemeral port. Doesn't sound too secure, does it? So the firewall people started monitoring the control session to intercept the PORT command and dynamically created a rule for the specific IP addresses and the source port from the client.

Now for SSL'ed ftp the control session is encrypted so you have issues when doing SSL'ed ftp when the server is behind a firewall. But there are ways around the issues.
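As an added example (not code from anyone in this thread), here is the control-session inspection the reply describes, in Python: it reads the cleartext FTP control channel, turns each PORT command (active) and each 227 passive-mode reply into the narrow pinhole a stateful firewall would open, and stops once AUTH TLS succeeds because the inspector can no longer read the channel. The session lines and the 192.0.2.x / 198.51.100.x addresses are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample control session; "C:" is client->server, "S:" is server->client.
SAMPLE_SESSION = [
    "C: USER anonymous",
    "S: 331 Please specify the password.",
    "C: PORT 192,0,2,10,195,80",                      # active: client listens on 192.0.2.10:50000
    "S: 200 PORT command successful.",
    "C: PASV",
    "S: 227 Entering Passive Mode (198,51,100,7,4,1).",  # passive: server listens on :1025
    "C: AUTH TLS",
    "S: 234 Proceed with negotiation.",
    "C: PASV",                                        # invisible to the inspector from here on
    "S: 227 Entering Passive Mode (198,51,100,7,4,2).",
]

@dataclass
class DataRule:
    mode: str       # "active" or "passive"
    src_ip: str     # host that opens the data connection
    src_port: str   # "20" for active, "ephemeral" for passive
    dst_ip: str
    dst_port: int

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def decode_hostport(groups):
    """FTP encodes h1,h2,h3,h4,p1,p2; the port is p1*256 + p2."""
    h = list(map(int, groups))
    return f"{h[0]}.{h[1]}.{h[2]}.{h[3]}", h[4] * 256 + h[5]

def derive_data_rules(session, client_ip, server_ip):
    """Return (pinhole rules an inspector would open, whether it went blind to TLS)."""
    rules, tls_started = [], False
    for line in session:
        side, _, text = line.partition(": ")
        if side == "C" and text.upper().startswith("AUTH TLS"):
            tls_started = True
        elif side == "S" and tls_started and text.startswith("234"):
            return rules, True  # control channel now encrypted: no more PORT/227 to read
        elif side == "C" and (m := PORT_RE.match(text)):
            ip, port = decode_hostport(m.groups())
            if ip == client_ip:  # only pinhole the address that owns the control session
                rules.append(DataRule("active", server_ip, "20", ip, port))
        elif side == "S" and (m := PASV_RE.match(text)):
            ip, port = decode_hostport(m.groups())
            rules.append(DataRule("passive", client_ip, "ephemeral", ip, port))
    return rules, False
```

Run against SAMPLE_SESSION it yields one active rule (server:20 to 192.0.2.10:50000) and one passive rule (client ephemeral to 198.51.100.7:1025), then reports the inspector went blind at the 234 reply, so the second PASV after AUTH TLS produces no rule.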

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
