Discussion:
Support for passive FTP
Alder
2003-12-18 01:35:26 UTC
I'd like to support passive mode FTP connections to my VMS FTP server,
but since it sits behind a firewall and NAT router, I want to minimize
the security risk by opening only those ports which the FTP server might
pass to the connecting client.

Does anyone have information on the range of ports used by either HGFTP
or the TCPIP Services for OpenVMS server when clients connect in passive
mode?

Thanks,
Alder
Joseph Huber
2003-12-18 10:21:25 UTC
Post by Alder
I'd like to support passive mode FTP connections to my VMS FTP server,
but since it sits behind a firewall and NAT router, I want to minimize
the security risk by opening only those ports which the FTP server might
pass to the connecting client.
Does anyone have information on the range of ports used by either HGFTP
or the TCPIP Services for OpenVMS server when clients connect in passive
mode?
Which VMS and TCPIP versions?

At least VMS 7.3 with TCPIP services 5.3 can do passive mode.
Use SET PASSIVE on the FTP prompt and see (if You have to update).

And Hunter Goatley's HGFTP does it also.
--
Joseph "Sepp" Huber, Muenchen http://www.huber-joseph.de/
Joseph Huber
2003-12-18 12:10:36 UTC
Post by Alder
I'd like to support passive mode FTP connections to my VMS FTP server,
but since it sits behind a firewall and NAT router, I want to minimize
the security risk by opening only those ports which the FTP server might
pass to the connecting client.
Does anyone have information on the range of ports used by either HGFTP
or the TCPIP Services for OpenVMS server when clients connect in passive
mode?
Sorry, in my first reply, I overlooked the real question about the ports.
--
Joseph "Sepp" Huber, Muenchen http://www.huber-joseph.de/
Alder
2003-12-18 18:35:32 UTC
Post by Joseph Huber
Which VMS and TCPIP versions?
The FTP servers I have access to at the moment are HGFTP 3.1 and the one
included in HP TCP/IP Services 5.4.

Thanks,
Alder
Joseph Huber
2003-12-18 20:16:37 UTC
Post by Alder
Post by Joseph Huber
Which VMS and TCPIP versions?
The FTP servers I have access to at the moment are HGFTP 3.1 and the one
included in HP TCP/IP Services 5.4.
I don't claim to know much about the protocol, but
-since nobody else answered-
my understanding of the Passive FTP mode is, that the data transfer
goes over the same socket as the command transfer,
i.e. the FTP server does not open another port for the data.
I don't think You have to do anything special
on the firewall: if the FTP (command-)port 21 is open,
then passive FTP goes through, and does not open a different -blocked- port.
--
Joseph "Sepp" Huber, Muenchen http://www.huber-joseph.de/
b***@encompasserve.org
2003-12-18 21:35:55 UTC
Post by Joseph Huber
Post by Alder
Post by Joseph Huber
Which VMS and TCPIP versions?
The FTP servers I have access to at the moment are HGFTP 3.1 and the one
included in HP TCP/IP Services 5.4.
I don't claim to know much about the protocol, but
-since nobody else answered-
my understanding of the Passive FTP mode is, that the data transfer
goes over the same socket as the command transfer,
i.e. the FTP server does not open another port for the data.
That understanding is not correct. Note that there is a distinction
between port and socket. A socket is an interface associated
with an end to end connection. That connection is uniquely identified
by a four-tuple: source IP, dest IP, source port, dest port.

Regardless of whether you are using passive or active mode FTP, the
server _ALWAYS_ uses a different socket for the data transfer. It
_NEVER_ uses the control connection.

With active mode FTP, the server allocates a fresh socket data
structure and uses source port 20 (or one less than the port on
which it accepted the control connection if that was on something
other than port 21) and whatever destination port the client
told it to use in its PORT command. It attempts to open
an outbound connection using that socket. (Some software may
use a random high port as the source of the non-passive mode
data connection. Not all firewalls tolerate this misbehavior well).

With passive mode FTP, the server allocates a fresh socket
data structure and an ephemeral port number and communicates
that ephemeral port number to the client in its response to the
client's PASV command. It listens for inbound connections to the
allocated ephemeral port number. When the client makes the connection,
the server accepts it.

In the complete absence of negotiation (no PORT command, no PASV
command), the default is for the server to allocate a socket and
open a connection from source port 20 to the port from which the
client initiated the control connection. That may be what you
were thinking of. But this default is never used in practice.
The problem is that if you use this default, you end up using the
same four-tuple of source IP, dest IP, source port, dest port for
every data connection. And connection re-use before the
MSL (maximum segment lifetime) has expired is problematic under
TCP -- you have the possibility of stale packets from the old
connection interfering with fresh packets on the new connection.
So every client in existence (barring pathologically stupid ones)
uses either the PORT or PASV command to negotiate non-default
ports for the data connections.
Post by Joseph Huber
I don't think You have to do anything special
on the firewall: if the FTP (command-)port 21 is open,
then passive FTP goes through, and does not open a different -blocked- port.
This is not the case. The command connection uses port 21. The
(passive mode) data connection will use a random high port. Some
firewalls monitor traffic involving TCP port 21 looking
for dialogue that identifies the negotiated data ports and
automatically opens pinholes to permit that traffic.

John Briggs
Alder
2003-12-19 00:28:51 UTC
Post by b***@encompasserve.org
Some
firewalls monitor traffic involving TCP port 21 looking
for dialogue that identifies the negotiated data ports and
automatically opens pinholes to permit that traffic.
Unfortunately, not mine. ZoneAlarm Pro 4.0 on a W2K.

Regards,
Alder
Alder
2003-12-19 00:26:07 UTC
Post by Joseph Huber
I don't claim to know much about the protocol, but
-since nobody else answered-
my understanding of the Passive FTP mode is, that the data transfer
Nope. Here's a link to a decent explanation of what I'm up against:

http://slacksite.com/other/ftp.html

Cheers,
Alder
Bob Koehler
2003-12-19 14:47:41 UTC
Post by Joseph Huber
I don't claim to know much about the protocol, but
-since nobody else answered-
my understanding of the Passive FTP mode is, that the data transfer
goes over the same socket as the command transfer,
i.e. the FTP server does not open another port for the data.
I don't think You have to do anything special
on the firewall: if the FTP (command-)port 21 is open,
then passive FTP goes through, and does not open a different -blocked- port.
Nope. Passive mode just changes which end initiates the data port.
In non-passive mode the server gets a transfer request on the
control port which includes a data port number to connect to from the
client. In passive mode the server gets a transfer request on the
control port and tells the client which data port number to connect to.

The default data port is the control port for the client and the
adjacent port for the server, but both ends must support use of
non-default ports. Generally the implementation doesn't care, since the
port number is always sent on the control port: you just open
whatever port the message says.
JF Mezei
2003-12-19 20:34:23 UTC
Post by Bob Koehler
The default data port is the control port for the client and the
adjacent port for the server, but both ends must support use of
non-default ports. Generally implementation doesn't care since the
port number is always sent on the control port, you just open
whatever port the message says.
That doesn't solve the problem. When a client tells a VMS FTP server it wants
to be PASV (passive), the VMS FTP server responds with a port number the
client should use to connect to the FTP server for the actual data transfer.

The original poster wanted to know in what range the FTP server would choose
the port numbers.

Personally, I avoided the problem by setting the default host on my NAT
setting to be the one I want FTP transfers to go to. So any request to connect
to some random port goes to one VMS machine.

I've looked at the TCPIP documentation and I have seen no mention of port
range used by FTP in passive mode.

The FTP standard only stipulates that the default data port is the FTP
standard port (21) - 1 (so port 20).

The output of the PASV command provides insight as to what sort of port VMS
will tell the client to use. It is a sequence of 6 digits. The first 4
represent the dotted IP address, and the last 2 represent the 2 bytes making
up the port number. (first of the 2 is high order).

On my 3100, it gives me 240,121 (or port 61561) (TCPIP Services 5.3-2)
On my almighty MicroVAX II: 4,155 (or port 1179) (TCPIP Services 5.0-A)
Hunter Goatley
2003-12-21 03:57:56 UTC
Post by Alder
I'd like to support passive mode FTP connections to my VMS FTP server,
but since it sits behind a firewall and NAT router, I want to minimize
the security risk by opening only those ports which the FTP server might
pass to the connecting client.
Does anyone have information on the range of ports used by either HGFTP
or the TCPIP Services for OpenVMS server when clients connect in passive
mode?
HGFTP just uses random ports above 1024. There's (currently) no way to
limit the port range for the connections.

Hunter
------
Hunter Goatley, Process Software, http://www.process.com/
PreciseMail Anti-Spam from Process Software
***@goatley.com, http://www.goatley.com/hunter/
David M Smith
2003-12-22 21:04:52 UTC
Post by Alder
I'd like to support passive mode FTP connections to my VMS FTP server,
but since it sits behind a firewall and NAT router, I want to minimize
the security risk by opening only those ports which the FTP server might
pass to the connecting client.
Does anyone have information on the range of ports used by either HGFTP
or the TCPIP Services for OpenVMS server when clients connect in passive
mode?
In older versions of TCP/IP there is no control over the port range, and I don't
know how to tell what the range is. On newer versions (at least V5.3 which I am
running) I think you can query the range and change it, if you need to. Use the
following sequence to check the current range:

$ @sys$manager:TCPIP$DEFINE_COMMANDS.COM
$ sysconfig -q inet

and then look at the values returned for ipport_userreserved_min and
ipport_userreserved -- I think this is the range. Here is what I get on my
system:

ipport_userreserved = 65535
ipport_userreserved_min = 49152

I think this means the range of "ephemeral ports" is 49152 to 65535. This is
described in section 2.2.2.8 of the Tuning and Troubleshooting manual. See, for
example:

http://h71000.www7.hp.com/doc/73final/6631/6631pro_003.html#connect_port_range


-------------------------------------------------------------------------
David M. Smith 302.391.8533 dsmit115 at csc dot com
Computer Sciences Corporation (Opinions are those of the writer only)
-------------------------------------------------------------------------
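As an added worked example (not code from any poster in this thread), the following decodes the 227 reply JF Mezei describes above (the last two numbers are the high and low bytes of the data port) and checks the advertised port against the ipport_userreserved_min / ipport_userreserved range David Smith shows. The sysconfig text and the 192.0.2.10 address are constructed, and expected_ip is an assumed parameter for catching a server behind NAT that advertises an address the client cannot reach.

```python
import re

# Constructed sample of `sysconfig -q inet` output, using the two values
# quoted in this thread (only the relevant attributes are shown).
SYSCONFIG_OUTPUT = """inet:
ipport_userreserved = 65535
ipport_userreserved_min = 49152
"""

# Constructed 227 replies carrying the two port pairs quoted in this thread
# (240,121 from TCPIP 5.3-2 and 4,155 from TCPIP 5.0-A).
# 192.0.2.10 is a documentation address standing in for the VMS server.
PASV_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,240,121)",
    "227 Entering Passive Mode (192,0,2,10,4,155)",
]

_PASV_RE = re.compile(r"\((\d{1,3}(?:,\d{1,3}){5})\)")

def ephemeral_range(sysconfig_text):
    """Return (min, max) taken from ipport_userreserved_min / ipport_userreserved."""
    attrs = dict(re.findall(r"^(ipport_userreserved(?:_min)?)\s*=\s*(\d+)",
                            sysconfig_text, re.M))
    return int(attrs["ipport_userreserved_min"]), int(attrs["ipport_userreserved"])

def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, or None if the reply is malformed."""
    if not reply.startswith("227"):
        return None
    m = _PASV_RE.search(reply)
    if not m:
        return None
    f = [int(x) for x in m.group(1).split(",")]
    if any(x > 255 for x in f):          # every field is one byte
        return None
    return ".".join(map(str, f[:4])), f[4] * 256 + f[5]   # first of the pair is high order

def data_port_allowed(reply, port_range, expected_ip=None):
    """True if the advertised data port lies inside the firewall pinhole range and,
    when expected_ip is given, the advertised address is the host the control
    connection really talks to (a NAT'd server may advertise its private address)."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return False
    ip, port = parsed
    if expected_ip is not None and ip != expected_ip:
        return False
    lo, hi = port_range
    return lo <= port <= hi

if __name__ == "__main__":
    rng = ephemeral_range(SYSCONFIG_OUTPUT)
    for r in PASV_REPLIES:
        print(r, "->", parse_pasv(r), "allowed:", data_port_allowed(r, rng))
```

With the range above, the 5.3-2 reply (port 61561) is inside the pinhole range while the 5.0-A reply (port 1179) is not, which matches the point that older versions gave no control over the ports chosen.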