Linux FTP exception in system-config-securitylevel --- Active Mode

harmandeep

Guys, I was practising with vsftpd in PASV and PORT modes.

I have a query regarding the working of the FTP client (another RHEL box) in PORT mode.

Whenever I add an exception for FTP in system-config-securitylevel (which indeed allows 21,22 TCP as per the iptables and system-config-securitylevel files in /etc/sysconfig), my FTP client works with a VSFTPD server in PORT mode (the client is able to accept data from VSFTPD port 20 to any high random port of the client).

Now this is strange IMO, because checking FTP as an exception in system-config-securitylevel allows INBOUND TCP ports 21 and 22, whereas whenever I allow FTP on my FTP client system, the FTP client works in PORT mode as though this exception were allowing INBOUND access to the Linux FTP client (/usr/bin/ftp).

If I don't add an exception for FTP on the FTP client system, PORT mode doesn't work, and a Wireshark trace reveals that VSFTPD server port 20 tried to reach a high random port on the FTP client, which was administratively prohibited.

Can anyone help reveal what is actually done by adding that FTP exception, and how come this FTP exception (which is intended for an FTP server) is helping out the FTP client by allowing INBOUND access to it?

Both the RHEL server and client are virtual instances under VMware Workstation, and the VSFTPD server has been configured to only allow PORT connections.

Regards
 
FTP works with a pair of ports called control and data ports.

Active mode of operation:

Pair of control ports:

Server - port 21

Client - port number greater than 1024, let's say 1034

Pair of data ports:

Server - port 20

Client - port number greater than 1024, let's say 1035



1) Client connects from its control port to server's control port [ c:1034 -> s:21]

2) Client sends the PORT command with the chosen data port (usually previously chosen port + 1 = (1035))

3) Server then connects from its data port to the client's data port [s:20 -> c:1035]

This method makes server configuration easy (open ports 21 and 20) and client configuration difficult (allow connections to random ports)

Many firewalls do not allow initiation of connections from outside, so this process is blocked in most configurations

For this to work, the following should be done on the client's firewall:

1. The firewall should be able to track FTP connections; this way it knows what port number was sent in the PORT command to which server

2. When a data connection open request comes from a server (which is tracked by the firewall) it will allow the request.



Passive mode of operation:

Pair of control ports:

Server - port 21

Client - port number greater than 1024, let's say 1034

Pair of data ports:

Server - port number greater than 1024, let's say 2035

Client - port number greater than 1024, let's say 1035



1) Client connects from its control port to server's control port [ c:1034 -> s:21]

2) Client issues a PASV command

3) Server then sends the PORT command to the client with the chosen data port (port number greater than 1024, let's say 2035)

4) Client then initiates the connection from its data port [c:1035 -> s:2035]

Since the client initiates the connections, the client firewall need not track FTP connections and configuration is easy.

This method makes server configuration a little difficult (open port 21 and a set of data ports)

This problem is also solved by using the FTP connection tracking feature in firewalls

For server configuration see: Iptables Open FTP Port 21 and 20
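The two client-firewall requirements listed in the post above (watch the control channel, then admit the server's data connection as related to it) are exactly what the Linux FTP connection-tracking helper does. On a RHEL 5 box, checking FTP in system-config-securitylevel adds ip_conntrack_ftp to IPTABLES_MODULES in /etc/sysconfig/iptables-config, and the default RH-Firewall-1-INPUT chain already has a `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule; the helper marks the server's SYN to the announced high port as RELATED, so no explicit INBOUND rule for that port is needed. The Python below is an added example written for this page, not code from the thread and not netfilter's own: a miniature of that helper that parses the PORT command and the 227 passive reply into data-channel endpoints, records a one-shot expectation, and decides whether a later SYN is related. All IP addresses, ports and control-channel lines are constructed sample data.

```python
"""Miniature FTP connection-tracking helper (added example, not netfilter code).

A stateful firewall cannot pre-open "any high random port"; instead it reads
the control channel (port 21) and learns which data connection to expect:
  - active:  client sends "PORT h1,h2,h3,h4,p1,p2"   -> expect server -> client:p
  - passive: server replies "227 ... (h1,h2,h3,h4,p1,p2)" -> expect client -> server:p
A later SYN matching an expectation is RELATED and admitted once.
All addresses, ports and control lines below are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 959 host-port form: h1,h2,h3,h4,p1,p2 -> "h1.h2.h3.h4", p1*256 + p2
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PORT_CMD = re.compile(r"^PORT\s+" + _HOSTPORT + r"\s*$", re.IGNORECASE)
_PASV_REPLY = re.compile(r"^227\s[^(]*\(" + _HOSTPORT + r"\)")


def parse_hostport(match) -> tuple:
    """Decode the six octets of a PORT/227 argument into (ip, port)."""
    octets = [int(x) for x in match.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("host-port octet out of range")
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


@dataclass(frozen=True)
class Expectation:
    src_ip: str      # who will open the data connection
    dst_ip: str      # where it will go
    dst_port: int    # the port announced on the control channel
    mode: str        # "active" or "passive"
    # Like the kernel helper, the initiator's source port is not pinned:
    # vsftpd happens to use 20 in active mode, but that is not guaranteed.


class FtpTracker:
    """Tracks one control connection client:c -> server:21 and its expectations."""

    def __init__(self, client_ip: str, server_ip: str):
        self.client_ip = client_ip
        self.server_ip = server_ip
        self.expectations: List[Expectation] = []

    def observe_control(self, direction: str, line: str) -> Optional[Expectation]:
        """Feed one control-channel line; direction is 'c2s' or 's2c'."""
        line = line.rstrip("\r\n")
        if direction == "c2s":
            m = _PORT_CMD.match(line)
            if not m:
                return None
            ip, port = parse_hostport(m)
            # Anti-bounce: only accept a PORT that names the client itself
            # (the kernel helper does the same unless loaded with loose=1).
            if ip != self.client_ip:
                return None
            exp = Expectation(self.server_ip, ip, port, "active")
        elif direction == "s2c":
            m = _PASV_REPLY.match(line)
            if not m:
                return None
            ip, port = parse_hostport(m)
            if ip != self.server_ip:
                return None
            exp = Expectation(self.client_ip, ip, port, "passive")
        else:
            raise ValueError("direction must be 'c2s' or 's2c'")
        self.expectations.append(exp)
        return exp

    def allow_syn(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """True if a new connection matches an outstanding expectation (RELATED)."""
        for exp in self.expectations:
            if (exp.src_ip, exp.dst_ip, exp.dst_port) == (src_ip, dst_ip, dst_port):
                self.expectations.remove(exp)   # one-shot, like a conntrack expectation
                return True
        return False


if __name__ == "__main__":
    # Replay the thread's active-mode scenario: client 1034 -> server 21,
    # client announces data port 1035 (4*256 + 11), server dials in from port 20.
    t = FtpTracker(client_ip="192.168.1.20", server_ip="192.168.1.10")
    t.observe_control("c2s", "PORT 192,168,1,20,4,11\r\n")
    print("active data SYN admitted:", t.allow_syn("192.168.1.10", "192.168.1.20", 1035))
    print("unannounced port admitted:", t.allow_syn("192.168.1.10", "192.168.1.20", 1036))
```

Two caveats a practitioner should keep in mind. The helper only works because it can read the control channel in cleartext; with FTPS (an encrypted control connection) it sees nothing and active mode is back to being blocked. And because it turns data from the control channel into firewall holes, the address check above matters: without it a client could announce another host's address in PORT and have the firewall open a path it never intended (the classic FTP bounce).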
 
doofy.dog said:
FTP works with a pair of ports called control and data ports.

Active mode of operation:

Pair of control ports:

Server - port 21

Client - port number greater than 1024, let's say 1034

Pair of data ports:

Server - port 20

Client - port number greater than 1024, let's say 1035



1) Client connects from its control port to server's control port [ c:1034 -> s:21]

2) Client sends the PORT command with the chosen data port (usually previously chosen port + 1 = (1035))

3) Server then connects from its data port to the client's data port [s:20 -> c:1035]

This method makes server configuration easy (open ports 21 and 20) and client configuration difficult (allow connections to random ports)

Many firewalls do not allow initiation of connections from outside, so this process is blocked in most configurations

For this to work, the following should be done on the client's firewall:

1. The firewall should be able to track FTP connections; this way it knows what port number was sent in the PORT command to which server

2. When a data connection open request comes from a server (which is tracked by the firewall) it will allow the request.

Only the BOLD part has been questioned, and it isn't answered ...


and leave aside all the text related to the PASV connection.


doofy.dog said:
FTP works with a pair of ports called control and data ports.

Active mode of operation:

Pair of control ports:

Server - port 21

Client - port number greater than 1024, let's say 1034

Pair of data ports:

Server - port 20

Client - port number greater than 1024, let's say 1035



1) Client connects from its control port to server's control port [ c:1034 -> s:21]

2) Client sends the PORT command with the chosen data port (usually previously chosen port + 1 = (1035))

This isn't true anymore IMO; see http://www.wupload.com/file/19066591/1.7z (Wireshark trace).


Done --- check FTP exception in system-config-securitylevel --- Active Mode - Linux / UNIX Forum
 