How can I connect through passive mode and also enforce a specific port for data control?

+1 vote
asked Apr 13, 2010 by user-73 (google) (160 points)
edited Sep 14, 2012

I've been using the Rebex FTP Component for some time now just fine with the examples and tutorials on your main page. However I have a problem now where there is a very restrictive firewall and I am connecting with FTP explicit and port 990, and the connection is fine but once I try to upload files I do not know what port it is going through and I cannot open my firewall accordingly.

I'd like to know how to connect through secure ftp, passive mode, and doing data control on a port I specify so I may open it in my firewall.

Applies to: Rebex FTP/SSL

1 Answer

+1 vote
answered Apr 13, 2010 by Lukas Pokorny (128,250 points)
edited Sep 14, 2012
Best answer

In passive mode FTP, this is how the data connection is initialized:

  1. The FTP client asks the FTP server for an IP and port to connect to (using the PASV command).
  2. The FTP server supplies the IP (usually the same as the main connection IP) and the port to the client.
  3. The FTP client connects to the specified port at the FTP server.

Unfortunately, this means that the destination port of the data connection is supplied by the server and an FTP client doesn't have any control over it. An FTP client can't instruct the server to listen on a specific port - it has to accept what was offered.

The fact that FTP data connections don't use a fixed port number causes lots of problems with firewalls and this is further complicated when TLS/SSL security is used as well. There is even an Internet draft document dedicated solely to this and it's a must-read for anyone trying to understand the matter.

Possible solutions:

  1. Nearly all FTP servers make it possible to specify a port range for data ports. If you have control over the FTP server, configure it to only use a certain range (don't make it to narrow) and configure the firewall to allow these.
  2. If non-secure FTP works fine over your firewall, it is most likely a content-aware firewall that needs to be able to see the FTP communication to do its work. TLS/SSL makes this impossible. You might use Ftp object's ClearCommandChannel to revert back to unencrypted FTP control connection after logging in (data connections can stay encrypted after this), enabling the firewall to work again in exchange for a degree of security.
  3. If possible, use SFTP instead of FTP or FTPS. It's a more modern protocol that only uses a single TCP connection (to port 22 by default) for all its data, which makes it much easier for firewalls to handle it.

(I didn't mention a possibility of using active FTP mode instead of passive mode because this mode is even less firewall-friendly. Also, I didn't mention the possibility to specify source ports for FTP data connections because most firewalls are configured to filter outgoing connections based on destination ports, not source ports.)

commented Apr 13, 2010 by user-73 (google) (160 points)
Thank you for the detailed reply. A few more questions just to ensure they are correct. When using a Rebex.Net.Ftp object, if you set its property "Passive" to true then it will ignore its "DataPortRange" property. Also if the "Passive" property is not set, does it default to false and become an active mode data connection?
commented Apr 13, 2010 by Lukas Pokorny (128,250 points)
When "Passive" is set to true, "DataPortRange" is used for source ports of the data connection. This usually doesn't make any difference - most firewall are configured to filter outgoing connections based on destination ports only - and it makes sense because by default, source ports are assigned randomly. (Every TCP connection is has one because it consists of [source IP, source port, destination IP, destination port, protocol], also called a 5-tuple.)
commented Apr 13, 2010 by Lukas Pokorny (128,250 points)
"Passive" is set to true by default. If you set it to false, active mode data connections will be used. In active mode, data connections are established by the FTP server connecting an IP/port at the client, which is even less firewall-friendly than passive mode.
commented Oct 19, 2010 by Martin Vobr (12,950 points)
edited Sep 14, 2012