01-19-2004 08:28 AM - edited 03-09-2019 06:10 AM
Folks,
I have an FTP server behind my firewall. I want to use a different port for security reasons. If I understand FTP correctly, the client, when in active mode, tells the FTP server what port it is listening on for data transfer. Many FTP programs use port 21 for setup and 20 for data transfer. If I want to use port 40 for setup and 41 for data transfer, what ports do I need to open on my firewall? Also, how would I specify the ports on an FTP client? Do FTP clients let you decide which ports to use for setup and data transfer? Any recommendations?
Thanks
01-19-2004 10:19 AM
On the pix you'll need to configure access for the client coming in:
access-list inbound permit tcp host clientip host serverip eq 40
access-group inbound in interface outside
You'll need to configure fixup protocol:
fixup protocol ftp 40
01-19-2004 11:35 AM
thanks!
Please correct me if I am wrong.
When a user FTPs from a command prompt on his PC, his PC is using active FTP. That means that the client connects at port 21 and tells the FTP server that it is expecting a connection at port 20 for data transfer.
If I connect to an FTP server behind a firewall at a port other than 21, would the client still tell the server to connect at port 20 even though it is connecting to the server at a port other than 21?
How would the firewall behave if the FTP server is behind the firewall and the client is connecting over the internet?
01-19-2004 12:36 PM
Active FTP means that the server will initiate a connection back to the client for data transfers on the port requested by the client. The connection will be SOURCED from port 20 destined to the client's requested port.
Changing FTP ports can be very problematic. Although your Pix firewall can dynamically figure it out using Fixup, the client may not have such a functional firewall. Some clients have issues connecting to the data port, especially in Active mode where the remote client's firewall has to let the traffic back in. How will the remote firewall know that this new connection is part of an FTP session if it started on a port other than 21? Passive mode works best in these situations.
-S
01-19-2004 04:15 PM
Many thanks for your response. Could you please elaborate on passive mode? I am sitting on a PC connected to the internet and want to FTP to a server that is behind a firewall. The FTP server is configured to use port 40 and port 21 for FTP setup.
What should I do on the pix so that I can initiate FTP connections to the FTP server at port 40?
Thanks
01-19-2004 06:24 PM
Here's a good link that explains exactly how passive vs active works:
http://slacksite.com/other/ftp.html
If you're connecting in passive mode and the Pix in question is on your side, you shouldn't need to do anything else, assuming you haven't configured your pix to block the outbound ports in question.
In passive mode, both connections are initiated by the client to the server. These will be outbound sessions through your pix so they will be allowed by default.
If you're using passive and it's not working, the remote firewall or server is probably the problem.
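The two replies above describe what an FTP-aware firewall ("fixup") has to work out from the control channel: in active mode the client announces an address and port in a PORT command and the server connects back from port 20 to it; in passive mode the server announces an address and port in a 227 reply and the client connects to it. The following Python is an added example, not code from this thread or from Cisco, that parses both forms the way an inspector must in order to open the right data-connection pinhole. The sample control-channel lines, the client and server addresses, and the port numbers are constructed for the example; the check that the announced address matches the peer on the control connection is an added defensive check (it rejects third-party "bounce" addresses) and is not a claim about what the PIX fixup itself enforces.

```python
import ipaddress
import re

# Constructed sample control-channel lines, as seen on the FTP command
# connection (port 21 by default, or whatever "fixup protocol ftp <port>" names).
SAMPLE_ACTIVE_CMD = "PORT 203,0,113,25,4,1\r\n"                                # client -> server
SAMPLE_PASSIVE_REPLY = "227 Entering Passive Mode (198,51,100,7,195,80).\r\n"   # server -> client

# Constructed endpoints of the control connection.
CLIENT_IP = "203.0.113.25"
SERVER_IP = "198.51.100.7"

# RFC 959 encodes address and port as six decimal octets: h1,h2,h3,h4,p1,p2.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(fields):
    """Turn the six h1..p2 fields into (ip, port), rejecting malformed values."""
    octets = [int(x) for x in fields]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in address/port fields")
    host = str(ipaddress.IPv4Address(bytes(octets[:4])))
    port = octets[4] * 256 + octets[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return host, port


def expected_data_connection(line, client_ip, server_ip, server_data_port=20):
    """Describe the data connection a stateful firewall must permit after
    seeing `line` on the control channel, or None for any other line.

    Active mode: the server opens the data connection FROM server_data_port
    TO the client's announced address/port (so the client's firewall must
    allow an inbound connection). Passive mode: the client opens it TO the
    server's announced address/port (outbound from the client's point of view).
    """
    line = line.strip()
    m = PORT_RE.match(line)
    if m:
        host, port = decode_hostport(m.groups())
        # Added defensive check: the announced address must be the client we
        # are already talking to, otherwise the server would be told to
        # connect to some third party (classic FTP bounce).
        if host != client_ip:
            raise ValueError(f"PORT address {host} is not the control-channel client {client_ip}")
        return {"mode": "active", "src": server_ip, "sport": server_data_port,
                "dst": host, "dport": port}
    m = PASV_RE.match(line)
    if m:
        host, port = decode_hostport(m.groups())
        # Same check in the other direction: a 227 reply naming a different
        # host would redirect the client's data connection elsewhere.
        if host != server_ip:
            raise ValueError(f"227 address {host} is not the control-channel server {server_ip}")
        return {"mode": "passive", "src": client_ip, "sport": None,
                "dst": host, "dport": port}
    return None


if __name__ == "__main__":
    for sample in (SAMPLE_ACTIVE_CMD, SAMPLE_PASSIVE_REPLY):
        print(expected_data_connection(sample, CLIENT_IP, SERVER_IP))
```

With the constructed samples, the PORT command yields an active-mode pinhole from 198.51.100.7 port 20 to 203.0.113.25 port 1025 (4*256+1), and the 227 reply yields a passive-mode pinhole from the client to 198.51.100.7 port 50000 (195*256+80). This is why the earlier reply says passive mode is easier for a remote client behind its own firewall: the passive connection is outbound from the client and needs no inbound rule, while the active connection needs the client's firewall to admit a new inbound session it can only recognise if it also inspects the control channel on whatever port was chosen for setup.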