Question about forwarding port 21 through a router

 
 
Croa Crapaud
      06-14-2004, 03:33 AM
Hi,
I have a small Linksys Network EveryWhere Router.
I have enabled some port forwarding to let people gain access to my
web server, FTP server and SSHd on my Mandrake Linux 10.

Today, I was surprised to see in router config that FTP external port
21 was in fact forwarding to the internal port 20.

If I try to change the FTP internal port from 20 to 21, I will not be
able to add a SSH forward to port 22 (the router will give me an error
message). Plus, I will not be able to connect to my FTP server from
the outside world.

I tried resetting the router. And if I get back to the administration
page on the router, I see that the factory default for FTP forwarding
is external port = 21, internal port = 20. Unfortunately, this default
configuration works but I don't know why.
And if I leave this like that, I'm able to add a port forwarding for SSH
to port 22.

So, basically, I can live with that but I find this odd... Does anybody
know why a FTP connection through my router configured to forward the
external port 21 to the internal port 21 won't work, but will work
when external port 21 point to internal port 20?

One last thing, if the router is configured to forward 21 external to
21 internal, my FTP client tells me that it is waiting for a
response. And I have a line that reads like that:
SSH-1.99-OpenSSH_3.6.1p2. And it freezes there.

I hope you can understand my problem!
Thank you for your help!
-Dan
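
The greeting quoted in the post identifies the service that actually answered on port 21: an SSH server opens with an `SSH-` identification string, while an FTP server opens with a three-digit reply such as 220. The following is an added example, not part of the original post, that checks which service each forwarded port really reaches; the host `192.0.2.1`, the port map and the injectable `grab` parameter are constructed for illustration.

```python
import socket

def classify_banner(banner):
    """Name the service from the first line it sends after connect."""
    line = banner.split(b"\n", 1)[0].strip()
    if line.startswith(b"SSH-"):
        return "ssh"
    # FTP greets with a 3-digit reply (220 ready, 120 delay, 421 closing).
    # SMTP also greets with 220, so this is a check for port 21, not a
    # general fingerprint.
    if line[:3] in (b"220", b"120", b"421") and line[3:4] in (b" ", b"-"):
        return "ftp"
    return "unknown"

def read_banner(host, port, timeout=5.0):
    """Connect and return whatever the server says first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(256)

def audit_forwards(host, expected, grab=read_banner):
    """expected maps external port -> service; returns {port: (want, seen)}."""
    mismatches = {}
    for port, want in sorted(expected.items()):
        try:
            seen = classify_banner(grab(host, port))
        except OSError as exc:
            seen = "error: " + type(exc).__name__
        if seen != want:
            mismatches[port] = (want, seen)
    return mismatches

if __name__ == "__main__":
    # Constructed replay of the symptom: port 21 answers with the SSH
    # banner quoted in the post. Drop grab= to test a real router address.
    replay = {21: b"SSH-1.99-OpenSSH_3.6.1p2\r\n",
              22: b"SSH-1.99-OpenSSH_3.6.1p2\r\n"}
    print(audit_forwards("192.0.2.1", {21: "ftp", 22: "ssh"},
                         grab=lambda host, port: replay[port]))
```

Run from outside the LAN, an empty result means every forward lands on the service its rule claims.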
 
David Efflandt
      06-14-2004, 10:34 AM
On Sun, 13 Jun 2004 23:33:05 -0400, Croa Crapaud <(E-Mail Removed)> wrote:
> Hi,
> I have a small Linksys Network EveryWhere Router.
> I have enabled some port forwarding to let people gain access to my
> web server, FTP server and SSHd on my Mandrake Linux 10.
>
> Today, I was surprised to see in router config that FTP external port
> 21 was in fact forwarding to the internal port 20.
>
> If I try to change the FTP internal port from 20 to 21, I will not be
> able to add a SSH forward to port 22 (the router will give me an error
> message). Plus, I will not be able to connect to my FTP server from
> the outside world.


You may be confused about the ports used for ftp. Non-passive ftp uses
both ports 21 (ftp) and 20 (ftp-data). So what you might be seeing in
your router config is that if you use an ftp client to destination port
21, that triggers opening incoming port 20 to the same local IP.

For more details, do a web search for 'rfc ftp'. But it is a bit
difficult to remember which way connections are initiated for active or
passive ftp-data (which is different from ftp port 21).

--
David Efflandt - All spam ignored http://www.de-srv.com/
 
P Gentry
      06-14-2004, 03:23 PM
(E-Mail Removed) (David Efflandt) wrote in message news:<(E-Mail Removed)>...
> On Sun, 13 Jun 2004 23:33:05 -0400, Croa Crapaud <(E-Mail Removed)> wrote:
> > Hi,
> > I have a small Linksys Network EveryWhere Router.
> > I have enabled some port forwarding to let people gain access to my
> > web server, FTP server and SSHd on my Mandrake Linux 10.
> >
> > Today, I was surprised to see in router config that FTP external port
> > 21 was in fact forwarding to the internal port 20.
> >
> > If I try to change the FTP internal port from 20 to 21, I will not be
> > able to add a SSH forward to port 22 (the router will give me an error
> > message). Plus, I will not be able to connect to my FTP server from
> > the outside world.

>
> You may be confused about the ports used for ftp. Non-passive ftp uses
> both ports 21 (ftp) and 20 (ftp-data). So what you might be seeing in
> your router config is that if you use an ftp client to destination port
> 21, that triggers opening incoming port 20 to the same local IP.
>
> For more details, do a web search for 'rfc ftp'. But it is a bit
> difficult to remember which way connections are initiated for active or
> passive ftp-data (which is different from ftp port 21).


I always have to look it up just to reassure myself that I'm "doing it
right" ;-)

OP ...
Look here for a quick explanation of the ports/channels used and the
differences between active and passive sessions:
http://www.siliconvalleyccie.com/lin...ftp-server.htm
Port 21 is the control (command) channel and port 20 is the data
channel -- passive mode allows the client to arrange (high numbered)
ports used. It may be forwarding to port 20 as part of its passive
mode operation?

Without any specifics re: your router and its fw rules (and how it
enforces them) it can be difficult to be sure why/how you would
reconfigure it to "work as expected". A quick look at this router:
http://www.linksys.com/products/prod...id=29&prid=433
didn't reveal any obvious answers -- except UPnP forwarding?

The packet filter is stateful so they can "pretty much" route/forward
as they choose. I also expect it may be because you are not running
the ftp server in the dmz.

Your answer will lie within the specifics of how your router is
"pre-configured" to handle different scenarios. The one I looked at
provides lots of goodies so it may have some "inflexible" settings
that make it easier/safer for end users. I think it's likely the dmz
is the only "on your own" area.

hth,
prg
email above disabled
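
On the question of which way the data connection is initiated: in active mode the client's `PORT` command names the address the server connects to, and in passive mode the server's `227` reply names the address the client connects to. The following is an added example, not part of the original posts, that decodes either line and flags an RFC 1918 address that would not survive a NAT router; the sample lines and addresses are constructed.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 field of a PORT command or 227 reply."""
    m = HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    nums = [int(x) for x in m.groups()]
    if max(nums) > 255:
        raise ValueError("field above 255 in %r" % text)
    addr = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return addr, nums[4] * 256 + nums[5]

def data_channel(control_line):
    """Say who opens the data connection announced by a control-channel line."""
    line = control_line.strip()
    if line.upper().startswith("PORT "):
        mode, opener, listener = "active", "server", "client"
    elif line.startswith("227"):
        mode, opener, listener = "passive", "client", "server"
    else:
        raise ValueError("not a PORT command or a 227 reply: %r" % line)
    addr, port = parse_hostport(line)
    return {
        "mode": mode, "opened_by": opener, "listener": listener,
        "addr": str(addr), "port": port,
        # An RFC 1918 address here cannot be reached from the other side of
        # a NAT router unless the router rewrites the line in transit.
        "private_addr": any(addr in net for net in RFC1918),
    }

if __name__ == "__main__":
    # Constructed control-channel lines (not captured from the thread).
    for sample in ("PORT 203,0,113,5,4,1",
                   "227 Entering Passive Mode (192,168,1,10,195,80)"):
        print(sample, "->", data_channel(sample))
```

For a server behind the router, the passive case is the one that needs inbound forwarding of the announced port in addition to port 21.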
 
Croa Crapaud
      06-17-2004, 02:58 AM
Hi, thank you for your explanations! In fact, it's working right now
so I'll just leave the config like that. I just wanted to understand why
and your replies were what I was looking for.
Thanks again!
-Dan

On 14 Jun 2004 08:23:10 -0700, (E-Mail Removed) (P Gentry)
wrote:

>(E-Mail Removed) (David Efflandt) wrote in message news:<(E-Mail Removed)>...
>> On Sun, 13 Jun 2004 23:33:05 -0400, Croa Crapaud <(E-Mail Removed)> wrote:
>> > Hi,
>> > I have a small Linksys Network EveryWhere Router.
>> > I have enabled some port forwarding to let people gain access to my
>> > web server, FTP server and SSHd on my Mandrake Linux 10.
>> >
>> > Today, I was surprised to see in router config that FTP external port
>> > 21 was in fact forwarding to the internal port 20.
>> >
>> > If I try to change the FTP internal port from 20 to 21, I will not be
>> > able to add a SSH forward to port 22 (the router will give me an error
>> > message). Plus, I will not be able to connect to my FTP server from
>> > the outside world.

>>
>> You may be confused about the ports used for ftp. Non-passive ftp uses
>> both ports 21 (ftp) and 20 (ftp-data). So what you might be seeing in
>> your router config is that if you use an ftp client to destination port
>> 21, that triggers opening incoming port 20 to the same local IP.
>>
>> For more details, do a web search for 'rfc ftp'. But it is a bit
>> difficult to remember which way connections are initiated for active or
>> passive ftp-data (which is different from ftp port 21).

>
>I always have to look it up just to reassure myself that I'm "doing it
>right" ;-)
>
>OP ...
>Look here for a quick explanation of the ports/channels used and the
>differences between active and passive sessions:
>http://www.siliconvalleyccie.com/lin...ftp-server.htm
>Port 21 is the control (command) channel and port 20 is the data
>channel -- passive mode allows the client to arrange (high numbered)
>ports used. It may be forwarding to port 20 as part of its passive
>mode operation?
>
>Without any specifics re: your router and its fw rules (and how it
>enforces them) it can be difficult to be sure why/how you would
>reconfigure it to "work as expected". A quick look at this router:
>http://www.linksys.com/products/prod...id=29&prid=433
>didn't reveal any obvious answers -- except UPnP forwarding?
>
>The packet filter is stateful so they can "pretty much" route/forward
>as they choose. I also expect it may be because you are not running
>the ftp server in the dmz.
>
>Your answer will lie within the specifics of how your router is
>"pre-configured" to handle different scenarios. The one I looked at
>provides lots of goodies so it may have some "inflexible" settings
>that make it easier/safer for end users. I think it's likely the dmz
>is the only "on your own" area.
>
>hth,
>prg
>email above disabled


 