ProFTPD Passive Transfers - Inexplicable Wierdness

I wasn't sure where else to post this, so this seemed like a good spot.
One of our customers was having difficulties establishing an active
FTP connection with our server, so I decided to attempt a passive
connection. The passive connection worked, but I am a little confused
as to why. I am using the ProFTPD ftp server that comes included with
the ClarkConnect Gatway package. It was my understanding that passive
connections had to be explicitly configured. In other words, you would
have to open up a range of unprivileged ports on the router and direct
them to the ftp server. I haven't done this, but the ftp transfer is
working correctly. How is this possible? Is it possible that the
router is opening these ports up on the fly? A quick check of netstat
shows that the data connection has been opened up on unprivileged ports
on both sides. I just want to know how this is working. Thanks.

-Vincent



Vincent

Vincent wrote:
> I wasn't sure where else to post this, so this seemed like a good spot.
> One of our customers was having difficulties establishing an active
> FTP connection with our server, so I decided to attempt a passive
> connection. The passive connection worked, but I am a little confused
> as to why. I am using the ProFTPD ftp server that comes included with
> the ClarkConnect Gatway package. It was my understanding that passive
> connections had to be explicitly configured. In other words, you would
> have to open up a range of unprivileged ports on the router and direct
> them to the ftp server. I haven't done this, but the ftp transfer is
> working correctly. How is this possible? Is it possible that the
> router is opening these ports up on the fly? A quick check of netstat
> shows that the data connection has been opened up on unprivileged ports
> on both sides. I just want to know how this is working. Thanks.

It could be the netfilter ftp conntrack/nat helpers - grep your .config
or maybe lsmod and see what shows up.

Andy.

I would suggest looking at the FTP server logs. The issue is likely
one of the following.

1. The machine your FTP server is on is behind a firewall and does not
have permission to connect to the active IP/port used by the FTP
client.

2. The client is behind a firewall and is unable to accept active
connections.

3. The client is using NAT and is reporting it's internal IP address
when sending the PORT command instead of the IP address of the external
NAT address.

In all cases look in your logs for the PORT command to see what IP/port
is being sent by the client. This will be in the following form

PORT x,x,x,x,y1,y2

x is the comma separated IP address and the port is (y1 * 256) + y2

Van Glass
JSCAPE
Managed File Transfer and Security Solutions
http://www.jscape.com/secureftpserver/

Vincent wrote:
> I wasn't sure where else to post this, so this seemed like a good spot.
> One of our customers was having difficulties establishing an active
> FTP connection with our server, so I decided to attempt a passive
> connection. The passive connection worked, but I am a little confused
> as to why. I am using the ProFTPD ftp server that comes included with
> the ClarkConnect Gatway package. It was my understanding that passive
> connections had to be explicitly configured. In other words, you would
> have to open up a range of unprivileged ports on the router and direct
> them to the ftp server. I haven't done this, but the ftp transfer is
> working correctly. How is this possible? Is it possible that the
> router is opening these ports up on the fly? A quick check of netstat
> shows that the data connection has been opened up on unprivileged ports
> on both sides. I just want to know how this is working. Thanks.
>
> -Vincent