Is there a standard port for (ftp over) TLS ? - Firewalls


  1. Is there a standard port for (ftp over) TLS ?

    I have to set up an ftp server and would like to enable TLS.

    I have to configure the firewall as well.

    Is there a different standard port for TLS (for ftp it's 21)?

    Maybe it's a pair of ports, similar to standard ftp: 21 + 22
    One port for data and one port for protocol negotiations?

    Is there a difference if I use "implicit" or "explicit" TLS mode ?

    Marcus


  2. Re: Is there a standard port for (ftp over) TLS ?

    In comp.security.firewalls Marcus Mender wrote:
    > I have to set up an ftp server and would like to enable TLS.
    >
    > I have to configure the firewall as well.
    >
    > Is there a different standard port for TLS (for ftp it's 21)?
    >
    > Maybe it's a pair of ports, similar to standard ftp: 21 + 22
    > One port for data and one port for protocol negotiations?


    Port 22/tcp is SSH, not FTP. FTP uses port 21/tcp inbound and either
    port 20/tcp outbound (active mode) or an arbitrary port > 1023/tcp
    inbound (passive mode).

    Anyway, since you want encryption and have to traverse a firewall it
    would probably be a better approach to dump FTP and use SSH instead.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  3. Re: Is there a standard port for (ftp over) TLS ?

    Marcus Mender wrote:
    > I have to set up an ftp server and would like to enable TLS.
    >
    > I have to configure the firewall as well.
    >
    > Is there a different standard port for TLS (for ftp it's 21)?
    >
    > Maybe it's a pair of ports, similar to standard ftp: 21 + 22
    > One port for data and one port for protocol negotiations?
    >
    > Is there a difference if I use "implicit" or "explicit" TLS mode ?


    ftps-data 989/tcp ftp protocol, data, over TLS/SSL
    ftps-data 989/udp ftp protocol, data, over TLS/SSL
    ftps 990/tcp ftp protocol, control, over TLS/SSL
    ftps 990/udp ftp protocol, control, over TLS/SSL

    versus the usual

    ftp-data 20/tcp File Transfer [Default Data]
    ftp-data 20/udp File Transfer [Default Data]
    ftp 21/tcp File Transfer [Control]
    ftp 21/udp File Transfer [Control]

    http://www.iana.org/assignments/port-numbers

  4. Re: Is there a standard port for (ftp over) TLS ?

    On Sun, 14 Jan 2007 13:35:18 +0000, Marcus Mender wrote:

    > Is there a different standard port for TLS (for ftp it's 21)?


    No.

    > Maybe it's a pair of ports, similar to standard ftp: 21 + 22


    Active mode FTP data connections normally run over one port below that of
    the control connection (which indeed is defined, by IANA, to be 21; making
    the standard data port 20.)

    > One port for data and one port for protocol negotiations?


    Yes.

    And in active mode you know the data port beforehand. But since it is
    the server connecting (from port 20) to a random port >1024 on the
    client, and you're encrypting the negotiation, clients won't know which
    port to open and will very probably disallow this...

    In passive mode you don't really know which port the server is going to use,
    however you can define a 'port range' it should pick from, and let that
    through the firewall along with port 21.

    http://www.ford-hutchinson.com/~fh-1...irewall-07.txt

    > Is there a difference if I use "implicit" or "explicit" TLS mode ?


    Yes. Either you implicitly rely on the server to encrypt the data
    connection as well, or explicitly tell it to, or not to, do so.

    The latter uses different ports (990 control, and 989 active-mode data
    usually), however this method is basically deprecated.

    --
    -Menno.

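    The point Menno makes above is that a firewall (or an FTP ALG / connection-tracking helper) learns the data port only by reading the PASV/EPSV reply or PORT command on the control connection, which FTPS encrypts. The following is an added example, not code from the thread, that does exactly that parsing on constructed sample replies and checks the advertised port against an assumed passive range that the server is configured to use and the firewall opens statically.

    ```python
    import re

    # Constructed samples of what a cleartext FTP server/client sends on the
    # control connection. Over FTPS these bytes are inside TLS, so a firewall
    # cannot read them and cannot open the data port dynamically.
    PASV_REPLY = "227 Entering Passive Mode (192,168,1,10,195,88)"
    EPSV_REPLY = "229 Entering Extended Passive Mode (|||50008|)"
    PORT_CMD = "PORT 10,0,0,5,4,1"  # active mode: client names its listening port

    # Assumed passive port range configured on the FTPS server and permitted on
    # the firewall alongside 21/tcp (explicit TLS) or 990/tcp (implicit TLS).
    PASV_RANGE = (50000, 50099)

    _HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
    _EPSV_RE = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


    def _host_port(text):
        """Decode the h1,h2,h3,h4,p1,p2 encoding shared by PASV replies and PORT."""
        m = _HOSTPORT_RE.search(text)
        if not m:
            raise ValueError("no h1,h2,h3,h4,p1,p2 tuple found")
        octets = [int(x) for x in m.groups()]
        if any(o > 255 for o in octets):
            raise ValueError("byte out of range")
        return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]


    def parse_pasv(reply):
        """Return (host, port) from a 227 reply."""
        if not reply.startswith("227"):
            raise ValueError("not a PASV reply")
        return _host_port(reply)


    def parse_port_cmd(cmd):
        """Return (host, port) the client advertises in an active-mode PORT command."""
        if not cmd.upper().startswith("PORT "):
            raise ValueError("not a PORT command")
        return _host_port(cmd)


    def parse_epsv(reply):
        """Return the port from a 229 reply; EPSV carries the port in decimal."""
        m = _EPSV_RE.search(reply)
        if not m or not reply.startswith("229"):
            raise ValueError("not an EPSV reply")
        return int(m.group(1))


    def data_port_allowed(port, pasv_range=PASV_RANGE):
        """Static firewall check: is the advertised port inside the opened range?"""
        lo, hi = pasv_range
        return lo <= port <= hi


    def port_visible_to_firewall(reply, control_encrypted):
        """A helper can only learn the data port when the control channel is cleartext."""
        return None if control_encrypted else parse_pasv(reply)[1]
    ```
    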

  5. Re: Is there a standard port for (ftp over) TLS ?

    On Sun, 14 Jan 2007 20:15:42 +0100, Menno Duursma wrote:
    > On Sun, 14 Jan 2007 13:35:18 +0000, Marcus Mender wrote:


    [ FTPS stuff ]

    >> Is there a difference if I use "implicit" or "explicit" TLS mode ?

    >
    > Yes. Either you implicitly rely on the server to encrypt the data
    > connection as well, or explicitly tell it to, or not to, do so.
    >
    > The latter uses different ports (990 control, and 989 active-mode data


    s/latter/former/

    ( However this is that 'later', and more widely supported, method
    conforming to RFC 4217 )

    > usually), however this method is basically deprecated.


    --
    -Menno.

  6. Re: Is there a standard port for (ftp over) TLS ?

    On Sun, 14 Jan 2007 13:35:18 +0000 Marcus Mender wrote:

    > I have to set up an ftp server and would like to enable TLS.
    >
    > I have to configure the firewall as well.
    >
    > Is there a different standard port for TLS (for ftp it's 21)?


    No

    > Maybe it's a pair of ports, similar to standard ftp: 21 + 22


    Ports are 20 and 21 if you are speaking about active FTP [1].

    > One port for data and one port for protocol negotiations?


    Yes

    > Is there a difference if I use "implicit" or "explicit" TLS mode ?


    Yes, see http://en.wikipedia.org/wiki/FTPS:

    "Implicit FTPS is an older, but still widely implemented style in which
    the client connects to a different port (usually 990), and an SSL
    handshake is performed before any FTP commands are sent."

    > Marcus


    Basically the same decisions regarding firewalling (active and/or passive
    FTP) apply to the situation when using TLS secured FTP. But in addition,
    if your firewall is doing NAT as well there is a rather big chance that
    FTP connections with TLS security will fail.

    http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html

    Alexander

    [1] http://slacksite.com/other/ftp.html


    --
    Alexander Dalloz | Löhne, Germany | GPG http://pgp.mit.edu 0xB366A773
    legal statement: http://www.uni-x.org/legal.html
    Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
    Serendipity 10:36:33 up 1 day, 12:03, load average: 0.22, 0.24, 0.19


  7. Re: Is there a standard port for (ftp over) TLS ?

    I'd suggest starting by scanning your services file for TLS and seeing
    all of the ports reserved for it. Try an internet search on TLS and also
    look at the RFCs for TLS. (RFCs are available on the internet too.)

    Phil Sherman


    Marcus Mender wrote:
    > I have to set up an ftp server and would like to enable TLS.
    >
    > I have to configure the firewall as well.
    >
    > Is there a different standard port for TLS (for ftp it's 21)?
    >
    > Maybe it's a pair of ports, similar to standard ftp: 21 + 22
    > One port for data and one port for protocol negotiations?
    >
    > Is there a difference if I use "implicit" or "explicit" TLS mode ?
    >
    > Marcus
    >


  8. Re: Is there a standard port for (ftp over) TLS ?

    Hi
    This is good and useful information. But when I tried to add TLS and SSL ports to ISA 2004 rules I did not find TLS or SSL protocols, I only found TCP or UDP.
    I was planning to make one rule like this:
    Name :Allow FTP
    Protocols :FTP- FTPS
    From :Internal
    To :External
    Condition :FTP Users (now it has tcp configured)

    Inside condition I did not find TLS or SSL.
    Can you help me?

  9. Re: Is there a standard port for (ftp over) TLS ?

    Can anyone help me? I want to know how to configure the PIX firewall to support FTP over SSL.
