Clarification on FTP Server Implementation of PASV - TCP-IP


  1. Clarification on FTP Server Implementation of PASV

    When an FTP Server implements the PASV command to enter passive mode, is it
    allowed to change both the IP address as well as the server port? We are
    finding that with at least one commercial firewall the PASV support is
    breaking when the FTP server enters passive mode and changes its IP address.
    I want to verify that it is legal behavior for the FTP server to do this
    before complaining too much to the firewall vendor.

    --
    Will



  2. Re: Clarification on FTP Server Implementation of PASV

    In article <4KidnY26g60tmFvVnZ2dnUVZ_hydnZ2d@giganews.com>,
    "Will" wrote:

    > When an FTP Server implements the PASV command to enter passive mode, is it
    > allowed to change both the IP address as well as the server port? We are
    > finding that with at least one commercial firewall the PASV support is
    > breaking when the FTP server enters passive mode and changes its IP address.
    > I want to verify that it is legal behavior for the FTP server to do this
    > before complaining too much to the firewall vendor.


    Yes, it's allowed -- why else would the reply include the IP address, if
    it has to be the same as the original server IP?

    However, firewalls are often more restrictive than the basic protocols
    are. Many protocols were designed with little consideration given to
    the security implications, and firewalls are supposed to protect you
    from attempts to exploit these features.

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE don't copy me on replies, I'll read them in the group ***

  3. Re: Clarification on FTP Server Implementation of PASV

    Hello,

    Barry Margolin wrote:
    > "Will" wrote:
    >
    >
    >>When an FTP Server implements the PASV command to enter passive mode, is it
    >>allowed to change both the IP address as well as the server port?

    >
    > Yes, it's allowed -- why else would the reply include the IP address, if
    > it has to be the same as the original server IP?


    To keep consistency with the PORT reply format?

    However, note that the extended passive mode command EPSV (see RFC 2428)
    does not transmit the address thus assuming it is the same as the server
    address, although it is indicated that this may change in the future.
    Also it seems that some FTP clients ignore the address provided in the
    PASV reply.

    Providing a different address in the PORT command has been used for
    server-to-server direct transfer, sometimes referred to as "FXP". What
    has a different address in the PASV reply been used for?
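
Added example, not part of the thread: a Python sketch of how a client or inspecting proxy can parse the 227 (PASV) and 229 (EPSV) replies discussed above and decide which address to use for the data connection. The function names, the `allow_foreign` switch and the sample replies are assumptions made for illustration; the default of substituting the control-connection peer when the PASV address differs is one possible policy, matching the clients mentioned above that ignore the advertised address.

```python
import re

# RFC 959 PASV reply carries h1,h2,h3,h4,p1,p2; RFC 2428 EPSV reply carries only a port.
PASV_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
EPSV_RE = re.compile(r"\((.)\1\1(\d{1,5})\1\)")  # e.g. (|||6446|)


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply line."""
    m = PASV_RE.search(reply) if reply.startswith("227") else None
    if not m:
        raise ValueError("not a valid 227 reply")
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("address or port field out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def parse_epsv(reply):
    """Return the port advertised in a 229 reply line (no address is sent)."""
    m = EPSV_RE.search(reply) if reply.startswith("229") else None
    if not m or not 0 < int(m.group(2)) < 65536:
        raise ValueError("not a valid 229 reply")
    return int(m.group(2))


def data_endpoint(reply, control_peer, allow_foreign=False):
    """Pick the data-connection target; returns (ip, port, note).

    control_peer is the address the control connection is actually talking to.
    A PASV address that differs from it is only honoured if allow_foreign is set.
    """
    if reply.startswith("229"):
        return control_peer, parse_epsv(reply), "epsv"
    ip, port = parse_pasv(reply)
    if ip == control_peer:
        return ip, port, "match"
    if allow_foreign:
        return ip, port, "foreign-accepted"
    return control_peer, port, "foreign-ignored"
```

Logging the `foreign-ignored` and `foreign-accepted` cases shows how often a server really advertises a different address, which is the evidence needed before taking the question to a firewall vendor.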
