ALEXintlsos

Reputation: 1889

What Standard/RFC Specifies That Passive Mode FTP Ports Must Be Greater Than 1023?

I'm negotiating with our network admins on how they should configure their firewall to allow me to use my FTP client for passive mode with both FTP and FTPS, and they've asked for specific destination ports to permit through. It's been my understanding that FTP servers' responses to the PASV command will always specify ports greater than 1023, but I'm unable to find a standard or documentation which declares this explicitly!

RFC 959 appears to come close, because in section 5.3.2 it defines the BNF as follows:

<port-number> ::= <number>,<number> 
<number> ::= any decimal integer 1 through 255

(although that's actually for the PORT command, but I assume it's assumed that the same format is used by the 227 response to PASV).

This was subsequently determined to be incorrect in Errata ID 3039, because of course the number should be 0 through 255. But this means that the port number could be ANY port number from 0 through 65535.

Why is it required to end up being in the non-System port range of 1024-65535? Is there some other RFC which says so?

Upvotes: 0

Views: 591

Answers (1)

Remy Lebeau

Reputation: 598134

Have a look at RFC 1579 Firewall-Friendly FTP. It mentions the following (on the client side though, not the server side):

The FTP specification says that by default, all data transfers should be over a single connection. An active open is done by the server, from its port 20 to the same port on the client machine as was used for the control connection. The client does a passive open.

For better or worse, most current FTP clients do not behave that way. A new connection is used for each transfer; to avoid running afoul of TCP's TIMEWAIT state, the client picks a new port number each time and sends a PORT command announcing that to the server.

Neither scenario is firewall-friendly. If a packet filter is used (as, for example, provided by most modern routers), the data channel requests appear as incoming calls to unknown ports. Most firewalls are constructed to allow incoming calls only to certain believed-to-be-safe ports, such as SMTP. The usual compromise is to block only the "server" area, i.e., port numbers below 1024. But that strategy is risky; dangerous services such as X Windows live at higher-numbered ports.

Not really a definite requirement that a server must use a non-system port >= 1024. But it is a common practice in modern systems.

IIRC, on old systems, system ports 1-1023 were only usable in low-level system/kernel services (which is partly why they are reserved to begin with) and could not be used in user-mode apps that were not running with system privileges. So an FTP server could accept clients on port 21 and perform transfers on port 20, but not on any other system ports, so PASV port ranges had to be >= 1024.

Upvotes: 1
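The practical point behind both the question (how the 227 reply encodes the port) and the answer (the server is not required by RFC 959 to pick a port >= 1024, so the client should check) is easiest to see in code. The following is an added example, not code from the original post or from any particular FTP client: it parses a 227 reply the way RFC 959 section 4.1.2 defines it (six 8-bit fields h1,h2,h3,h4,p1,p2, data port = p1*256 + p2, each field 0 through 255 as corrected by errata 3039) and then checks the resulting port against a firewall range. The sample replies and the 50000-50100 range are constructed for illustration and are assumptions, not values from the page.

```python
import re
from typing import NamedTuple


class PasvEndpoint(NamedTuple):
    """Host and data port announced by a 227 'Entering Passive Mode' reply."""
    host: str
    port: int


# RFC 959 fixes only the six comma-separated numbers, not the surrounding
# text, so real servers wrap them in different words and brackets. Pulling
# out the first six-number group is the usual, format-tolerant approach.
_PASV_FIELDS = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_pasv_reply(line: str) -> PasvEndpoint:
    """Parse a 227 reply line into (host, port), validating each field."""
    if not line.startswith("227"):
        raise ValueError(f"not a 227 reply: {line!r}")
    m = _PASV_FIELDS.search(line)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 group in reply: {line!r}")
    fields = [int(x) for x in m.groups()]
    # Each field is one octet: 0 through 255 (errata 3039 to RFC 959 5.3.2;
    # the original BNF said 1 through 255).
    bad = [f for f in fields if f > 255]
    if bad:
        raise ValueError(f"field(s) out of 0..255 range: {bad}")
    h1, h2, h3, h4, p1, p2 = fields
    port = p1 * 256 + p2          # RFC 959: data port is p1 * 256 + p2
    if port == 0:
        raise ValueError("server announced port 0, which cannot be connected to")
    return PasvEndpoint(f"{h1}.{h2}.{h3}.{h4}", port)


def encode_port_pair(port: int) -> str:
    """Inverse of the above: the 'p1,p2' pair for a given data port (0..65535)."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return f"{port // 256},{port % 256}"


def port_allowed(port: int, low: int = 1024, high: int = 65535) -> bool:
    """True if the announced data port falls inside the range the firewall permits.

    The defaults reflect the common practice discussed above (non-system
    ports); nothing in RFC 959 guarantees a server stays inside any range,
    so a client negotiating firewall rules should check before connecting.
    """
    return low <= port <= high


def check_reply(line: str, low: int = 1024, high: int = 65535) -> dict:
    """Parse a reply and report whether its port is acceptable for the firewall."""
    ep = parse_pasv_reply(line)
    return {"host": ep.host, "port": ep.port, "allowed": port_allowed(ep.port, low, high)}


if __name__ == "__main__":
    # Constructed sample replies (assumption: these are not from any real server).
    samples = [
        "227 Entering Passive Mode (192,0,2,10,195,149).",   # port 50069
        "227 Entering Passive Mode (192,0,2,10,0,20)",       # port 20, a system port
        "227 Entering Passive Mode (192,0,2,10,195,300)",    # p2 > 255, invalid
    ]
    for s in samples:
        try:
            # Hypothetical firewall rule: admins permit 50000-50100 for data connections.
            print(s, "->", check_reply(s, low=50000, high=50100))
        except ValueError as e:
            print(s, "-> rejected:", e)
```

The second sample shows why the check matters: a server announcing p1=0,p2=20 is syntactically valid under the corrected BNF but would send the client to a system port the firewall is unlikely to permit, and the third shows a reply that must be rejected rather than silently truncated.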
