Re: FTP- DATA or gt 1023 ?

From: Dan Pontrelli (dp595@xxxxxxxxxxxxx)
Date: Mon Jul 29 2002 - 14:58:48 GMT-3


   
The answer is that it depends on whether the ftp server is running active or
passive FTP.
For active FTP you also need to allow the FTP server to initiate a
connection from port 20 to >1024 on the client (which is often seen as a
security risk since clients usually initiate TCP connections).
For passive FTP the server does not initiate any connections, and the client
initiates the data connection from a port >1024 to a port >1024 on the
server.
Some passive FTP servers allow you to specify a range of ports (for security
reasons) that the client may connect to for the data session when using
passive FTP; therefore, if you know that the range is 1050-1100, you can allow
only that range.

Dan Pontrelli
CCIE# 8040

> Here's my concern.
> I've got several references that conflict. When simply allowing
> FTP services through the perimeter to a subnet or host on the
> intranet, is it <ftp-data> or <gt 1023>?
> The port 21 goes w/o question.
>
> Solie says w/ confidence that a common mistake w/ FTP is
> opening the ftp-data(port 20) when in fact a random port
> above 1023 is what's needed.
>
> I'll be labbing it out while waiting for feedback.
>
> KPalmer
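
Added example, not code from the original post or its quoted question: in both modes it is the control channel (port 21) that announces where the data connection will go, the client's PORT command in active mode and the server's "227 Entering Passive Mode" reply in passive mode. The script below parses those two messages, sanity-checks them (address must match the control-connection peer, port must be unprivileged and, for passive, inside the server's configured range), and renders the Cisco IOS extended-ACL line that would have to permit the data connection's first SYN. The addresses 192.0.2.10 and 10.1.1.5, the passive range 1050-1100 and ACL number 101 are constructed for the demo, not taken from the thread.

```python
"""Derive the firewall rule an FTP data connection needs from the control channel.

Added example, not code from the original post. Parses the client's PORT
command (active mode) and the server's 227 reply (passive mode), checks them,
and renders the IOS extended-ACL permit for the data connection's first SYN.
All addresses, the passive port range and the ACL number are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# "PORT h1,h2,h3,h4,p1,p2" from the client; "227 ... (h1,h2,h3,h4,p1,p2)" from the server.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(fields: Sequence[str]) -> Tuple[str, int]:
    """Turn the six comma-separated fields into (ip, port); port = p1*256 + p2."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % (fields,))
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return ".".join(str(n) for n in nums[:4]), port


@dataclass
class DataConnection:
    mode: str                 # "active" or "passive"
    src_ip: str               # side that sends the SYN
    src_port: Optional[int]   # None = unprivileged ephemeral port (>1023)
    dst_ip: str
    dst_port: int


def plan_active(client_ip: str, server_ip: str, port_cmd: str) -> DataConnection:
    """Active mode: client sends PORT, server connects from TCP 20 to client:port."""
    m = PORT_RE.match(port_cmd)
    if not m:
        raise ValueError("not a PORT command: %r" % port_cmd)
    ip, port = decode_hostport(m.groups())
    # The address in PORT must be the control-connection peer; anything else is
    # the classic FTP bounce pattern and should be refused.
    if ip != client_ip:
        raise ValueError("PORT names %s but control peer is %s" % (ip, client_ip))
    if port <= 1023:
        raise ValueError("client asked for privileged data port %d" % port)
    return DataConnection("active", server_ip, 20, client_ip, port)


def plan_passive(client_ip: str, server_ip: str, reply: str,
                 passive_range: Optional[Tuple[int, int]] = None) -> DataConnection:
    """Passive mode: server answers 227, client connects from ephemeral to server:port."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 reply: %r" % reply)
    ip, port = decode_hostport(m.groups())
    if ip != server_ip:
        raise ValueError("227 names %s but server is %s" % (ip, server_ip))
    if port <= 1023:
        raise ValueError("server offered privileged data port %d" % port)
    if passive_range and not (passive_range[0] <= port <= passive_range[1]):
        raise ValueError("port %d outside configured passive range %s" % (port, passive_range))
    return DataConnection("passive", client_ip, None, server_ip, port)


def acl_line(conn: DataConnection, acl: int = 101,
             passive_range: Optional[Tuple[int, int]] = None) -> str:
    """IOS extended-ACL permit for the data SYN. The negotiated port changes
    every session, so the rule covers the whole range (or gt 1023), never
    just the single port seen in this exchange."""
    if conn.mode == "active":
        # Applied outbound from the server's side: server:20 -> client:>1023
        return "access-list %d permit tcp host %s eq 20 any gt 1023" % (acl, conn.src_ip)
    dst = "range %d %d" % passive_range if passive_range else "gt 1023"
    # Applied inbound toward the server: client:ephemeral -> server:range
    return "access-list %d permit tcp any host %s %s" % (acl, conn.dst_ip, dst)


if __name__ == "__main__":
    client, server, prange = "192.0.2.10", "10.1.1.5", (1050, 1100)   # constructed
    active = plan_active(client, server, "PORT 192,0,2,10,4,1")      # 4*256+1 = 1025
    passive = plan_passive(client, server,
                           "227 Entering Passive Mode (10,1,1,5,4,30).", prange)  # 1054
    print(active, acl_line(active))
    print(passive, acl_line(passive, passive_range=prange))
```

Note the direction of each rule: with the server on the intranet, the active-mode data rule is for traffic leaving the intranet (server:20 to client:>1023), while the passive-mode rule is inbound to the server, which is the one the original question was about; if the server's passive range is known, the rule can be narrowed from gt 1023 to that range.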



This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:36:48 GMT-3