Configuring Linux firewalls and routers for vsftp on a non-standard port

Ben Scott dragonhawk at gmail.com
Thu Mar 29 15:06:10 EDT 2007


On 3/29/07, Ted Roche <tedroche at tedroche.com> wrote:
> So, I've attempted to move ftp to a non-standard port,
[...]
> My question: Why did I have to add the passive address and port range to
> the ftp server to get it to work?

  FTP is a really broken protocol by today's standards.  The design
actually dates back to *before* TCP/IP was even created.  So it's
funky.  Specifically, FTP uses two channels (TCP sessions): One is
called the "command channel", the other is the "data channel".

  The command channel is always the server listening on TCP/21, and
the client connecting to same.  The client issues FTP commands over
this channel.  When data -- including directory listings -- needs to
be sent, a data channel is created and used.

  In "active mode" FTP, the *client* listens on an ephemeral port
(different for each FTP command).  The client specifies this port in
its commands to the server.  The *server* initiates a connection back
to the client.  Data channel established.

  In passive mode, the server listens on an ephemeral port (again,
different for each FTP command).  The server specifies this port in
its responses to the client.  The client makes a second connection to
said port.  Data channel established.

  All these NAT boxes (both at your house, and all the people in the
world) rewrite IP packets to use different port numbers.  They handle
FTP by looking for TCP/21 traffic, monitoring the FTP commands, and
re-routing packets dynamically.  (The Linux NetFilter project calls
this "connection tracking" of "RELATED" connections.)

  When you changed your FTP server to a non-standard port number, the
NAT boxes had no way of knowing that port 8021 was now actually FTP
traffic.

  By configuring vsftpd to use a particular port range, and forwarding
that port range manually, you make it work.

-- Ben
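As an added example (not part of Ben's message or of the vsftpd project), a small POSIX shell script that generates the vsftpd fragment and the iptables rules implied above for a control port of 8021. The passive range 50000-50100 and the address 203.0.113.10 are constructed values; the nf_conntrack_ftp `ports=` line shows the alternative of teaching connection tracking about the new port instead of opening the range by hand.

```shell
#!/bin/sh
# Added example, not code from the thread. Port 8021 comes from the
# message; the passive range and pasv_address below are constructed.
set -eu

CTRL_PORT=8021
PASV_MIN=50000
PASV_MAX=50100
PASV_ADDR=203.0.113.10   # public address the NAT box presents (constructed)

# vsftpd.conf lines: a fixed control port and a narrow, fixed passive
# range, so the data-channel ports are predictable and can be forwarded.
vsftpd_fragment() {
    printf 'listen_port=%s\n' "$CTRL_PORT"
    printf 'pasv_enable=YES\n'
    printf 'pasv_min_port=%s\n' "$PASV_MIN"
    printf 'pasv_max_port=%s\n' "$PASV_MAX"
    printf 'pasv_address=%s\n' "$PASV_ADDR"
}

# Firewall rules on the FTP host. Conntrack only inspects TCP/21 by
# default, so the passive range is opened explicitly; replies on the
# command channel are covered by the RELATED,ESTABLISHED rule.
iptables_rules() {
    printf 'iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n'
    printf 'iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' "$CTRL_PORT"
    printf 'iptables -A INPUT -p tcp --dport %s:%s -j ACCEPT\n' "$PASV_MIN" "$PASV_MAX"
}

# Alternative: tell the FTP conntrack helper about the new control port,
# so data connections are tracked as RELATED without a static range.
conntrack_helper_line() {
    printf 'modprobe nf_conntrack_ftp ports=21,%s\n' "$CTRL_PORT"
}

# Sanity check: the passive range must be non-empty and must not contain
# the control port, or the command and data channels would collide.
check_range() {
    [ "$PASV_MIN" -le "$PASV_MAX" ] || return 1
    { [ "$CTRL_PORT" -lt "$PASV_MIN" ] || [ "$CTRL_PORT" -gt "$PASV_MAX" ]; } || return 1
    return 0
}
```

Call `vsftpd_fragment` and `iptables_rules` to print the two fragments; `check_range` returns non-zero if the chosen ports are inconsistent.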