Passive port range not used in Plain-FTP
Moderator: Project members
Hi,
I'm facing a strange behaviour when connecting to my FTP Server from the outside.
1 - Filezilla Server is set to use port range 4000-5000.
2 - Connecting from LAN in plain FTP uses one of the specified port range when going into passive mode.
3 - Connecting from the outside in plain FTP uses a random port (last test gave me port 17868 for example).
4 - Connecting from LAN or outside in FTPS, both gave me a port from the defined port range.
I'm trying to figure out why this is happening when connecting from the outside in plain FTP...
If someone could give me a hint as for why, it would be greatly appreciated
Thanks
Re: Passive port range not used in Plain-FTP
You have a faulty firewall or NAT router that sabotages the connection by arbitrarily changing the data exchanged.
Re: Passive port range not used in Plain-FTP
This is something not right, I don't see any reason as to why it could happen in plain FTP and not FTPS.
Client log:
Response: 227 Entering Passive Mode (xxx,xxx,xxx,xxx,72,115)
Server log:
(x.x.x.x)> 227 Entering Passive Mode (xxx,xxx,xxx,xxx,16,54)
Network connections on the server during session:
As you can see in the server log, client was assigned port 4150 and it's confirmed in the network monitor. So where does port 18547 come from?
I don't see any reason for my Fortigate firewall to mess this up, but I'll see if we can further look into for diagnosis.
Thanks for your help
Re: Passive port range not used in Plain-FTP
"This is something not right, I don't see any reason as to why it could happen in plain FTP and not FTPS."
FTPS traffic cannot be sabotaged by firewalls because of the end-to-end encryption.
In Passive mode, all ports are at the server side, the client is NOT assigned ANY port. The client is merely told the port to connect to.
Server proposes port 4150 to the client (16*256+54), which is inside your set range. That information is sabotaged by the firewall and exchanged with other information (port remapping). Easily done because the traffic isn't encrypted, everything and anything can be read and modified by each and every station/node the traffic flows through. That includes passwords.
FTPS traffic is encrypted and looks like just binary gibberish to the firewall. Unrecognized traffic cannot be sabotaged.
Analogy:
Plain FTP = postcard
FTPS = letter written in unbroken Enigma code
As postman, which of the two you can read/modify easily?
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org
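The port arithmetic from the reply above, as an added example that is not part of the original thread: it decodes the 227 replies from the server and client logs and reports whether the port changed in transit. The function names `pasv_port` and `compare_pasv` are hypothetical; the log lines and the 4000-5000 range are the ones posted in the thread.

```python
import re

# Six comma-separated fields of a 227 reply. Host octets may be masked ("xxx")
# as in the logs posted in this thread; only the last two fields carry the port.
PASV_RE = re.compile(r"227 [^(]*\((?:\w+,){4}(\d{1,3}),(\d{1,3})\)")

def pasv_port(line):
    """Return the data port announced in a 227 reply, or None if there is none."""
    m = PASV_RE.search(line)
    if m is None:
        return None
    p1, p2 = int(m.group(1)), int(m.group(2))
    if p1 > 255 or p2 > 255:
        raise ValueError("port fields must be 0-255: " + line)
    return p1 * 256 + p2

def compare_pasv(server_line, client_line, port_range):
    """Compare what the server logged as sent with what the client received."""
    sent, seen = pasv_port(server_line), pasv_port(client_line)
    if sent is None or seen is None:
        raise ValueError("both log lines must contain a 227 reply")
    low, high = port_range
    return {
        "sent": sent,
        "seen": seen,
        "sent_in_range": low <= sent <= high,
        "rewritten_in_transit": sent != seen,
    }

if __name__ == "__main__":
    # Log lines as posted in the thread (addresses masked by the poster).
    server = "(x.x.x.x)> 227 Entering Passive Mode (xxx,xxx,xxx,xxx,16,54)"
    client = "Response: 227 Entering Passive Mode (xxx,xxx,xxx,xxx,72,115)"
    result = compare_pasv(server, client, (4000, 5000))
    print(result)
    if result["rewritten_in_transit"]:
        print("A device between server and client rewrote the 227 reply.")
```

A mismatch between the two sides with the server's value inside the configured range means the server is behaving correctly and the rewrite happened on the path.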
Re: Passive port range not used in Plain-FTP
Thank you for pointing me in the right direction and for your explanations.
As you said the firewall was the culprit, FTP session helper messed up the whole thing.
Re: Passive port range not used in Plain-FTP
Ah yes, "helpers".
- 500 Command not understood
- Posts: 1
- Joined: 2018-07-31 20:16
- First name: Navishkar
- Last name: Sadheo
Re: Passive port range not used in Plain-FTP
OMG! Thank you guys so so much. I have been breaking my head trying to figure this out as well. Was also an issue on my firewall. Something to do with packet inspection or something like that. You guys pointed me in the right direction.
#appreciate
- 504 Command not implemented
- Posts: 8
- Joined: 2016-08-12 14:48
- First name: Standard
- Last name: Tool
Re: Passive port range not used in Plain-FTP
How did you eventually fix the issue?