Passive port range not used in Plain-FTP

baystrow
500 Command not understood
Posts: 3
Joined: 2018-05-29 17:05

Passive port range not used in Plain-FTP

#1 Post by baystrow » 2018-05-29 17:31

Hi,

I'm facing a strange behaviour when connecting to my FTP Server from the outside.

1 - FileZilla Server is set to use port range 4000-5000.

2 - Connecting from LAN in plain FTP uses a port from the specified port range when going into passive mode.

3 - Connecting from the outside in plain FTP uses a random port (last test gave me port 17868 for example).

4 - Connecting from LAN or outside in FTPS, both gave me a port from the defined port range.

I'm trying to figure out why this is happening when connecting from the outside in plain FTP...

If someone could give me a hint as to why, it would be greatly appreciated :)

Thanks

botg
Site Admin
Posts: 35509
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Passive port range not used in Plain-FTP

#2 Post by botg » 2018-05-29 17:49

You have a faulty firewall or NAT router that sabotages the connection by arbitrarily changing the data exchanged.

baystrow
500 Command not understood
Posts: 3
Joined: 2018-05-29 17:05

Re: Passive port range not used in Plain-FTP

#3 Post by baystrow » 2018-05-29 18:50

Something is not right here, I don't see any reason as to why it could happen in plain FTP and not FTPS.

Client log:
Response: 227 Entering Passive Mode (xxx,xxx,xxx,xxx,72,115)

Server log:
(x.x.x.x)> 227 Entering Passive Mode (xxx,xxx,xxx,xxx,16,54)

Network connections on the server during session:
Image

As you can see in the server log, client was assigned port 4150 and it's confirmed in the network monitor. So where does port 18547 come from?

I don't see any reason for my Fortigate firewall to mess this up, but I'll see if we can look into it further for diagnosis.

Thanks for your help

boco
Contributor
Posts: 26914
Joined: 2006-05-01 03:28
Location: Germany

Re: Passive port range not used in Plain-FTP

#4 Post by boco » 2018-05-29 20:40

> Something is not right here, I don't see any reason as to why it could happen in plain FTP and not FTPS.

FTPS traffic cannot be sabotaged by firewalls because of the end-to-end encryption.

In Passive mode, all ports are at the server side, the client is NOT assigned ANY port. The client is merely told the port to connect to.

Server proposes port 4150 to the client (16*256+54), which is inside your set range. That information is sabotaged by the firewall and exchanged with other information (port remapping). Easily done because the traffic isn't encrypted, everything and anything can be read and modified by each and every station/node the traffic flows through. That includes passwords.
FTPS traffic is encrypted and looks like just binary gibberish to the firewall. Unrecognized traffic cannot be sabotaged.

Analogy:

Plain FTP = postcard
FTPS = letter written in unbroken Enigma code

As a postman, which of the two can you read/modify easily?
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org
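
The port arithmetic from post #4, applied to the two 227 replies logged in post #3, as an added example that is not part of any post in this thread. It parses the server-side and client-side 227 lines, computes each port as p1*256+p2, and reports when the values differ in transit or fall outside the configured passive range. The address octets are constructed placeholders (the thread redacts them as xxx); the port bytes and the 4000-5000 range are the ones quoted in the thread, and the function names are hypothetical.

```python
import re

# Six comma-separated fields of a 227 reply: h1,h2,h3,h4,p1,p2
PASV_RE = re.compile(
    r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_227(line):
    """Return (host, port) from a 227 reply; port = p1*256 + p2."""
    m = PASV_RE.search(line)
    if not m:
        raise ValueError(f"not a 227 passive reply: {line!r}")
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"field above 255 in: {line!r}")
    host = ".".join(str(n) for n in nums[:4])
    return host, nums[4] * 256 + nums[5]

def compare_pasv(server_line, client_line, port_range):
    """Compare the 227 reply the server logged with the one the client saw."""
    lo, hi = port_range
    s_host, s_port = parse_227(server_line)
    c_host, c_port = parse_227(client_line)
    findings = []
    if not lo <= s_port <= hi:
        findings.append(
            f"server offered port {s_port}, outside configured range {lo}-{hi}")
    if c_port != s_port:
        findings.append(
            f"port changed in transit: server sent {s_port}, client got {c_port}")
    if c_host != s_host:
        findings.append(f"address changed in transit: {s_host} -> {c_host}")
    return {"server": (s_host, s_port), "client": (c_host, c_port),
            "rewritten": (s_host, s_port) != (c_host, c_port),
            "findings": findings}

# Constructed sample lines: 192.0.2.10 is a documentation address standing in
# for the redacted octets; the port bytes are those from the logs in post #3.
SERVER_LOG = "(x.x.x.x)> 227 Entering Passive Mode (192,0,2,10,16,54)"
CLIENT_LOG = "Response: 227 Entering Passive Mode (192,0,2,10,72,115)"

if __name__ == "__main__":
    result = compare_pasv(SERVER_LOG, CLIENT_LOG, (4000, 5000))
    print("server:", result["server"], "client:", result["client"])
    for finding in result["findings"]:
        print("-", finding)
```

A mismatch between the two lines for the same session means a device on the path edited the control channel, which is what the FTP session helper did here.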

baystrow
500 Command not understood
Posts: 3
Joined: 2018-05-29 17:05

Re: Passive port range not used in Plain-FTP

#5 Post by baystrow » 2018-05-29 22:03

Thank you for pointing me in the right direction and for your explanations.

As you said, the firewall was the culprit; the FTP session helper messed up the whole thing :(

botg
Site Admin
Posts: 35509
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Passive port range not used in Plain-FTP

#6 Post by botg » 2018-05-29 22:09

Ah yes, "helpers".

Navishkars
500 Command not understood
Posts: 1
Joined: 2018-07-31 20:16
First name: Navishkar
Last name: Sadheo

Re: Passive port range not used in Plain-FTP

#7 Post by Navishkars » 2018-08-02 08:18

OMG! Thank you guys so so much. I have been breaking my head trying to figure this out as well. It was also an issue on my firewall. Something to do with packet inspection or something like that. You guys pointed me in the right direction.

#appreciate

StandardTool
504 Command not implemented
Posts: 8
Joined: 2016-08-12 14:48
First name: Standard
Last name: Tool

Re: Passive port range not used in Plain-FTP

#8 Post by StandardTool » 2018-08-29 15:52

How did you eventually fix the issue?
