This will be the first of a couple of articles on FTP, as I’ve been asked to post this information in an easy-to-read format in a public place where it can be referred to. I think my expertise in developing and supporting WFTPD and WFTPD Pro allow me to be reliable on this topic. Oh, that and the fact that I’ve contributed to a number of RFCs on the subject.

## Enough TCP to be dangerous

First, a quick refresher on TCP – every TCP connection can be thought of as being associated with a “socket” at each device along the way – from one computer, through routers, to the other computer. The socket is identified by five individual items – the local IP address, the local port, the remote IP address, the remote port, and the protocol (in this case, the protocol is TCP).

Firewalls are essentially a special kind of router, with rules not only for how to forward data, but also rules on connection requests to drop or allow. Once a connection request is allowed, the entire flow of traffic associated with that connection request is allowed, also – any traffic flow not associated with a previously allowed connection request is discarded. When you set up a firewall to allow access to a server, you have to consider the first segment – the “SYN”, or connection request from the TCP client to the TCP server. The rule can refer to any data that would identify the socket to be created, such as “allow any connection request where the source IP address is 10.1.1.something, and the destination port is 54321”.

Typically, an external-facing firewall will allow all outbound connections, and have rules only for inbound connections. As a result, firewall administrators are used to saying things like “to enable access to the web server, simply open port 80”, whereas what they truly mean is to add a rule that applies to incoming TCP connection requests whose source address and source port could be anything, but whose destination port is 80, and whose destination address is that of the web server. This is usually written in some shorthand, such as “allow tcp 0.0.0.0:0 10.1.2.3:80”, where “0.0.0.0” stands for “any address” and “:0” stands for “any port”.

## Firewall rules for FTP

For an FTP server, firewall rules are known to be a little trickier than for most other servers. Sure, you can set up the rule “allow tcp 0.0.0.0:0 10.1.2.3:21”, because the default port for the control connection of FTP is 21. That only allows the control connection, though. In the default transfer mode of “Stream”, every file transfer gets its own data connection.
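The stateful behaviour and rule shorthand described above, as an added Python model (not code from WFTPD or from the original post): connection requests are matched against rules, later segments pass only if their socket's connection request was already allowed, and an FTP data connection arriving on a port other than 21 is dropped because no rule covers it. The client address and port numbers are constructed for the illustration.

```python
from typing import NamedTuple

class Segment(NamedTuple):
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True only for the connection request

def parse_rule(text):
    """Parse the shorthand 'allow tcp 0.0.0.0:0 10.1.2.3:21' into a 5-tuple."""
    action, proto, src, dst = text.split()
    assert action == "allow", "only 'allow' rules are modelled here"
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return (proto, src_ip, int(src_port), dst_ip, int(dst_port))

def rule_matches(rule, seg):
    """0.0.0.0 stands for any address and port 0 for any port."""
    proto, src_ip, src_port, dst_ip, dst_port = rule
    return (proto == seg.proto and src_ip in ("0.0.0.0", seg.src_ip)
            and src_port in (0, seg.src_port) and dst_ip in ("0.0.0.0", seg.dst_ip)
            and dst_port in (0, seg.dst_port))

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.allowed_flows = set()  # sockets whose connection request was allowed

    def filter(self, seg):
        """Return 'allow' or 'drop' for one inbound segment."""
        socket = seg[:5]  # the five items that identify the socket
        if seg.syn:  # only connection requests are checked against the rules
            if any(rule_matches(r, seg) for r in self.rules):
                self.allowed_flows.add(socket)
                return "allow"
            return "drop"
        # Anything else passes only if its connection was previously allowed.
        return "allow" if socket in self.allowed_flows else "drop"

def ftp_demo():
    """Constructed traffic to FTP server 10.1.2.3 with only port 21 opened."""
    fw = Firewall([parse_rule("allow tcp 0.0.0.0:0 10.1.2.3:21")])
    client = "198.51.100.7"  # constructed client address
    control_syn = Segment("tcp", client, 40001, "10.1.2.3", 21, syn=True)
    control_rest = Segment("tcp", client, 40001, "10.1.2.3", 21)
    # A Stream-mode data connection uses another port, so no rule matches it.
    data_syn = Segment("tcp", client, 40002, "10.1.2.3", 50123, syn=True)
    return [fw.filter(s) for s in (control_syn, control_rest, data_syn)]
```

`ftp_demo()` returns `["allow", "allow", "drop"]`: the control connection and its later segments pass, the separate data connection request does not.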