Archived Forum Post

Question:

Force FTP Client to use Specific Ports in Passive Mode?

Mar 21 '13 at 15:46

We have checked the notes and website but are still not having any luck when the product is run behind a stateful firewall.

The issue we are having is that Yahoo (our FTP host) just forced us to use FTPS with TLS authentication. This of course is encrypting everything so we are calling the CCC. I am still getting reports that when the program is initiated behind a Cisco ASA firewall the negotiated ports are across the ENTIRE range (up to 64,000).

One of my customers has done testing and the ONLY way he can get our packets through is to open all internal ports of the computer (ip) that is generating the request. That is not a permanent solution for him of course.

We believe that we are running passive mode. Is there any way to have the initial connection set to port 21 (std ftp) and then have the negotiated ports forced into a range (3000-3010) or something? This way I can have a defined set of ports for the firewall rules to be set and pass.


Answer

See this Chilkat blog post relating to determining FTP connection settings.

Also, please note that in Passive mode, it is the FTP server that chooses the port for the data connection. If non-passive (also known as "active" mode) is instead used, then Chilkat provides two properties for controlling the port range: ActivePortRangeStart and ActivePortRangeEnd.

Passive vs. Active modes are explained below:

Active Mode: The FTP client chooses a port number and sends a "PORT" command to the FTP server. The FTP client then listens at the chosen port and the FTP server issues a connect request to establish the connection. The data connection is outgoing from the FTP server, and incoming to the FTP client.

Passive Mode: The FTP client sends a PASV command to the FTP server. The FTP server chooses a port number and sends it in the PASV response. The FTP server then listens at that port for the incoming connect request from the FTP client. The data connection is incoming to the FTP server, and outgoing from the FTP client.
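The two exchanges described above, as an added example that is not part of the original answer and is not Chilkat code: it decodes the h1,h2,h3,h4,p1,p2 tuple carried by a PASV 227 reply or a PORT command (port = p1*256 + p2) and checks the data port against a firewall range. The sample lines and addresses are constructed, the function names are hypothetical, and the 3000-3010 range is the one proposed in the question.

```python
import re

# Constructed sample control-channel lines (documentation addresses, not real hosts).
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)"
SAMPLE_PORT_CMD = "PORT 198,51,100,7,11,184"

# Six comma-separated decimal fields: four address octets, then port high/low bytes.
_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_endpoint(line):
    """Return (ip, port) from a PASV 227 reply or a PORT command."""
    m = _TUPLE.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % line)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % line)
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]


def build_port_command(ip, port):
    """Build the PORT command an active-mode client sends for its listening socket."""
    if not 0 < port < 65536:
        raise ValueError("port out of range: %r" % port)
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port >> 8, port & 0xFF)


def data_connection(line, lo, hi):
    """Say which side picked the port and listens, and whether lo..hi covers it."""
    ip, port = parse_endpoint(line)
    passive = line.lstrip().startswith("227")
    side = "server" if passive else "client"
    return {
        "mode": "passive" if passive else "active",
        "chosen_by": side,   # the side that chose the port also listens on it
        "listener": side,
        "endpoint": (ip, port),
        "in_range": lo <= port <= hi,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_PASV_REPLY, SAMPLE_PORT_CMD):
        print(sample, "->", data_connection(sample, 3000, 3010))
```

In the passive sample the server picked port 50000, which a client-side setting cannot pull into 3000-3010; only the active-mode PORT value is under the client's control. A stateful firewall can only derive these ports itself while it can read the control channel.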


Answer

Thank you for your quick response. We tried using active mode to specify the port range but were unsuccessful. Do you have a code example of an active connection that is established then the data ports set to a range? We are coding in VB6 currently.


Answer

Have had the same problem as setting the start and end does nothing.