SUMMARY: Netscape ftp blocked by our firewall

From: Michel Pilon (pilonm@CCG.RNCan.gc.ca)
Date: Wed Jan 15 1997 - 09:48:04 CST


Sorry for the soooo long delay. Too much punch during Christmas... ;-)

Here is the original question:

> Our customers are unable to open a Netscape ftp connection on our
> wu-ftp anonymous site.
>
> I am using firewall-1 and in the log file, I can clearly see the first
> ftp connection (service 20) going through the firewall and reaching our
> ftp server. But after this first connection, another one is requested
> for a port number > 1024 and this port number is never the same??? Of
> course, my firewall blocks it and then our customer is unable to ftp
> our site :-(.
>
> So I deduce that Netscape FTP does not use the service #20 for the
> duration of the connection (as other ftp software does) but uses it to
> originate the first connection and then asks for another port to
> connect and transfer the data.
>
> I would like to know if somebody has the same behavior from Netscape
> ftp and how you correct the situation. Are your customers able to
> connect to your ftp site using Netscape ftp without being blocked by
> your firewall?

And the answer is:

        There are two kinds of ftp connections:
                        - Normal mode FTP connections
                        - Passive mode FTP connections
        
Normal mode FTP:

        a) Client opens command channel to server; tells server second
           port number
        b) Server acknowledges
        c) Server opens data channel to client's second port
        d) Client acknowledges
        
Used by unix ftp (like wu-ftp), WS-FTP, etc.
        
Passive mode FTP:

        a) Client opens command channel to server; requests passive mode
        b) Server allocates port for data channel; tells client port number
           (That's why it is always changing...)
        c) Client opens data channel to server's second port
        d) Server acknowledges
        
Used by Netscape, Explorer, Mosaic, etc.
                        
        Most browsers (including Netscape) use passive mode for ftp. That
explains why our customers were able to ftp using Unix ftp but not using
Netscape.

So the solution is to "Enable FTP PASV Connections" in the "Security
Policy" menu of the Firewall-1 software.

If you need more info about the ftp behavior in normal and pasv mode, just
write me back.

A big thanks to:

"Plesha, Thomas A. (NSLC Pacific)" <TPlesha@seacosd.navy.mil>
Dan Pritts <danno@fv.com>
raju@hoho.ecologic.net
bleary@state.ma.us
petrilli@www.uol.com
mal@getech.leeds.ac.uk
Jochen Bern <bern@penthesilea.uni-trier.de>
cdonahue@mtb.phil.mop.com (Craig Donahue)
"Feeney, Tim" <Tim.Feeney@FMR.COM>
"Trevor Paquette" <tpaquett@aec.ca>
Mary Holstege <holstege@firstfloor.COM>
gaele@twinfo.nl (Gaele Strootman)
"Carl W. Kalbfleisch" <cwk@onramp.net>
Roberto Galoppini <rgaloppini@tim.it>
Pierre Pezziardi <Pierre.Pezziardi@sycomore.fr>

--
Michel Pilon                        E-mail: michel.pilon@CCG.RNCan.gc.ca
Unix systems administrator          Tel:    (819) 564-4819
Centre d'information topographique  Fax:    (819) 564-5698
2144 King Ouest, suite 010, Sherbrooke, Quebec, Canada, J1J 2E8
http://cyniska.ubishops.ca/pilonm
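The two exchanges summarized in the post, as an added illustration that is not part of the original message, of wu-ftpd, or of any FireWall-1 code: a Python model of the control-channel commands and replies for normal (active) and passive mode, plus a toy firewall that accepts inbound connections to the server only on tcp/21 and, when PASV inspection is switched on, opens a one-shot pinhole for the port announced in the server's 227 reply. The addresses, the server's ephemeral port, and the firewall's rule set are constructed assumptions for the example; no sockets are opened.

```python
"""Model of active vs passive FTP data channels and a stateless-vs-FTP-aware
firewall. Added example; constructed values, no real network traffic."""
import re
from typing import Set, Tuple

# Constructed, non-routable example addresses (RFC 5737 documentation ranges).
SERVER_IP = "192.0.2.10"     # the anonymous ftp server behind the firewall
CLIENT_IP = "198.51.100.7"   # a customer's browser on the outside

_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def _hostport(groups) -> Tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by both PORT and 227."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Parse the server's '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'.
    The data port is p1*256 + p2, chosen by the server from its ephemeral
    range: that is why it is above 1024 and differs on every connection."""
    m = _PASV_RE.match(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    return _hostport(m.groups())


def build_port_command(host: str, port: int) -> str:
    """Build the client's PORT command for normal (active) mode: the client
    names one of its own ports and the server connects to it from port 20."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return f"PORT {host.replace('.', ',')},{port // 256},{port % 256}"


def parse_port_command(cmd: str) -> Tuple[str, int]:
    """Server-side decoding of a PORT command into (client host, port)."""
    m = _PORT_RE.match(cmd)
    if not m:
        raise ValueError(f"not a PORT command: {cmd!r}")
    return _hostport(m.groups())


class FtpAwareFirewall:
    """Toy model (an assumption of this example) of the firewall in front of
    the server: inbound is accepted only to tcp/21, outbound data connections
    only from server port 20. With pasv_inspection on, a 227 reply seen on
    the control channel opens a one-shot pinhole for the announced port."""

    def __init__(self, server_ip: str, pasv_inspection: bool = False):
        self.server_ip = server_ip
        self.pasv_inspection = pasv_inspection
        self.pinholes: Set[Tuple[str, int]] = set()

    def observe_control_reply(self, reply: str) -> None:
        if self.pasv_inspection and reply.startswith("227"):
            self.pinholes.add(parse_pasv_reply(reply))

    def allows_inbound(self, dst_ip: str, dst_port: int) -> bool:
        if dst_ip == self.server_ip and dst_port == 21:
            return True
        if (dst_ip, dst_port) in self.pinholes:
            self.pinholes.discard((dst_ip, dst_port))  # one data connection
            return True
        return False

    def allows_outbound(self, src_ip: str, src_port: int) -> bool:
        return src_ip == self.server_ip and src_port == 20


def simulate_transfer(mode: str, pasv_inspection: bool = False) -> bool:
    """Walk the control-channel exchange for one mode and report whether the
    data channel gets through the firewall (True on success)."""
    fw = FtpAwareFirewall(SERVER_IP, pasv_inspection)
    if not fw.allows_inbound(SERVER_IP, 21):          # step a: control channel
        return False
    if mode == "active":
        # step a/b: client names its data port (1025 here), server acknowledges
        host, port = parse_port_command(build_port_command(CLIENT_IP, 1025))
        # step c: server opens the data channel from port 20 to the client
        return fw.allows_outbound(SERVER_IP, 20) and (host, port) == (CLIENT_IP, 1025)
    if mode == "passive":
        # step a: client sends PASV; step b: server announces a fresh port
        reply = "227 Entering Passive Mode (192,0,2,10,195,149)"  # constructed
        fw.observe_control_reply(reply)    # the firewall sees the reply too
        host, port = parse_pasv_reply(reply)
        # step c: client opens the data channel to the server's second port
        return fw.allows_inbound(host, port)
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    print("active mode          :", simulate_transfer("active"))
    print("passive, no PASV rule:", simulate_transfer("passive", False))
    print("passive, PASV enabled:", simulate_transfer("passive", True))
```

Run as a script it prints True, False, True: active mode passes because the server originates the data connection from port 20, passive mode is dropped by the plain rule set because the client's second connection lands on an unpredictable high port, and it passes once the firewall reads the 227 reply, which is the effect the post attributes to "Enable FTP PASV Connections".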



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:42 CDT