FTP Non-Standard Ports

  • From: Logan Ramirez <LoganRamirez@xxxxxxxxxxxxxx>
  • To: "'isalist@xxxxxxxxxxxxx'" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 5 Feb 2002 10:35:01 -0600

Does anyone know why it is so difficult to ftp to a non-standard port?
 
Maybe it's just me...
 
Back-to-back private DMZ setup, and FTP in both directions (from internal
network and external network into DMZ) works perfectly on standard port 21 in
both active and passive modes; however, when I try to FTP to another port, I
get either 500 INVALID PORT COMMAND or Operation Timed Out (depending on
PORT or PASV mode, respectively).
 
I am testing with IE 6.0 and also with command line ftp (windows XP) from
internal network.
 
I dropped a sniffer on all 3 devices, internal host, internal ISA, and DMZ
ftp server (IIS running on windows 2000 DC) and watched the packets float
across, and even in true passive mode, with an 'all ports allowed' packet
filter enabled and a 'all protocol allowed' filter, only standard port 21
worked.  
 
So strange though...same testing environment, from internal host into DMZ,
and when in passive mode I see the packets generated as such for port 21:
(numbers made up for convenience)
 
client 2872 -->  server 21
server 21 ---> client 2872 (with PORT command informing client of its
listening data port)
client 3154 --> server 5156 
server 5156 --> client 3154
 
for ftp to non-standard port, say 5153:

client 2872 -->  server 5153
server 5153 ---> client 2872 (with PORT command informing client of its
listening data port)
client 3154 --> server 5156 
No server response.  Operation timed out.  
 
The packet is never seen on the FTP server, but what the heck is so
different about a client making a second request to some random high port
when its initial request was to standard FTP port 21 versus a client making
a request to some random high port when its initial request was to
non-standard FTP port 5153?

I tried SP1, firewall client software (may have done this incorrectly),
making the client a secureNAT client...
 
Sure could use some conversation to get more ideas flowing.
 
Hope this finds all well.
 
Logan
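The two exchanges described above, modelled as an added example that is not part of the original post or of any ISA Server code. It assumes the kind of firewall FTP application filter that only inspects control connections on ports it has been told are FTP (port 21 by default): for an inspected connection it parses the RFC 959 "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply (passive) or the client's "PORT h1,h2,h3,h4,p1,p2" command (active), computes the data port as p1*256 + p2, and opens a pinhole for exactly that data connection. On a control port it does not recognise as FTP it sees only opaque TCP, no pinhole is opened, and the client's connection to the server's data port is dropped, which is the timeout seen on 5153. The addresses and port numbers are constructed (5156 and 3154 reuse the made-up numbers from the post), and the filter model is an assumption used for illustration, not a description of ISA Server's implementation.

```python
import re
from dataclasses import dataclass, field

# The two ways the data-channel endpoint is announced on the control channel
# (RFC 959). Passive: the server replies "227 ... (h1,h2,h3,h4,p1,p2)".
# Active: the client sends "PORT h1,h2,h3,h4,p1,p2".
PASV_REPLY = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_CMD = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_endpoint(match):
    """Turn the six comma-separated octets into (ip, port); port = p1*256 + p2."""
    octets = [int(g) for g in match.groups()]
    if any(not 0 <= x <= 255 for x in octets):
        raise ValueError("octet out of range in FTP endpoint")
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class FtpAwareFilter:
    """Toy model (an assumption, not ISA Server's real filter) of a firewall
    FTP application filter. Only control connections whose server port is in
    ftp_control_ports are inspected; a data connection is allowed only if an
    inspected control channel opened a pinhole for it."""
    ftp_control_ports: set = field(default_factory=lambda: {21})
    pinholes: set = field(default_factory=set)  # (src_ip, dst_ip, dst_port)

    def control_traffic(self, client, server, server_port, line):
        """Observe one control-channel line. Returns the parsed endpoint
        when a pinhole is opened, None when nothing is recognised."""
        if server_port not in self.ftp_control_ports:
            return None  # not inspected: just opaque TCP to the filter
        m = PASV_REPLY.match(line)
        if m:
            ip, port = parse_endpoint(m)
            self.pinholes.add((client, ip, port))  # client -> server data port
            return ("pasv", ip, port)
        m = PORT_CMD.match(line)
        if m:
            ip, port = parse_endpoint(m)
            self.pinholes.add((server, ip, port))  # server (port 20) -> client
            return ("port", ip, port)
        return None

    def data_allowed(self, src, dst, dst_port):
        """Would a new data connection src -> dst:dst_port get through?"""
        return (src, dst, dst_port) in self.pinholes


def demo():
    """Replay the post's two passive-mode scenarios (constructed addresses)."""
    client, server = "10.0.0.5", "10.0.1.10"
    pasv_reply = "227 Entering Passive Mode (10,0,1,10,20,36)"  # 20*256+36 = 5156
    results = {}
    for control_port in (21, 5153):
        fw = FtpAwareFilter()  # default: inspects port 21 only
        fw.control_traffic(client, server, control_port, pasv_reply)
        results[control_port] = fw.data_allowed(client, server, 5156)
    # Same non-standard port, but the filter now treats 5153 as FTP as well.
    fw = FtpAwareFilter(ftp_control_ports={21, 5153})
    fw.control_traffic(client, server, 5153, pasv_reply)
    results["5153-configured"] = fw.data_allowed(client, server, 5156)
    return results


if __name__ == "__main__":
    print(demo())
```

The `demo()` result shows the asymmetry from the post: with control on port 21 the data connection to 5156 is allowed, with control on 5153 it is not, and it is allowed again once the filter is configured to treat 5153 as an FTP control port. The same `control_traffic` path handles active mode, where the client's PORT command opens a pinhole for the server's inbound connection to the client's announced port instead.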
