ipfw query
Martin Hopkins
martin.hopkins at insignia.com
Wed Jun 20 08:43:14 BST 2001
>>>>> "Matthew" == Matthew Seaman <m.seaman at plasm.demon.co.uk> writes:
Matthew> On Tue, Jun 19, 2001 at 10:04:29PM +0100, Jose Marques wrote:
>> On Tue, 19 Jun 2001, Jose Marques wrote:
>>
>> > I've noticed that the timer gets reset back to 300 whenever there's
>> > traffic so I guess it won't cause problems unless the connection is
>> > dormant for over 300 seconds (a pain for ssh sessions).
>>
>> Please ignore this, I forgot that ftp uses two connections. I assume that
>> the control connection lies dormant during the transfer and gets caught by
>> the 300 second limit.
Matthew> Ah, but now you have penetrated to the thing that
Matthew> perplexes me. FTP traditionally has used two connections
Matthew> by default, but because the second connection is made
Matthew> from the remote server back to you, it's often considered
Matthew> too risky to allow in many firewalls, including the
Matthew> rulesets that were shown earlier in this thread.
Matthew> Hence the alternative of passive mode FTP, where control
Matthew> and data use the same channel. This is typically the
Matthew> default for Netscape accessing ftp:// URLs, and setting
Matthew> FTP_PASSIVE_MODE=YES in your environment will enable it
Matthew> for ftp(1) and fetch(1).
Matthew> It's during long-lasting passive mode FTP sessions where
Matthew> I was seeing the problem. The data comes down just fine,
Matthew> but the immediately following exchange of packets to
Matthew> shut down the connection gets filtered, and fetch just
Matthew> hangs.
I may be wrong, but I thought passive ftp still used two connections -
PASV asks the server to open a port for the data connection and tell
the client so that it can connect, whereas with PORT the client opens a
port and sends the address to the server, which then connects.
Martin
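As an added illustration of the PASV/PORT distinction described in this reply (example code written for this page; it is not from the thread, from ftp(1), fetch(1) or ipfw), the following script decodes the RFC 959 h1,h2,h3,h4,p1,p2 encoding used by the `227` PASV reply and the `PORT` command, and reports which end listens and which end connects for each mode. Addresses and ports are constructed placeholders from the 192.0.2.0/24 documentation range, and the function names are this example's own.

```python
# Added example, not part of the original thread: the PASV and PORT
# exchanges on the FTP control channel (RFC 959 address encoding), showing
# which side opens the data connection in each mode. Addresses and ports
# are constructed placeholders; function names are this example's own.
import re

# RFC 959 encodes an IPv4 address and a 16-bit port as six decimal bytes:
# h1,h2,h3,h4,p1,p2 where port = p1 * 256 + p2.
_HOSTPORT_RE = re.compile(
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode_hostport(text):
    """Extract (host, port) from an h1,h2,h3,h4,p1,p2 tuple embedded in text."""
    m = _HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte value out of range in %r" % text)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def parse_pasv_reply(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'.

    Returns the (host, port) the client must connect to: in passive mode
    the server listens and the client initiates the data connection.
    """
    if not reply.startswith("227"):
        raise ValueError("not a successful PASV reply: %r" % reply)
    return _decode_hostport(reply)


def build_port_command(host, port):
    """Encode 'PORT h1,h2,h3,h4,p1,p2' for active mode.

    The client listens on host:port and the server initiates the data
    connection back to it, i.e. an inbound connection at the client's
    firewall.
    """
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % host)
    if not 0 < port < 65536:
        raise ValueError("port out of range: %r" % port)
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)


def parse_port_command(command):
    """Decode a PORT command the way the server side does."""
    if not command.upper().startswith("PORT "):
        raise ValueError("not a PORT command: %r" % command)
    return _decode_hostport(command)


def data_connection(mode, client_ip, client_port, pasv_reply=None):
    """Describe the data connection set up by one PASV or PORT exchange.

    Both modes produce a second TCP connection distinct from the control
    channel; they differ only in which end listens and which end connects.
    """
    if mode == "PASV":
        host, port = parse_pasv_reply(pasv_reply)
        return {"initiator": "client", "listener": "server",
                "connect_to": (host, port), "inbound_to_client": False}
    if mode == "PORT":
        command = build_port_command(client_ip, client_port)
        return {"initiator": "server", "listener": "client",
                "connect_to": parse_port_command(command),
                "inbound_to_client": True, "command": command}
    raise ValueError("mode must be 'PASV' or 'PORT', got %r" % mode)


if __name__ == "__main__":
    # Constructed exchange: client 192.0.2.20 talking to server 192.0.2.10.
    reply = "227 Entering Passive Mode (192,0,2,10,19,137)"  # constructed reply
    print("PASV:", data_connection("PASV", "192.0.2.20", 0, reply))
    print("PORT:", data_connection("PORT", "192.0.2.20", 49152))
```

The `inbound_to_client` flag is the property a firewall ruleset cares about: only PORT mode requires accepting a connection initiated by the remote server, which is why the earlier rulesets in the thread reject it. In both modes the control connection is a separate TCP session that carries nothing while the transfer runs, so a dynamic-rule timeout on it will expire during any transfer longer than the limit, regardless of mode.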