
October 25, 2007

Port Range for Passive FTP?

Question:
Is there a way to know what outbound port range is being used for a Passive SSL FTP connection?

I saw that your DLL provides ActivePortRangeStart and ActivePortRangeEnd properties. Do these only work with active connections or can they be used to limit the outbound ports of a passive connection?

Our IS administrator prefers to limit the number of open outbound ports that exist in our company’s firewall.

Answer:

The ActivePortRangeStart and ActivePortRangeEnd properties control the port range chosen by the Chilkat FTP2 component for active mode transfers. They do not apply to passive mode transfers because in that case the FTP server chooses the data port and reports it in its reply to the PASV command. (The client then connects to the remote host:port and the data transfer takes place over that connection.)

If you have a deep inspection firewall, it will see the PASV reply and dynamically open a hole for that port for a short time to allow the connection. If you don’t have a deep inspection firewall, and you know in advance the port range used by the FTP server in question, you can allow that port range. If you intend to connect to any FTP server on the Internet, then you’ll need to allow the entire ephemeral port range (typically 1024 through 4999).

Note: If the FTP control channel is encrypted, a deep inspection firewall will not be able to parse the PASV reply to get the port number.
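To find out which data ports a particular server actually hands out, so that the firewall rule can be narrowed to that range, the PASV reply can be parsed from a session log and checked against the permitted outbound range. The following is an added example, not Chilkat code: the function names are hypothetical, the sample replies are constructed, and it goes slightly beyond the answer above by also accepting the RFC 2428 EPSV (229) reply form.

```python
import re

# RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2); RFC 2428 EPSV reply: 229 ... (|||port|)
PASV_RE = re.compile(r"^227 .*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")


def parse_passive_reply(line, control_peer_ip):
    """Return (host, port) the client will connect to for the data channel.

    control_peer_ip is the server address of the control connection; EPSV
    replies carry only a port, so the data host is the control peer.
    """
    line = line.strip()
    m = PASV_RE.match(line)
    if m:
        nums = [int(g) for g in m.groups()]
        if any(n > 255 for n in nums):
            raise ValueError("octet out of range in PASV reply: %r" % line)
        host = ".".join(str(n) for n in nums[:4])
        port = nums[4] * 256 + nums[5]  # high byte, low byte
    else:
        m = EPSV_RE.match(line)
        if not m:
            raise ValueError("not a 227/229 passive reply: %r" % line)
        host, port = control_peer_ip, int(m.group(2))
    if not 1 <= port <= 65535:
        raise ValueError("invalid data port %d" % port)
    return host, port


def check_reply(line, control_peer_ip, allowed_start, allowed_end):
    """Classify one reply against the outbound range the firewall permits."""
    host, port = parse_passive_reply(line, control_peer_ip)
    return {
        "host": host,
        "port": port,
        "port_allowed": allowed_start <= port <= allowed_end,
        # A data host that differs from the control peer is worth a look
        # (NAT misconfiguration, or a reply pointing the client elsewhere).
        "host_matches_control": host == control_peer_ip,
    }


if __name__ == "__main__":
    # Constructed sample replies (documentation addresses), not captured traffic.
    for reply in ("227 Entering Passive Mode (192,0,2,10,195,80)",
                  "229 Entering Extended Passive Mode (|||50021|)"):
        print(check_reply(reply, "192.0.2.10", 50000, 50100))
```

As the note above says, this only works on replies that are readable in the clear; with an encrypted control channel the reply has to be taken from the client's own session log rather than from the wire.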


Copyright 2000-2011 Chilkat Software, Inc. All rights reserved.