Opened 14 years ago

Last modified 13 years ago

#924 closed Bug report

Use Of Source Port 22 On Non-Secure FTP Data Connection

Reported by: alexoss Owned by:
Priority: normal Component: FileZilla Server
Keywords: Cc: alexoss, Tim Kosse
Component version: Operating system type:
Operating system version:

Description

I'm using FileZilla Server 0.9.9. The first active mode transfer I initiate behaves normally: the data connection is made from the server to the client with the source port of 20. While that first transfer is running, the next transfer fails, as follows: The initial data connection packet is sent from the server to the client with the source port of 22 and a random destination port (typically set with the PORT command). But the return packet, which has a destination port of 22 because that's what Filezilla chose, is blocked by our firewall because we do not allow traffic on the SSH port (according to IANA, at http://www.iana.org/assignments/port-numbers). I shouldn't have to open a port in our firewall (even for just established-connection traffic) where a known service might be running.

Here are Filezilla logs for this scenario; I'm using the Windows command-line FTP client.

(000012) 7/29/2005 12:26:24 PM - (not logged in) (70.20.144.155)> Connected, sending welcome message...
(000012) 7/29/2005 12:26:24 PM - (not logged in) (70.20.144.155)> 220-FileZilla Server version 0.9.9 beta
(000012) 7/29/2005 12:26:24 PM - (not logged in) (70.20.144.155)> 220-written by Tim Kosse (Tim.Kosse@…)
(000012) 7/29/2005 12:26:24 PM - (not logged in) (70.20.144.155)> 220 Please visit http://sourceforge.net/projects/filezilla/
(000012) 7/29/2005 12:26:27 PM - (not logged in) (70.20.144.155)> USER theplatform
(000012) 7/29/2005 12:26:27 PM - (not logged in) (70.20.144.155)> 331 Password required for theplatform
(000012) 7/29/2005 12:26:29 PM - (not logged in) (70.20.144.155)> PASS
(000012) 7/29/2005 12:26:29 PM - theplatform (70.20.144.155)> 230 Logged on
(000012) 7/29/2005 12:26:31 PM - theplatform (70.20.144.155)> TYPE I
(000012) 7/29/2005 12:26:31 PM - theplatform (70.20.144.155)> 200 Type set to I
(000012) 7/29/2005 12:26:41 PM - theplatform (70.20.144.155)> PORT 70,20,144,155,19,137
(000012) 7/29/2005 12:26:41 PM - theplatform (70.20.144.155)> 200 Port command successful
(000012) 7/29/2005 12:26:41 PM - theplatform (70.20.144.155)> STOR 2005_0709Image0157.AVI
(000012) 7/29/2005 12:26:41 PM - theplatform (70.20.144.155)> 150 Opening data channel for file transfer.
(000013) 7/29/2005 12:28:22 PM - (not logged in) (70.20.144.155)> Connected, sending welcome message...
(000013) 7/29/2005 12:28:22 PM - (not logged in) (70.20.144.155)> 220-FileZilla Server version 0.9.9 beta
(000013) 7/29/2005 12:28:22 PM - (not logged in) (70.20.144.155)> 220-written by Tim Kosse (Tim.Kosse@…)
(000013) 7/29/2005 12:28:22 PM - (not logged in) (70.20.144.155)> 220 Please visit http://sourceforge.net/projects/filezilla/
(000013) 7/29/2005 12:28:38 PM - (not logged in) (70.20.144.155)> USER theplatform
(000013) 7/29/2005 12:28:38 PM - (not logged in) (70.20.144.155)> 331 Password required for theplatform
(000013) 7/29/2005 12:28:48 PM - (not logged in) (70.20.144.155)> PASS
(000013) 7/29/2005 12:28:48 PM - theplatform (70.20.144.155)> 230 Logged on
(000013) 7/29/2005 12:28:58 PM - theplatform (70.20.144.155)> PORT 70,20,144,155,19,138
(000013) 7/29/2005 12:28:58 PM - theplatform (70.20.144.155)> 200 Port command successful
(000013) 7/29/2005 12:29:02 PM - theplatform (70.20.144.155)> LIST
(000013) 7/29/2005 12:29:02 PM - theplatform (70.20.144.155)> 150 Opening data channel for directory list.
(000013) 7/29/2005 12:29:12 PM - theplatform (70.20.144.155)> 425 Can't open data connection.

Here are the pertinent firewall log entries; list 101 is inbound packets, and list 102 are outbound packets; all permitted packets are non-established (i.e. connection-initiating):

Fri Jul 29 12:26:25 2005 <190>858383: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 70.20.144.155(3858) -> 198.181.237.7(21), 1 packet
Fri Jul 29 12:26:42 2005 <190>858387: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 198.181.237.7(20) -> 70.20.144.155(5001), 1 packet
Fri Jul 29 12:28:19 2005 <190>858398: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 70.20.144.155(3879) -> 198.181.237.7(21), 1 packet
Fri Jul 29 12:29:02 2005 <190>858403: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 198.181.237.7(22) -> 70.20.144.155(5002), 1 packet
Fri Jul 29 12:29:07 2005 <190>858406: %SEC-6-IPACCESSLOGP: list 101 denied tcp 70.20.144.155(5002) -> 198.181.237.7(22), 1 packet
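As an added example (not part of the ticket or of FileZilla Server's code), the check below decodes the PORT commands from the FileZilla log, correlates them with the firewall's outbound entries, and flags any server-initiated data connection that did not originate from port 20, which is exactly how the second transfer shows up in the logs above. The log lines and the server address are taken from the ticket; the regular expressions for the two log formats are assumptions.

```python
import re

# Log lines taken from the ticket above (joined onto one line each); the
# regular expressions below are assumptions about the two log formats.
FZ_LOG = """\
(000012) 7/29/2005 12:26:41 PM - theplatform (70.20.144.155)> PORT 70,20,144,155,19,137
(000013) 7/29/2005 12:28:58 PM - theplatform (70.20.144.155)> PORT 70,20,144,155,19,138
"""
FW_LOG = """\
Fri Jul 29 12:26:42 2005 <190>858387: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 198.181.237.7(20) -> 70.20.144.155(5001), 1 packet
Fri Jul 29 12:29:02 2005 <190>858403: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 198.181.237.7(22) -> 70.20.144.155(5002), 1 packet
Fri Jul 29 12:29:07 2005 <190>858406: %SEC-6-IPACCESSLOGP: list 101 denied tcp 70.20.144.155(5002) -> 198.181.237.7(22), 1 packet
"""
SERVER_IP = "198.181.237.7"
FTP_DATA_PORT = 20  # RFC 959: the server opens active-mode data connections from port L-1

PORT_RE = re.compile(r"\((?P<client>[\d.]+)\)> PORT (?P<args>[\d,]+)")
FW_RE = re.compile(r"list \d+ (?:permitted|denied) tcp "
                   r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)")


def port_cmd_to_endpoint(args):
    """Decode PORT h1,h2,h3,h4,p1,p2 into (client_ip, client_port)."""
    nums = [int(x) for x in args.split(",")]
    if len(nums) != 6 or any(n < 0 or n > 255 for n in nums):
        raise ValueError("malformed PORT argument: %r" % args)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def expected_data_endpoints(fz_log):
    """Endpoints the clients asked the server to connect back to."""
    return {port_cmd_to_endpoint(m.group("args")) for m in PORT_RE.finditer(fz_log)}


def find_unexpected_source_ports(fz_log, fw_log, server_ip):
    """Flag server-initiated data connections whose source port is not 20.

    Only outbound packets from the server to an endpoint announced by a
    PORT command are considered, so unrelated traffic is never reported.
    """
    expected = expected_data_endpoints(fz_log)
    findings = []
    for line in fw_log.splitlines():
        m = FW_RE.search(line)
        if not m or m.group("src") != server_ip:
            continue  # inbound packet or not the FTP server: skip
        dst = (m.group("dst"), int(m.group("dport")))
        sport = int(m.group("sport"))
        if dst in expected and sport != FTP_DATA_PORT:
            findings.append({"client": dst, "source_port": sport})
    return findings
```

Running the check on the ticket's logs reports one finding: the connection to 70.20.144.155:5002 opened from source port 22.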

Change History (1)

comment:1 Changed 13 years ago by Tim Kosse

Please upgrade to the latest version of FileZilla Server. There won't be support for outdated versions.

See http://sourceforge.net/project/showfiles.php?group_id=21558&package_id=21737 for download links.
