Ticket #924: Use Of Source Port 22 On Non-Secure FTP Data Connection
Reporter: alexoss
Type: Bug report
Status: closed
Priority: normal
Component: FileZilla Server
Cc: alexoss, Tim Kosse

Description:

I'm using FileZilla Server 0.9.9. The first active mode transfer I initiate behaves normally: the data connection is made from the server to the client with the source port of 20. While that first transfer is running, the next transfer fails, as follows: the initial data connection packet is sent from the server to the client with the source port of 22 and a random destination port (typically set with the PORT command). But the return packet, which has a destination port of 22 because that's what FileZilla chose, is blocked by our firewall because we do not allow traffic on the SSH port (according to IANA, at http://www.iana.org/assignments/port-numbers). I shouldn't have to open a port in our firewall (even for just established-connection traffic) where a known service might be running.

Here are FileZilla logs for this scenario; I'm using the Windows command-line FTP client.

(000012) 7/29/2005 12:26:24 PM - (not logged in) (70.20.144.155)> Connected, sending welcome message...
(000012) 7/29/2005 12:26:24 PM - (not logged in) (70.20.144.155)> 220-FileZilla Server version 0.9.9 beta
(000012) 7/29/2005 12:26:24 PM - (not logged in) (70.20.144.155)> 220-written by Tim Kosse (Tim.Kosse@gmx.de)
(000012) 7/29/2005 12:26:24 PM - (not logged in) (70.20.144.155)> 220 Please visit http://sourceforge.net/projects/filezilla/
(000012) 7/29/2005 12:26:27 PM - (not logged in) (70.20.144.155)> USER theplatform
(000012) 7/29/2005 12:26:27 PM - (not logged in) (70.20.144.155)> 331 Password required for theplatform
(000012) 7/29/2005 12:26:29 PM - (not logged in) (70.20.144.155)> PASS ************
(000012) 7/29/2005 12:26:29 PM - theplatform (70.20.144.155)> 230 Logged on
(000012) 7/29/2005 12:26:31 PM - theplatform (70.20.144.155)> TYPE I
(000012) 7/29/2005 12:26:31 PM - theplatform (70.20.144.155)> 200 Type set to I
(000012) 7/29/2005 12:26:41 PM - theplatform (70.20.144.155)> PORT 70,20,144,155,19,137
(000012) 7/29/2005 12:26:41 PM - theplatform (70.20.144.155)> 200 Port command successful
(000012) 7/29/2005 12:26:41 PM - theplatform (70.20.144.155)> STOR 2005_0709Image0157.AVI
(000012) 7/29/2005 12:26:41 PM - theplatform (70.20.144.155)> 150 Opening data channel for file transfer.
(000013) 7/29/2005 12:28:22 PM - (not logged in) (70.20.144.155)> Connected, sending welcome message...
(000013) 7/29/2005 12:28:22 PM - (not logged in) (70.20.144.155)> 220-FileZilla Server version 0.9.9 beta
(000013) 7/29/2005 12:28:22 PM - (not logged in) (70.20.144.155)> 220-written by Tim Kosse (Tim.Kosse@gmx.de)
(000013) 7/29/2005 12:28:22 PM - (not logged in) (70.20.144.155)> 220 Please visit http://sourceforge.net/projects/filezilla/
(000013) 7/29/2005 12:28:38 PM - (not logged in) (70.20.144.155)> USER theplatform
(000013) 7/29/2005 12:28:38 PM - (not logged in) (70.20.144.155)> 331 Password required for theplatform
(000013) 7/29/2005 12:28:48 PM - (not logged in) (70.20.144.155)> PASS ************
(000013) 7/29/2005 12:28:48 PM - theplatform (70.20.144.155)> 230 Logged on
(000013) 7/29/2005 12:28:58 PM - theplatform (70.20.144.155)> PORT 70,20,144,155,19,138
(000013) 7/29/2005 12:28:58 PM - theplatform (70.20.144.155)> 200 Port command successful
(000013) 7/29/2005 12:29:02 PM - theplatform (70.20.144.155)> LIST
(000013) 7/29/2005 12:29:02 PM - theplatform (70.20.144.155)> 150 Opening data channel for directory list.
(000013) 7/29/2005 12:29:12 PM - theplatform (70.20.144.155)> 425 Can't open data connection.

Here are the pertinent firewall log entries; list 101 is inbound packets, and list 102 is outbound packets; all permitted packets are non-established (i.e. connection-initiating):

Fri Jul 29 12:26:25 2005 <190>858383: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 70.20.144.155(3858) -> 198.181.237.7(21), 1 packet
Fri Jul 29 12:26:42 2005 <190>858387: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 198.181.237.7(20) -> 70.20.144.155(5001), 1 packet
Fri Jul 29 12:28:19 2005 <190>858398: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 70.20.144.155(3879) -> 198.181.237.7(21), 1 packet
Fri Jul 29 12:29:02 2005 <190>858403: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 198.181.237.7(22) -> 70.20.144.155(5002), 1 packet
Fri Jul 29 12:29:07 2005 <190>858406: %SEC-6-IPACCESSLOGP: list 101 denied tcp 70.20.144.155(5002) -> 198.181.237.7(22), 1 packet
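The ticket's firewall evidence can be checked mechanically: the PORT argument encodes the client's data port as p1*256 + p2 (RFC 959), so 70,20,144,155,19,137 is 5001 and 70,20,144,155,19,138 is 5002, exactly the destination ports in the list 102 entries, and an active-mode data connection is expected to leave the server from port 20. The following is an added example, not code from the ticket or from FileZilla Server: it decodes the PORT commands, parses the firewall entries quoted above (copied from the ticket), and flags any outbound data connection the FTP server opens from a source port other than 20, together with the inbound return packets the firewall denied. The regular expression is an assumption about the Cisco %SEC-6-IPACCESSLOGP line layout based only on the lines shown.

```python
"""Correlate FTP PORT commands with firewall ACL log entries to detect
active-mode data connections that the server sourced from a port other
than 20 (ftp-data).  Added example; not part of the ticket or of FileZilla.
"""
import re
from typing import Dict, List, Optional, Tuple

FTP_DATA_PORT = 20

# Log lines copied from the ticket (Cisco IOS ACL logging).
FIREWALL_LOG = [
    "Fri Jul 29 12:26:25 2005 <190>858383: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 70.20.144.155(3858) -> 198.181.237.7(21), 1 packet",
    "Fri Jul 29 12:26:42 2005 <190>858387: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 198.181.237.7(20) -> 70.20.144.155(5001), 1 packet",
    "Fri Jul 29 12:28:19 2005 <190>858398: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 70.20.144.155(3879) -> 198.181.237.7(21), 1 packet",
    "Fri Jul 29 12:29:02 2005 <190>858403: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 198.181.237.7(22) -> 70.20.144.155(5002), 1 packet",
    "Fri Jul 29 12:29:07 2005 <190>858406: %SEC-6-IPACCESSLOGP: list 101 denied tcp 70.20.144.155(5002) -> 198.181.237.7(22), 1 packet",
]

# PORT arguments copied from the FileZilla log in the ticket.
PORT_COMMANDS = ["70,20,144,155,19,137", "70,20,144,155,19,138"]

# Assumed layout of the ACL line, derived from the samples above.
ACL_RE = re.compile(
    r"list (?P<acl>\d+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\s*\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\s*\((?P<dport>\d+)\)"
)


def parse_port_command(arg: str) -> Tuple[str, int]:
    """Decode 'h1,h2,h3,h4,p1,p2' into (host, p1*256 + p2) per RFC 959."""
    fields = [int(x) for x in arg.split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError("malformed PORT argument: %r" % arg)
    host = ".".join(str(f) for f in fields[:4])
    return host, fields[4] * 256 + fields[5]


def data_ports_from_port_commands(port_args: List[str]) -> Dict[int, str]:
    """Map each client data port announced via PORT back to its raw argument."""
    return {parse_port_command(a)[1]: a for a in port_args}


def parse_acl_line(line: str) -> Optional[dict]:
    m = ACL_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("acl", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def flag_unexpected_data_sources(lines: List[str], ftp_server: str,
                                 outbound_acl: int) -> List[Tuple[int, int]]:
    """(source port, dest port) of outbound TCP connections the FTP server
    opened from a source port other than 20."""
    flagged = []
    for line in lines:
        rec = parse_acl_line(line)
        if rec is None or rec["acl"] != outbound_acl or rec["proto"] != "tcp":
            continue
        if (rec["src"] == ftp_server and rec["action"] == "permitted"
                and rec["sport"] != FTP_DATA_PORT):
            flagged.append((rec["sport"], rec["dport"]))
    return flagged


def denied_inbound_returns(lines: List[str], ftp_server: str,
                           inbound_acl: int) -> List[Tuple[int, int]]:
    """(source port, dest port) of inbound packets to the server that the
    firewall denied; a non-20 data source port shows up here as the dest."""
    return [
        (rec["sport"], rec["dport"])
        for rec in map(parse_acl_line, lines)
        if rec is not None and rec["acl"] == inbound_acl
        and rec["action"] == "denied" and rec["dst"] == ftp_server
    ]


if __name__ == "__main__":
    server = "198.181.237.7"
    expected = data_ports_from_port_commands(PORT_COMMANDS)
    for sport, dport in flag_unexpected_data_sources(FIREWALL_LOG, server, 102):
        print("data connection to client port %d (PORT %s) left server from port %d, not %d"
              % (dport, expected.get(dport, "?"), sport, FTP_DATA_PORT))
    for sport, dport in denied_inbound_returns(FIREWALL_LOG, server, 101):
        print("return packet %d -> %d denied by inbound ACL" % (sport, dport))
```

Run against the ticket's own entries, the first data connection (source 20 to client port 5001) passes, while the second is reported as leaving the server from port 22 toward client port 5002 and its return packet 5002 -> 22 appears in the denied list, which is the failure the reporter describes. The same two functions can be pointed at a live ACL log to confirm an FTP server is keeping its active-mode data connections on port 20.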