# How to enforce ftp client open a specific port for data when deal with Active-mode ftp servers?



## supportsobaka (Apr 28, 2018)

To strength security of the firewall (we all know that ftp is a challenge for firewall security) I want enforce ftp-client establish only a specific port for data.

My box is an ftp client in terms of ftp communication. I don't need ftp server on my box (we live in era of cloud services!), but when I compile from ports some packages provide only 'oldy' ftp servers for fetch, no https. Assuming that these servers allow active mode I want my ftp-client establish only a specific port for data and allow only 20<->thisport communication on ipfw. Manpage says how to force fetch use active-mode (--no-passive option).  Well... already not bad, but do you know any hack (I agree on hack, e.g. source modification) to tell fetch open a specific port for data?

Another idea is symlink fetch to any other ftp-client that would support this. Do you know any other ftp-client that allows enforce a specific data port?


----------



## ShelLuser (Apr 28, 2018)

You can't really because it's not the client which will determine this but the server. Don't forget that the server probably also has a firewall to attend to which means that clients can't "just" pick a set of random ports to use because that would most likely fail due to the firewall.


----------



## supportsobaka (Apr 29, 2018)

ShelLuser
Sorry, but it is the client will determine this. Reсall spec for active ftp mode.  Firewall will not be the issue as soon as the server support active mode, because it means it will be ready to accept whatever client will offer.


----------



## ShelLuser (Apr 30, 2018)

http://www.proftpd.org/docs/directives/linked/config_ref_PassivePorts.html

(edit)

Also see this URL: https://winscp.net/eng/docs/ftp_modes


----------



## supportsobaka (Apr 30, 2018)

I don't configure the server. Neither I plan to work with passive servers. The first link is irrelevant. 
The second link just confirm that in active mode the client will offer the port and will inform the server about this port. What's wrong?
I know that ftp protocol is  the most misunderstood by many.  This link will help to understand it easy https://www.techrepublic.com/article/how-ftp-port-requests-challenge-firewall-security/

So it's just about a hack of ftp-client to tell it "please offer only the port X for the server, not random".


----------



## ShelLuser (Apr 30, 2018)

I think we're talking about the same thing yet also about different things here 

The port you speak of doesn't really exist, it's not the application which determines these ports, those decisions happen on another network level (I don't know from mind which one, look up the OSI model). See, every client works according to this principle.

If you visit this forum your browser contacts port 80 on the FreeBSD webserver. But the response data will be sent back with 80 as the source port and it'll be directed towards a random destination port in the higher ranges on your client. Yet that's not something the application normally has any control over but it's merely how the TCP protocol behaves.


----------



## SirDice (Apr 30, 2018)

supportsobaka said:


> Assuming that these servers allow active mode





> I don't configure the server.


I think you assume too much.


----------

