[4826] in WWW Security List Archive
Re: FW: tcp/ip ports to enable on NT, to allow ftp access fr
daemon@ATHENA.MIT.EDU (Ivan Massonnat)
Sat Mar 15 00:20:03 1997
Date: Fri, 14 Mar 1997 09:44:00 +0000
From: Ivan_Massonnat@paribas.com (Ivan Massonnat)
To: Fred Patton <fpatton@elecede.com>, www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Web browsers typically use a passive mode for FTP. This is actually
why you saw this connection to a port over 1024: in passive mode, the
FTP server doesn't initiate the data connection, but the client does
(I guess this is why the server is *passive*). So a client port
(>1024) is used on the server-side.
Well, hope this helps,
Ivan
______________________________ Reply Separator _________________________________
Subject: FW: tcp/ip ports to enable on NT, to allow ftp access from b
Author: Fred Patton <fpatton@elecede.com> at internet
Date: 3/8/97 12:55 PM
-----Original Message-----
From: Fred Patton
Sent: Saturday, March 08, 1997 12:54 PM
To: 'Laurent O. F. Fough, Mgr. Web Development'
Subject: RE: tcp/ip ports to enable on NT, to allow ftp access from browser
I've just encountered that difficulty as well. When connecting
through the browser, data port 20 hands the request to another port,
typically over 1024. There are some registry settings for IIS, and
FTP in particular. I have not found different configuration options
to avail in this matter. From what I have gleaned, the browser
implementation of the FTP protocol is rather shallow, and definitely
incomplete, particularly when it comes to security. In my case, I
re-thought my particular needs. I have two types of FTP clients: 1)
pure consumers of information (simple downloading), and 2) those which
have upload requirements, and thus, access to space on my server. For
group 1, there is no necessity to go through FTP with a browser, such
as ftp://username:password@myplace.com when password-protected
sections of the site can provide the exact same service. On the other
hand, I leave true FTP clients (non-browsers) the option of going
through FTP for the same information. With group 2, for uploading,
they are not using a browser to begin with, and since browser FTP is a
security issue, I wouldn't want to let them anyway. As you noted,
there is no difficulty for them, as they use a true FTP client. They
solved it for me. I am interested to know anything else others have
to say on the subject. I don't doubt the possibilities of alternative
solutions or workarounds, but the way I see it, I don't seem to
absolutely require them in my case. Best of luck.
Cheers.
F. Patton
-----Original Message-----
From: Laurent O. F. Fough, Mgr. Web Development [SMTP:lfough@caribfx.com]
Sent: Friday, March 07, 1997 10:43 AM
To: WWW-Security
Subject: tcp/ip ports to enable on NT, to allow ftp access from browser
I am currently enabling tcp/ip port filtering on an NT box, running 4.0.
The problem: when I enable only ports 20, 21, 80 & 81 (the standard ftp and
http ports), I can connect using HTTP (WWW), and FTP (using DOS & UNIX
clients).
Problem: I cannot connect to the machine's ftp port using a browser.
Can someone enlighten me as to all the ports needed for correct & efficient
access to a site that only provides mail, ftp and http service?
P.S.: I am using the Windows NT Security Handbook and it is not proving
to be very useful; there is a listing of available ports, but no
specific info. on the needed or integral ones.
Thanks in advance.
Regards,
Laurent
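
The passive-mode behaviour discussed in this thread, as an added example that is not part of the original messages: it parses the server's 227 reply to find the data port the client must connect to and checks that port against the filter list from the original question (20, 21, 80, 81). The 227 reply is constructed sample data, the function names are hypothetical, and the filter is modelled simply as a set of permitted server-side ports.

```python
import re

# Server-side TCP ports permitted by the port filter described in the question.
ALLOWED_PORTS = {20, 21, 80, 81}

# A 227 reply carries h1,h2,h3,h4,p1,p2: four address octets and two port bytes.
PASV_RE = re.compile(
    r"^227\b.*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)

# Constructed sample reply (192.0.2.10 is a documentation address).
SAMPLE_PASV = "227 Entering Passive Mode (192,0,2,10,4,31)"


def parse_pasv(reply):
    """Return (host, port) from a 227 passive-mode reply, else raise ValueError."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in reply: %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # port = p1 * 256 + p2
    return host, port


def server_data_port(mode, pasv_reply=None):
    """Server-side port used by the data connection in each FTP mode."""
    if mode == "active":
        return 20  # server opens the data connection from its ftp-data port
    if mode == "passive":
        return parse_pasv(pasv_reply)[1]  # server listens on the port it announced
    raise ValueError("unknown mode: %r" % mode)


def filter_permits(mode, pasv_reply=None, allowed=ALLOWED_PORTS):
    """True if the data connection's server-side port is in the filter list."""
    return server_data_port(mode, pasv_reply) in allowed


if __name__ == "__main__":
    print("active  :", server_data_port("active"), filter_permits("active"))
    print("passive :", server_data_port("passive", SAMPLE_PASV),
          filter_permits("passive", SAMPLE_PASV))
```

Because the passive data port is chosen by the server for each transfer, a fixed list of low ports cannot match it; that is the mismatch between the command-line clients and the browser reported above.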