LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 06-04-2015, 08:13 AM   #1
manasfirst
LQ Newbie
 
Registered: Jun 2015
Posts: 1

Rep: Reputation: Disabled
FTP Client/Server using old Data connection - is it right ?


Hi All,

If any one have any RFC reference related to following behavior of FTP client please do share.

We are starting an FTP session from a Linux m/c to BSD m/c via router. After some amount of data transfer, pressing CTRL + C and followed by bye to close the FTP connection. So FTP control session gets closed, but still I see ftp data connection remains open. So in router o/p is some thing like below;

Service Set: tdf-service-set, Session: 167772161, ALG: none, Flags: 0x0080, IP Action: no, Offload: no, Asymmetric: no
TCP 11.11.11.11:53686 -> 110.110.120.121:53936 Forward I 9
TCP 110.110.120.121:53936 -> 11.11.11.11:53686 Forward O 0


Again we are starting the FTP from the same client towards the same server. Please note I m downloading the same file.

mams-3/2/0 (ams1)
Service Set: tdf-service-set, Session: 268435458, ALG: none, Flags: 0x2000, IP Action: no, Offload: no, Asymmetric: no
TCP 11.11.11.11:44158 -> 110.110.120.121:61434 Forward I 102
TCP 110.110.120.121:61434 -> 11.11.11.11:44158 Forward O 285

Service Set: tdf-service-set, Session: 201326596, ALG: none, Flags: 0x0000, IP Action: no, Offload: no, Asymmetric: no
TCP 11.11.11.11:35044 -> 110.110.120.121:21 Forward I 29
TCP 110.110.120.121:21 -> 11.11.11.11:35044 Forward O 20

Service Set: tdf-service-set, Session: 167772161, ALG: none, Flags: 0x0080, IP Action: no, Offload: no, Asymmetric: no
TCP 11.11.11.11:53686 -> 110.110.120.121:53936 Forward I 9
TCP 110.110.120.121:53936 -> 11.11.11.11:53686 Forward O 0

Now did a rule/policy change (you can consider putting a firewall filter to block ftp data port). We observed that client is trying to push data over the old data connection:-

mams-3/2/0 (ams1)
Service Set: tdf-service-set, Session: 268435458, ALG: none, Flags: 0x2000, IP Action: no, Offload: no, Asymmetric: no
TCP 11.11.11.11:44158 -> 110.110.120.121:61434 Forward I 151
TCP 110.110.120.121:61434 -> 11.11.11.11:44158 Forward O 440

Service Set: tdf-service-set, Session: 201326596, ALG: none, Flags: 0x0000, IP Action: no, Offload: no, Asymmetric: no
TCP 11.11.11.11:35044 -> 110.110.120.121:21 Forward I 30
TCP 110.110.120.121:21 -> 11.11.11.11:35044 Forward O 21

Service Set: tdf-service-set, Session: 167772161, ALG: none, Flags: 0x0080, IP Action: no, Offload: no, Asymmetric: no
TCP 11.11.11.11:53686 -> 110.110.120.121:53936 Forward I 9
TCP 110.110.120.121:53936 -> 11.11.11.11:53686 Forward O 0
---(refreshed at 2015-06-04 04:18:59 PDT)---
mams-3/2/0 (ams1)
Service Set: tdf-service-set, Session: 268435458, ALG: none, Flags: 0x2000, IP Action: no, Offload: no, Asymmetric: no
TCP 11.11.11.11:44158 -> 110.110.120.121:61434 Forward I 151
TCP 110.110.120.121:61434 -> 11.11.11.11:44158 Forward O 441

Service Set: tdf-service-set, Session: 201326596, ALG: none, Flags: 0x0000, IP Action: no, Offload: no, Asymmetric: no
TCP 11.11.11.11:35044 -> 110.110.120.121:21 Forward I 30
TCP 110.110.120.121:21 -> 11.11.11.11:35044 Forward O 21

Service Set: tdf-service-set, Session: 167772161, ALG: none, Flags: 0x00C0, IP Action: no, Offload: no, Asymmetric: no
TCP 11.11.11.11:53686 -> 110.110.120.121:53936 Forward I 10 <<<<<<<<<<<<<< It is increased from 9 to 10
TCP 110.110.120.121:53936 -> 11.11.11.11:53686 Forward O 1 <<<<<<<<<<<<<< It is increased from 0 to 1
---(refreshed at 2015-06-04 04:19:04 PDT)

NOTE:
FTP server (Version 6.00LS)
 
Old 06-04-2015, 07:14 PM   #2
joec@home
Member
 
Registered: Sep 2009
Location: Galveston Tx
Posts: 291

Rep: Reputation: 70
If I am understanding you correctly, you have a client on one side of a hardware firewall connecting to a FTP server on the other side of the firewall? The confusion of this is that you are trying to observe the connection from the perspective of the firewall verses using the netstat on the FTP server itself. In such a case, the hardware firewall has no access to the TCP/IP stack on the FTP server and thus takes an educated guess on how to filter the connection. Such connections through the firewall typically have timeouts, especially on the more advanced firewalls. While this sounds counter intuitive, there is a valid but complicated reason for this. The shortest most simple answer I can give is that the firewall needs these timeouts to help keep track of outbound connections. Otherwise a hostile remote client could simply tell the firewall that the protected server was trying to make an outbound connection to the hostile client. These timers then try to give the firewall enough information to know that the hostile client is telling a lie. You would be better off checking from the FTP server itself.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
client printer redirection to terminal server (client server connection is RS232) rohaanembedded Programming 1 12-10-2013 04:38 PM
[SOLVED] How to detect a closed tcp client connection when client is only receiving data programlight Programming 9 10-24-2011 10:19 AM
Connection from FTP client to PURE FTPd server fails at MLSD james8734 Linux - Networking 3 05-18-2010 05:21 PM
How do I setup multiple FTP servers with distinct data sets with 1 master FTP server? tekky Linux - Networking 1 08-28-2009 06:00 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 01:38 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration