FTP Client/Server using old Data connection

manasfirst · 06-04-2015, 07:13 AM

Hi All,

If any one have any RFC reference related to following behavior of FTP client please do share.

We are starting an FTP session from a Linux m/c to BSD m/c via router. After some amount of data transfer, pressing CTRL + C and followed by bye to close the FTP connection. So FTP control session gets closed, but still I see ftp data connection remains open. So in router o/p is some thing like below;

Service Set: tdf-service-set, Session: 167772161, ALG: none, Flags: 0x0080, IP Action: no, Offload: no, Asymmetric: no
TCP 11.11.11.11:53686 -> 110.110.120.121:53936 Forward I 9
TCP 110.110.120.121:53936 -> 11.11.11.11:53686 Forward O 0

Again we are starting the FTP from the same client towards the same server. Please note I m downloading the same file.

mams-3/2/0 (ams1)
Service Set: tdf-service-set, Session: 268435458, ALG: none, Flags: 0x2000, IP Action: no, Offload: no, Asymmetric: no
TCP 11.11.11.11:44158 -> 110.110.120.121:61434 Forward I 102
TCP 110.110.120.121:61434 -> 11.11.11.11:44158 Forward O 285

Service Set: tdf-service-set, Session: 201326596, ALG: none, Flags: 0x0000, IP Action: no, Offload: no, Asymmetric: no
TCP 11.11.11.11:35044 -> 110.110.120.121:21 Forward I 29
TCP 110.110.120.121:21 -> 11.11.11.11:35044 Forward O 20

Service Set: tdf-service-set, Session: 167772161, ALG: none, Flags: 0x0080, IP Action: no, Offload: no, Asymmetric: no
TCP 11.11.11.11:53686 -> 110.110.120.121:53936 Forward I 9
TCP 110.110.120.121:53936 -> 11.11.11.11:53686 Forward O 0

Now did a rule/policy change (you can consider putting a firewall filter to block ftp data port). We observed that client is trying to push data over the old data connection:-

mams-3/2/0 (ams1)
Service Set: tdf-service-set, Session: 268435458, ALG: none, Flags: 0x2000, IP Action: no, Offload: no, Asymmetric: no
TCP 11.11.11.11:44158 -> 110.110.120.121:61434 Forward I 151
TCP 110.110.120.121:61434 -> 11.11.11.11:44158 Forward O 440

Service Set: tdf-service-set, Session: 201326596, ALG: none, Flags: 0x0000, IP Action: no, Offload: no, Asymmetric: no
TCP 11.11.11.11:35044 -> 110.110.120.121:21 Forward I 30
TCP 110.110.120.121:21 -> 11.11.11.11:35044 Forward O 21

Service Set: tdf-service-set, Session: 167772161, ALG: none, Flags: 0x0080, IP Action: no, Offload: no, Asymmetric: no
TCP 11.11.11.11:53686 -> 110.110.120.121:53936 Forward I 9
TCP 110.110.120.121:53936 -> 11.11.11.11:53686 Forward O 0
---(refreshed at 2015-06-04 04:18:59 PDT)---
mams-3/2/0 (ams1)
Service Set: tdf-service-set, Session: 268435458, ALG: none, Flags: 0x2000, IP Action: no, Offload: no, Asymmetric: no
TCP 11.11.11.11:44158 -> 110.110.120.121:61434 Forward I 151
TCP 110.110.120.121:61434 -> 11.11.11.11:44158 Forward O 441

Service Set: tdf-service-set, Session: 201326596, ALG: none, Flags: 0x0000, IP Action: no, Offload: no, Asymmetric: no
TCP 11.11.11.11:35044 -> 110.110.120.121:21 Forward I 30
TCP 110.110.120.121:21 -> 11.11.11.11:35044 Forward O 21

Service Set: tdf-service-set, Session: 167772161, ALG: none, Flags: 0x00C0, IP Action: no, Offload: no, Asymmetric: no
TCP 11.11.11.11:53686 -> 110.110.120.121:53936 Forward I 10 <<<<<<<<<<<<<< It is increased from 9 to 10
TCP 110.110.120.121:53936 -> 11.11.11.11:53686 Forward O 1 <<<<<<<<<<<<<< It is increased from 0 to 1
---(refreshed at 2015-06-04 04:19:04 PDT)—

NOTE:
FTP server (Version 6.00LS)

joec@home · 06-04-2015, 06:14 PM

If I am understanding you correctly, you have a client on one side of a hardware firewall connecting to a FTP server on the other side of the firewall? The confusion of this is that you are trying to observe the connection from the perspective of the firewall verses using the netstat on the FTP server itself. In such a case, the hardware firewall has no access to the TCP/IP stack on the FTP server and thus takes an educated guess on how to filter the connection. Such connections through the firewall typically have timeouts, especially on the more advanced firewalls. While this sounds counter intuitive, there is a valid but complicated reason for this. The shortest most simple answer I can give is that the firewall needs these timeouts to help keep track of outbound connections. Otherwise a hostile remote client could simply tell the firewall that the protected server was trying to make an outbound connection to the hostile client. These timers then try to give the firewall enough information to know that the hostile client is telling a lie. You would be better off checking from the FTP server itself.