Firewall-Friendly FTP
RFC 1579 Firewall-Friendly FTP February 1994
the "server" area, i.e., port numbers below 1024. But that strategy
is risky; dangerous services such as X Windows live at higher-
numbered ports.
Outgoing calls, on the other hand, present fewer problems, either for
the firewall administrator or for the packet filter. Any TCP packet
with the ACK bit set cannot be the packet used to initiate a TCP
connection; filters can be configured to pass such packets in the
outbound direction only. We thus want to change the behavior of FTP
so that the data channel is implemented as a call from the client to
the server.
Fortunately, the necessary mechanisms already exist in the protocol.
If the client sends a PASV command, the server will do a passive TCP
open on some random port, and inform the client of the port number.
The client can then do an active open to establish the connection.
There are a few FTP servers in existence that do not honor the PASV
command. While this is unfortunate (and in violation of STD 3, RFC
1123 [2]), it does not pose a problem. Non-conforming
implementations will return a "500 Command not understood" message;
it is a simple matter to fall back to current behavior. While it may
not be possible to talk to such sites through a firewall, that would
have been the case had PASV not been adopted.
Recommendation
We recommend that vendors convert their FTP client programs
(including FTP proxy agents such as Gopher [3] daemons) to use PASV
instead of PORT. There is no reason not to use it even for non-
firewall transfers, and adopting it as standard behavior will make
the client more useful in a firewall environment.
STD 3, RFC 1123 notes that the format of the response to a PASV
command is not well-defined. We therefore recommend that FTP clients
and servers follow the recommendations of that RFC for solving this
problem.
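As an added illustration (not part of the RFC), here is how a client can apply both recommendations above: parse the 227 reply by scanning for the six comma-separated numbers as STD 3 / RFC 1123 advises, and fall back to PORT only when the server answers PASV with a 5xx reply. The control-channel hook `send_command` and the `fake_control_channel` stand-in are assumptions constructed for this example.

```python
import re

# RFC 1123 sec. 4.1.2.6: the text around the numbers in a 227 reply is not
# standardized, so scan for six comma-separated decimal fields, not parentheses.
PASV_FIELDS = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")

def parse_pasv_reply(reply):
    """Parse a 227 reply into (host, port). Returns None for a 5xx reply such
    as '500 Command not understood' so the caller can fall back to PORT."""
    code = reply[:3]
    if code.startswith("5"):
        return None
    if code != "227":
        raise ValueError("unexpected reply to PASV: " + reply.strip())
    m = PASV_FIELDS.search(reply)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 fields in 227 reply")
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in 227 reply")
    host = ".".join(str(f) for f in fields[:4])
    return host, fields[4] * 256 + fields[5]

def negotiate_data_channel(send_command, local_host, local_port):
    """Try PASV first; fall back to PORT only if the server rejects it.
    send_command(cmd) is a hypothetical hook that writes one line on the
    control channel and returns the reply. With PASV the client initiates the
    data connection outbound (what an ACK-only inbound filter permits); with
    PORT the server must open an inbound connection to the client."""
    target = parse_pasv_reply(send_command("PASV"))
    if target is not None:
        return {"mode": "PASV", "initiator": "client", "endpoint": target}
    h = local_host.replace(".", ",")
    reply = send_command("PORT %s,%d,%d" % (h, local_port // 256, local_port % 256))
    if not reply.startswith("200"):
        raise ValueError("PORT rejected: " + reply.strip())
    return {"mode": "PORT", "initiator": "server", "endpoint": (local_host, local_port)}

def fake_control_channel(supports_pasv):
    """Constructed stand-in for a server's control channel (not a real FTP
    implementation): one variant honors PASV, the other answers it with 500."""
    def send_command(cmd):
        if cmd == "PASV" and supports_pasv:
            return "227 Entering Passive Mode (192,0,2,10,195,80)\r\n"
        if cmd.startswith("PORT "):
            return "200 PORT command successful.\r\n"
        return "500 Command not understood\r\n"
    return send_command
```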
Discussion
Given the behavior of most current FTP clients, the use of PASV does
not cause any additional messages to be sent. In all cases, a
transfer operation is preceded by an extra exchange between the
client and the server; it does not matter if that exchange involves a
PORT command or a PASV command.
There is some extra overhead with Gopher-style clients; since they
transfer exactly one file per control channel connection, they do not
Bellovin