On Fri, 2008-04-11 at 09:26 +0100, Chris G wrote:
> How does one find out what "the relevant ports" are? My firewall can certainly open specific ports in specific directions.
Well, this is where it gets messy. If you run in active mode then, inbound, the server only needs the control port open (21); however, the client's firewall needs to be able to either use protocol inspection to determine what inbound data stream port to open in the range 49152-65535, or you are going to have to open all of them.
Passive mode tries to "solve" this problem, but all it means is that now you have the same issue but at the server end, as with passive mode the server opens a data port in the range 49152-65535 and then tells the client what it is.
So basically it is a choice: at one end you need a firewall/NAT that understands FTP and can do protocol inspection to manage the open ports, or you open 49152-65535 exclusively, and even then you need to educate your clients to use the appropriate mode (and, just to help things, different clients default in different ways).
Essentially it is a broken protocol, as it was designed at a time when NAT didn't exist and firewalls were not commonplace. I really really would look at browser-based upload.
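To make the active/passive distinction above concrete, here is an added example (not code from this thread or from any FTP implementation) that parses the two control-channel messages which announce a data port: the client's PORT command in active mode and the server's 227 reply to PASV in passive mode. From each it works out which end must accept the inbound data connection and whether the announced port falls inside a pre-opened range. The 49152-65535 range is taken from the reply above and treated as an assumption, since many servers let you configure a different passive range; the sample messages are constructed, not captured from a real session.

```python
"""Which end of an FTP session must accept the inbound data connection?

Added example, not from the thread. Parses a PORT command (active mode)
or a 227 PASV reply (passive mode), decodes the h1,h2,h3,h4,p1,p2 form
used by both, and reports which side's firewall has to let the data
stream in and whether a static rule for a pre-opened range would cover it.
"""
import re
from dataclasses import dataclass

# Range quoted in the reply above. Assumption: real servers may use any
# ephemeral range, and most let you narrow the passive range explicitly.
DEFAULT_DATA_RANGE = (49152, 65535)
CONTROL_PORT = 21  # inbound at the server in both modes

# Both messages carry the same six comma-separated decimal fields.
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
_PASV_RE = re.compile(r"^227\b.*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class DataChannel:
    mode: str      # "active" or "passive"
    listener: str  # "client" or "server": the side that accepts the inbound data connection
    host: str
    port: int


def _decode(fields):
    """Turn h1,h2,h3,h4,p1,p2 into (dotted host, port); reject out-of-range bytes."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    if any(b > 255 for b in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("field exceeds one byte")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return f"{h1}.{h2}.{h3}.{h4}", port


def parse_control_message(line: str) -> DataChannel:
    """Classify one control-channel line as an active or passive data-port announcement."""
    m = _PORT_RE.match(line)
    if m:
        host, port = _decode(m.groups())
        # Active mode: the client listens, the server connects back to it.
        return DataChannel("active", "client", host, port)
    m = _PASV_RE.match(line)
    if m:
        host, port = _decode(m.groups())
        # Passive mode: the server listens, the client connects to it.
        return DataChannel("passive", "server", host, port)
    raise ValueError(f"not a PORT command or 227 PASV reply: {line!r}")


def firewall_requirement(ch: DataChannel, allowed=DEFAULT_DATA_RANGE) -> dict:
    """Say which firewall must admit the data stream and whether a static range rule suffices."""
    lo, hi = allowed
    covered = lo <= ch.port <= hi
    return {
        "server_control_port_inbound": CONTROL_PORT,
        "data_inbound_to": ch.listener,
        "data_port": ch.port,
        "covered_by_preopened_range": covered,
        # Outside the opened range only an FTP-aware (protocol-inspecting)
        # firewall/NAT can open the port on demand.
        "needs_protocol_inspection": not covered,
    }


if __name__ == "__main__":
    # Constructed sample messages: one of each mode.
    for line in ("PORT 192,168,1,10,200,21",
                 "227 Entering Passive Mode (203,0,113,5,4,7)."):
        ch = parse_control_message(line)
        print(line, "->", ch.mode, firewall_requirement(ch))
```

The second sample deliberately has the server announce port 1031, outside the range quoted above, which is the case where a static "open 49152-65535" rule on the server side silently fails and only protocol inspection (or reconfiguring the server's passive range) gets the transfer through.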