Posted to ftpserver-users@mina.apache.org by Peter Kostouros <kp...@melbpc.org.au> on 2008/03/19 08:50:48 UTC

Question regarding listening port and passive ports

Hi

I hope someone can point me in the right direction to understand some 
behaviour we have seen regarding ftpserver.

Our ftpserver is configured to listen on 1.2.3.4:9021, with passive 
ports 9020, 9021 and this may be the source of our problem.

Looking through the log file we found that one client was allocated port 
9020 upon a PASV request but for some reason did not transmit data and 
hence release it, so when a second client came in and requested a PASV 
port he got 9021 from which he started transmitting data. We believe at 
that time a third client tried to establish a connection but was 
refused. After about a minute the first client terminated its session 
(connection was forcibly closed by the remote host type of exception was 
recorded) and released port 9020 (since it was used later in another 
client session).

So I guess my first question is that if all PASV ports are in use and 
the listening port happens to be a port specified in the passive ports 
range, what do you expect when another client tries to connect to ftpserver?

A follow up question: is it possible for a client to "lock" a port?

-- 

Regards

Peter

As always the organisation disavows knowledge of this email


Re: Question regarding listening port and passive ports

Posted by Niklas Gustavsson <ni...@protocol7.com>.
Hi

I'll try to answer inline.

On Wed, Mar 19, 2008 at 8:50 AM, Peter Kostouros <kp...@melbpc.org.au> wrote:
> Hi
>
>  I hope someone can point me in the right direction to understand some
>  behaviour we have seen regarding ftpserver.
>
>  Our ftpserver is configured to listen on 1.2.3.4:9021, with passive
>  ports 9020, 9021 and this may be the source of our problem.
>
>  Looking through the log file we found that one client was allocated port
>  9020 upon a PASV request but for some reason did not transmit data and
>  hence release it, so when a second client came in and requested a PASV
>  port he got 9021 from which he started transmitting data. We believe at
>  that time a third client tried to establish a connection but was
>  refused. After about a minute the first client terminated its session
>  (connection was forcibly closed by the remote host type of exception was
>  recorded) and released port 9020 (since it was used later in another
>  client session).
>
>  So I guess my first question is that if all PASV ports are in use and
>  the listening port happens to be a port specified in the passive ports
>  range, what do you expect when another client tries to connect to ftpserver?

Having the listener port on the same port as one of the passive ports
is not a good idea. What will happen is that FtpServer will try to
open a data connection on that port and fail every time (since it is
already in use). Therefore, it would never be used as the passive
port. So, that means in your case that you only have one working
passive port (9020). A client using this port for a data transfer will
effectively lock out all other clients from doing data transfers. In
addition, the port will be unusable for other clients during the
TIME-WAIT period (typically a couple of minutes). So, I would advise
you to allow for significantly more passive ports.

>  A follow up question: is it possible for a client to "lock" a port?

Yes, it will block it for the time it takes to do a data transfer.

>  As always the organisation disavows knowledge of this email

Now that's a good disclaimer :-)

/niklas
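
The situation described in the reply above, reproduced with real sockets on loopback as an added example (not part of the original thread and not FtpServer's code). `PassivePool` and `demo` are hypothetical names, the two OS-assigned ports stand in for 9021 and 9020, and TIME-WAIT is not modelled.

```python
import socket

class PassivePool:
    """Toy passive-port allocator: one data listener per port, held until released."""

    def __init__(self, host, ports):
        self.host, self.free, self.held = host, list(ports), {}

    def acquire(self, client):
        """Bind the first free port that can be opened; return it, or None."""
        for port in list(self.free):
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            try:
                sock.bind((self.host, port))
                sock.listen(1)
            except OSError:  # address in use: the control listener owns this port
                sock.close()
                continue
            self.free.remove(port)
            self.held[client] = (port, sock)
            return port
        return None

    def release(self, client):
        port, sock = self.held.pop(client)
        sock.close()
        self.free.append(port)

def demo():
    """Constructed setup: two OS-assigned loopback ports stand in for 9021 and 9020."""
    control = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    control.bind(("127.0.0.1", 0))
    control.listen(5)
    listen_port = control.getsockname()[1]      # plays the role of 9021
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    data_port = probe.getsockname()[1]          # plays the role of 9020
    probe.close()
    pool = PassivePool("127.0.0.1", [data_port, listen_port])
    first = pool.acquire("client-1")    # takes the only port that can be bound
    second = pool.acquire("client-2")   # only the listener port is left: None
    pool.release("client-1")
    retry = pool.acquire("client-2")    # works once client-1 has let go
    pool.release("client-2")
    control.close()
    return data_port, first, second, retry

if __name__ == "__main__":
    print(demo())
```

A configuration check that rejects any passive port equal to the listener port, and sizes the pool for the expected number of concurrent transfers, catches this before deployment.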