IS FTP listener Data ports

Hi all,

Anyone know where or how to define the data ports that FTP and FTP/s use?

Under normal FTP 21 is the command port and 20 is the data port.

But when setting up a webMethods FTP or FTP/s listener port under IS 6.5 there is only a single port entry box, which is the command port. There is no entry box for the data port.

The issue is that unless we can restrict IS to use a specific data port, we can’t set up Firewall rules to allow connections in from the outside.

For normal FTP we would just say, allow xx.xx.xx.xx IP address to connect to server xyz on ports 20 and 21, then tell the client to use passive mode. And this works fine.

But unless I can tell IS to use a specific data port for each FTP and FTP/s connection, or at least find some way of finding out what IS is using, then we can’t configure the Firewall to allow the connections in.

I have seen the extended setting such as ‘watt.net.ftpPassivePort.max’, but these seem to be global settings rather than per listening port, plus is it safe to set both ‘watt.net.ftpPassivePort.max’ and ‘watt.net.ftpPassivePort.min’ to the same port number to restrict it to use only one port? (In the same way normal FTP works).

I’ve used a TCP/IP sniffer to see what actually happens, and IS seems to start using a port higher than the command port, but then keeps incrementing by one for each data connection (‘ls’, ‘get’, ‘put’ etc).

Ideally I’d like to be able to specify that the data ports always be one higher, or lower, than the command port for each listening port.

Thanks in advance for any help.
Mark

Just to add to this. Through testing I can see that when using active mode, IS always tries to use a data port one less than the command port.

i.e. If you configure a listening FTPS port as 6300, the data port would be 6299.

But if you switch to passive mode, the data port changes to 41000+, incrementing by one.

In my experience with other FTP services, the data port should still be the same, even when using passive mode. All active and passive do is swap round who initiates the data connection, active causes the server to initiate it, whereas passive is initiated by the client. But the ports used should still be the same on the server side.

i.e. with normal FTP on ports 20/21, it doesn’t matter if it’s active or passive, port 20 is still used for data either way.

Cheers,
Mark

This might be helpful. http://www.slacksite.com/other/ftp.html

According to this, passive mode would not use port 20 on the server side for the data port. It would use a non-privileged port (P > 1024) to listen for the data connection from the client. IS will use the watt.net.ftpPassivePort.min and max range for the data ports to use.

It seems that IS is indeed behaving as a “normal” FTP server.
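An added example, not part of the original thread: one way to check which passive data ports a server announces against the range opened on the firewall. It parses 227 (PASV) and 229 (EPSV) replies; the range values and the sample replies are constructed for illustration, with the range standing in for whatever is set through watt.net.ftpPassivePort.min and watt.net.ftpPassivePort.max.

```python
import re

# Assumed values: the range set via watt.net.ftpPassivePort.min/.max
# and allowed inbound on the firewall.
PASSIVE_MIN, PASSIVE_MAX = 41000, 41010

PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")

def data_port(reply):
    """Return (host, port) announced by a 227/229 reply, or None for other lines."""
    m = PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            raise ValueError(f"malformed PASV reply: {reply!r}")
        # The last two numbers are the high and low byte of the data port.
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(reply)
    if m:
        # EPSV carries only the port; the host is that of the control connection.
        return None, int(m.group(2))
    return None

def audit(lines, lo=PASSIVE_MIN, hi=PASSIVE_MAX):
    """Split announced data ports into those inside and outside the allowed range."""
    inside, outside = [], []
    for line in lines:
        parsed = data_port(line.strip())
        if parsed is None:
            continue
        (inside if lo <= parsed[1] <= hi else outside).append(parsed[1])
    return inside, outside

# Constructed control-channel replies, as a client log would show them.
SAMPLE = [
    "220 FTP server ready",
    "227 Entering Passive Mode (192,0,2,10,160,40)",   # 160*256 + 40
    "227 Entering Passive Mode (192,0,2,10,160,41)",
    "229 Entering Extended Passive Mode (|||41002|)",
    "227 Entering Passive Mode (192,0,2,10,195,80)",   # 195*256 + 80
]

if __name__ == "__main__":
    ok, blocked = audit(SAMPLE)
    print("inside firewall range:", ok)
    print("outside firewall range:", blocked)
```

With FTP/s the control channel is encrypted, so these replies have to come from the client's own log rather than from a packet capture, and the firewall cannot read them to open ports dynamically.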

Thanks for this, seems odd that you don’t just set up the data ports used under the FTP, FTP/s add port screen, and instead have a global Extended setting for the data ports.

Oh well, just part of getting familiar with wM I guess :)

Cheers.