Client

Server

Command Data port port 2008 2010

Passive?

Passive OK Port 1490

Data

©2000, Cisco Systems,

Passive mode PFTP also uses two channels for communications. The command channel works the same as in a standard FTP connection, but the data channel setup works differently. When the client requests data from the server, it asks the server if it accepts PFTP connections. If the server accepts PFTP connections, it sends the client a high-order port number to use for the data channel. The client then initiates the data connection from its own high-order port to the port that the server sent.

Because the client initiates both the command and data connections, early firewalls could easily support this without exposing inside clients to attack.

For PFTP traffic, the PIX Firewall behaves in the following manner:

0 0

Post a comment