Strange port 20/21 problem with Netgear RT314 Router

I'm trying to configure a relatively secure home FTP server that will only accept connections from my work PC.

On my home network, I'm running the FTP service on a Linux (Mandriva 2005) box. In my Netgear router, I forwarded port 21 to the Linux box and created a filter rule that drops any port 21 packets NOT originating from my work IP address.

Things appeared to work well in that I could connect to the FTP server from my work PC and not from any other external PC. However, when I ran GRC's ShieldsUP test and Sygate's Security Scan from my home network, both tests showed that while my port 21 was stealthed, my port 20 was NOT stealthed (it was closed).

Why the heck is my port 20 unstealthed when port 21 is the one and only port forwarded to the Linux PC? I realize that I can create a filter rule to block unwanted port 20 traffic as well, but how is it getting through in the first place if I'm not forwarding port 20 and port 21 is stealthed? It almost seems like the Netgear router is port-forwarding 20 and 21, even though I only specified port 21. This really has me scratching my head.

Any insight would be appreciated. Thanks.

Reply to
QV

The router probably assumes you're running an ftp server when you tell it to forward port 21, so you'll be needing port 20 for the data connections.


Use scp.

Triffid

Reply to
Triffid

It seems dangerous for a router to "assume" anything, but the Netgear appears to be doing just that in the case of port 20. It makes me wonder what else it assumes.

Thanks for the OpenSSH link - it looks like I'll be exploring some alternatives to plain FTP.

Reply to
QV

If it really is assuming that port 20 needs to be open for inbound TCP connections, then it's dopey. 20 is the source port for _outbound_ FTP data connections on TCP. It's not the destination port.

Of course, if it's working as a straight IP packet filter, it has to allow for traffic in both directions to and from port 20.

Alun. ~~~~ [Please don't email posters, if a Usenet response is appropriate.]

Reply to
Alun Jones

Default ports for FTP are 20+21: commands on one and data on the other. If you connect to a site (using the default port 21), as soon as you log in, issue 'passive'. Port 20 will no longer be used and the firewall will only need to have port 21 open.

A better solution than FTP is SSH, which also gives you Telnet support over a secured connection.

Reply to
Jeff B

Before transferring in either direction, issue 'passive'; the data port 20 will not be used and something above 1024 will be.

Reply to
Jeff B
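The two points made above, that a straight packet filter has to pass port-20 traffic in both directions for active-mode FTP, and that passive mode moves the data channel to a high port the server announces, can be made concrete with a small model. The following Python is an added example, not code from the thread or from Netgear; it models the router's rule set as the thread describes it (port 21 forwarded only for the work IP, port 20 passed through in both directions), decodes the RFC 959 PASV reply format, and reports what an outside scanner would see on ports 20 and 21. All IP addresses and port numbers are constructed placeholders from the RFC 5737 documentation ranges, and the rule model itself is an assumption about the router, not observed behaviour.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed example addresses (RFC 5737 documentation ranges); none come from the thread.
WORK_IP = "203.0.113.10"        # the poster's work PC (the only allowed FTP client)
SCANNER_IP = "198.51.100.7"     # an external scanner such as ShieldsUP
HOME_WAN_IP = "192.0.2.50"      # the router's public (WAN) address
FTP_SERVER_IP = "192.168.1.20"  # the Linux box behind the router


@dataclass(frozen=True)
class Packet:
    """Just enough of a TCP segment to evaluate filter rules against."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


_PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Decode a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply into (host, port).
    The port is p1*256 + p2, which is why passive data ports land above 1024."""
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def active_data_connection(client_ip: str, client_port: int, server_ip: str) -> Packet:
    """Active mode: after the client sends PORT, the *server* opens the data connection
    from its source port 20 to the port the client announced (20 is a source port)."""
    return Packet(server_ip, 20, client_ip, client_port)


def passive_data_connection(client_ip: str, client_port: int, pasv_reply: str) -> Packet:
    """Passive mode: after PASV, the *client* connects to the high port the server announced,
    so nothing ever needs to accept an inbound connection involving port 20."""
    host, port = parse_pasv(pasv_reply)
    return Packet(client_ip, client_port, host, port)


def router_verdict(pkt: Packet, listening: set[int]) -> str:
    """Model (assumed, not measured) of the router's handling of a SYN to its WAN address.
    Returns what a prober observes: 'stealth' (silently dropped), 'closed' (reaches a
    host with no listener, which answers RST), or 'open' (reaches a listener, SYN/ACK)."""
    if pkt.dst_ip != HOME_WAN_IP:
        return "stealth"
    if pkt.dst_port == 21:
        if pkt.src_ip != WORK_IP:
            return "stealth"            # the poster's filter rule drops it
        return "open" if 21 in listening else "closed"
    if pkt.dst_port == 20 or pkt.src_port == 20:
        # A stateless filter passing port-20 traffic both ways delivers the probe to the
        # Linux box, where no service listens on 20, so the box replies with RST: "closed".
        return "open" if 20 in listening else "closed"
    return "stealth"                    # nothing forwarded, nothing answered


def scan(src_ip: str, ports=(20, 21), listening=frozenset({21})) -> dict[int, str]:
    """Probe the router from src_ip the way a port scanner would, one SYN per port."""
    probe_port = 40000  # constructed ephemeral source port
    return {p: router_verdict(Packet(src_ip, probe_port, HOME_WAN_IP, p), set(listening))
            for p in ports}


if __name__ == "__main__":
    print("scanner sees:", scan(SCANNER_IP))   # {20: 'closed', 21: 'stealth'}
    print("work PC sees:", scan(WORK_IP))      # {20: 'closed', 21: 'open'}
    print("active data:", active_data_connection(WORK_IP, 51234, HOME_WAN_IP))
    print("passive data:", passive_data_connection(WORK_IP, 51235,
          "227 Entering Passive Mode (192,0,2,50,195,80)"))
```

Running the module reproduces the thread's observation: from the scanner's address port 21 is "stealth" and port 20 is "closed", because the port-20 probe is delivered to a host with no listener rather than being dropped. One server-side caveat the thread does not spell out: passive mode removes the need for port-20 rules on the client's firewall, but the server's router must then forward the passive port range (most FTP daemons let you pin that range), so the rule set changes shape rather than disappearing.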
