J65nko (Administrator), 25th December 2011

According to http://en.wikipedia.org/wiki/Registered_port
Quote:
A registered port is a network port (a sub-address defined within the Internet Protocol, in the range 1–65535) assigned by the Internet Assigned Numbers Authority (IANA) (or by Internet Corporation for Assigned Names and Numbers (ICANN) before March 21 2001[1]) for use with a certain protocol or application.

Ports with numbers lower than those of the registered ports are called well known ports; ports with numbers greater than those of the registered ports are called dynamic and/or private ports.[2]

* Ports 0-1023 - well known ports
* Ports 1024-49151 - Registered port: vendors use for proprietary applications
* Ports >49151 - dynamic / private ports

You can find a list of the ports in /etc/services

It is easy to check if you start tcpdump before running a local ftp session with ftp localhost
Code:
$ sudo tcpdump -eni lo0
tcpdump: listening on lo0, link-type LOOP
127.0.0.1.1268 > 127.0.0.1.21: S
127.0.0.1.21 > 127.0.0.1.1268: S A
127.0.0.1.1268 > 127.0.0.1.21: A
Actually a lot more info is shown, but I trimmed it away.

Here the source port is >1023

Code:
$ netstat -an -f inet
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  127.0.0.1.21           127.0.0.1.1268         ESTABLISHED
tcp          0      0  127.0.0.1.1268         127.0.0.1.21           ESTABLISHED
tcp          0      0  *.21                   *.*                    LISTEN
The netstat output shows these ftp command channel ports.
It also shows that there is a service LISTENing on port 21. This is the ftpd daemon. Setting up a daemon to LISTEN to a port <1024 requires root privilege.

When I do an ftp 'ls', the ftp data channel is set up with:

Code:
127.0.0.1.24290 > 127.0.0.1.50320: S
127.0.0.1.50320 > 127.0.0.1.24290: S A
127.0.0.1.24290 > 127.0.0.1.50320: A
So the source port is >1023 and <= 49151, while the destination port is in the >49151 - 65535 range.

Another ftp 'ls' creates a new data channel, with the same ranges used:

Code:
127.0.0.1.4326 > 127.0.0.1.60464: S 
127.0.0.1.60464 > 127.0.0.1.4326: S A 
127.0.0.1.4326 > 127.0.0.1.60464: A
An ftp 'cd Desktop' gives this one:

Code:
127.0.0.1.29882 > 127.0.0.1.52039: S 
127.0.0.1.52039 > 127.0.0.1.29882: S A 
127.0.0.1.29882 > 127.0.0.1.52039: A
When I use gmail, netstat -an -f inet shows:
Code:
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.168.222.20.25960   192.168.222.10.22      ESTABLISHED
Because I use ntpd(8):
Code:
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp          0      0  192.168.222.20.34895   85.12.29.43.123       
udp          0      0  192.168.222.20.17778   131.211.8.244.123     
udp          0      0  192.168.222.20.6308    87.195.109.207.123
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 25th December 2011 at 02:24 AM.
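
Added example, not part of J65nko's post: a small sh/awk filter that reads BSD-style `netstat -an -f inet` output and labels each local and foreign port with the range names listed in the post. The function names and the "n/a" and "-" placeholders are assumptions of this example; the sample lines are copied from the post, except the data-channel line, which is constructed from the ports in the tcpdump trace.

```shell
#!/bin/sh
# classify_netstat: read netstat lines on stdin and print
#   proto local_port(class) foreign_port(class) state
classify_netstat() {
    awk '
    # Map a port to the ranges from the post:
    # 0-1023 well-known, 1024-49151 registered, >49151 dynamic.
    function cls(p) {
        if (p !~ /^[0-9]+$/) return "n/a"      # "*" wildcard on LISTEN lines
        p += 0
        if (p <= 1023)  return "well-known"
        if (p <= 49151) return "registered"
        if (p <= 65535) return "dynamic"
        return "invalid"
    }
    # BSD netstat joins address and port with a dot, so the port
    # is whatever follows the LAST dot (127.0.0.1.21 -> 21).
    function port(addr,   n, parts) {
        n = split(addr, parts, /\./)
        return parts[n]
    }
    # Only connection lines; skips the banner and the "Proto" header.
    $1 ~ /^(tcp|udp)/ {
        lp = port($4); fp = port($5)
        # UDP lines carry no state column, print "-" instead.
        printf "%s %s(%s) %s(%s) %s\n", $1, lp, cls(lp), fp, cls(fp), ($6 == "" ? "-" : $6)
    }'
}

# Sample input: lines from the post plus one constructed data-channel line.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  127.0.0.1.21           127.0.0.1.1268         ESTABLISHED
tcp          0      0  127.0.0.1.1268         127.0.0.1.21           ESTABLISHED
tcp          0      0  *.21                   *.*                    LISTEN
tcp          0      0  127.0.0.1.24290        127.0.0.1.50320        ESTABLISHED
udp          0      0  192.168.222.20.34895   85.12.29.43.123
EOF
}

sample_netstat | classify_netstat
```

On a live system the same filter can be fed directly with `netstat -an -f inet | classify_netstat`.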