After a client initiates an FTP session, the server establishes a new back connection to the client. This connection extends from the server (outside the firewall boundaries) to a dynamically allocated port number on the client computer. Because the port number is not known in advance, old packet filters open the entire range of high-numbered ports (greater than 1023) for incoming connections. This reconnection at a higher port is done with the following FTP command:
This reconnection at a higher port is done with the following FTP command:
port h1, h2, h3, h4, p1, p2
The values of h1 through h4 are octets of the client IP address. The last two values of p1, and p2 are used to determine the port. The following formula is for p1, and p2:
p1 X 256 + p2 = port
If the Firewall Network Address Translation (NAT) does not correctly change this IP address (h1 through h4), the server generates the error message.
The following sample command is an example of a port command:
port 10,20,30,40,5,25 = (IP Address: 10.20.30.40 / Port: 1305)