3Com MSR 50 Series Configuration Manual page 1793

3com msr 30-16: software guide
Figure 521 Schematic diagram of FTP detection (figure: FTP client using port 1333 for the control channel and port 1600 for the data channel; FTP server listening on port 21 for the control channel and using port 20 for the data channel; the control channel connection carries FTP instructions and acknowledgments, including PORT instructions; the data channel connection is opened by the server)
The setup process of an FTP connection is as follows:
Assume that the FTP client initiates an FTP control channel connection from
port 1333 to port 21 of the FTP server; as a result of negotiation, the server
initiates a data channel connection from port 20 to port 1600 of the client, and
the connection is removed when data transmission times out or ends.
Here is how FTP detection is implemented throughout the FTP connection process,
from setup to removal:
1 The ASPF checks IP packets on the outbound interface, and identifies that they are
TCP-based FTP packets.
2 Based on the port number, the ASPF identifies the connection as a control
connection, and creates a TACL for return packets and a status table.
3 The ASPF checks the FTP control connection packet, analyzes the FTP instruction,
and updates the status table based on the instruction. If the packet contains a
data channel setup instruction, the ASPF creates a TACL for the data connection.
For a data connection, the ASPF does not perform status detection.
4 For return packets, the ASPF performs corresponding match checks based on the
protocol type, and determines whether to permit the packets to pass according to
the status table and TACL for the corresponding protocol.
5 The status table and TACL are deleted when the FTP connection is removed.
The detection process for a single-channel protocol (such as SMTP and HTTP) is
relatively simple: a TACL is created at the connection initiation and the TACL is
deleted when the connection is removed.
Basic idea of transport layer protocol detection
The transport layer protocol detection here refers to general TCP/UDP detection.
Different from application layer protocol detection, general TCP/UDP detection is
specific to the transport layer information in the packets, such as source and
destination addresses and port numbers. General TCP/UDP detection requires a full
match between the packets returned to the external interface of the ASPF and the
packets previously sent out from the external interface of the ASPF, namely an exact
match of the source and destination addresses and port numbers; otherwise, the
return packets will be blocked. Therefore, for multi-channel application layer
protocols like FTP and H.323, deploying TCP detection without
application layer detection will cause the data connection setup to fail.
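As an added example (not code from the 3Com manual), the following Python models the five ASPF steps above for the active-mode FTP session in Figure 521 and contrasts them with plain TCP detection, where the server's port-20 data connection has no matching entry and is blocked. The Flow and Aspf classes, the addresses and the PORT payload are constructed for illustration only.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:                       # one direction of a TCP connection
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        return Flow(self.dst, self.dport, self.src, self.sport)


# Active-mode FTP data channel setup instruction: PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


class Aspf:
    def __init__(self, ftp_inspection=True):
        self.ftp_inspection = ftp_inspection
        self.status = {}    # status table: control flow -> instruction seen + its TACLs
        self.tacls = set()  # return-direction flows currently permitted in

    def outbound(self, flow, payload=b""):
        # Steps 1-2: an outbound packet creates a TACL for its own return direction.
        self.tacls.add(flow.reverse())
        if flow.dport == 21:  # identified as an FTP control connection
            entry = self.status.setdefault(flow, {"instruction": None, "tacls": {flow.reverse()}})
            if self.ftp_inspection:
                self._inspect_ftp(flow, entry, payload)

    def _inspect_ftp(self, flow, entry, payload):
        # Step 3: a PORT instruction announces the client data port, so a TACL is
        # created for the server-initiated data connection (server port 20 -> client).
        m = PORT_RE.match(payload.strip())
        if m:
            h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
            entry["instruction"] = "PORT"
            data = Flow(flow.dst, 20, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
            entry["tacls"].add(data)
            self.tacls.add(data)

    def inbound_allowed(self, flow):
        # Step 4: a return packet passes only on an exact TACL match (plain TCP detection).
        return flow in self.tacls

    def close(self, flow):
        # Step 5: removing the control connection deletes its status entry and TACLs.
        entry = self.status.pop(flow, None)
        if entry:
            self.tacls -= entry["tacls"]
```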
Firewall Overview
