One of my buddies is saying that TCP will be a problem for this gateway because it is going to establish a new connection for every message it sends (not Kafka but the underlying transport protocol itself is the issue), requiring a new port each time. At the rate we'll be sending these clients messages (gigabytes), Kafka will run out of ports to read from??
Your friend is badly confused. TCP is a stream-oriented protocol. It has no notion of messages. Of course, it does use packets at the IP layer, but to the application this is an implementation detail. TCP inserts packet boundaries where it makes sense to do so, and not necessarily once per write() or send(). Similarly, it combines successive packets together if you receive more than one between calls to read() or recv().
Needless to say, this stream-oriented design would be completely unworkable if every send established a new connection. So, the only way to establish a new connection is to close and reopen the connection manually.
(In practice, most protocols built on top of TCP have something which resembles messages, such as HTTP requests and responses. But TCP does not know or care about the structures of such things.)
It is possible that your friend was thinking of UDP, which does have messages, but is also connectionless. Most socket implementations allow you to "connect" a UDP socket to a remote host, but this is just a convenient way to avoid having to repeatedly specify the IP address and port. It does not actually do anything at the networking level. Nevertheless, you can manually keep track of which peers you are talking to under UDP. But if you do that, then deciding what counts as a "connection" is your problem, not the OS's. If you want to re-establish a "connection" on every message, you could do that. It probably isn't a very good idea, however.
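The behaviour the answer describes, as an added example that is not part of the original post: a client sends several "messages" of different sizes over one TCP connection, the local port never changes between sends, and because TCP carries no message boundaries the receiver has to impose its own framing (here a 4-byte length prefix) and loop on recv() until a whole message has arrived. The receiver runs in a thread on 127.0.0.1 so it is self-contained; the message contents are constructed.

```python
import socket
import struct
import threading

# Constructed sample messages of different sizes, including an empty one.
SAMPLE_MESSAGES = [b"hello", b"x" * 100_000, b"", b"last"]


def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket.

    One recv() may return fewer bytes than asked for (TCP has no message
    boundaries), so loop until the requested amount has arrived.
    """
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the stream before %d bytes arrived" % n)
        buf.extend(chunk)
    return bytes(buf)


def frame(message):
    """Length-prefix a message so the receiver can find where it ends."""
    return struct.pack("!I", len(message)) + message


def read_frame(sock):
    """Read one length-prefixed message from the stream."""
    (length,) = struct.unpack("!I", recv_exact(sock, 4))
    return recv_exact(sock, length)


def _receiver(listener, count, received):
    """Accept a single connection and read `count` framed messages from it."""
    conn, _ = listener.accept()
    with conn:
        for _ in range(count):
            received.append(read_frame(conn))


def send_over_one_connection(messages):
    """Send all messages over a single TCP connection to a local receiver.

    Returns (local_ports_seen, received_messages). A persistent connection
    keeps the same 4-tuple for every send(), so the set of local ports has
    exactly one element: no port is consumed per message.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    received = []
    worker = threading.Thread(target=_receiver, args=(listener, len(messages), received))
    worker.start()
    ports_seen = set()
    with socket.create_connection(listener.getsockname()) as client:
        for m in messages:
            client.sendall(frame(m))  # sendall() loops until every byte is queued
            ports_seen.add(client.getsockname()[1])
    worker.join()
    listener.close()
    return ports_seen, received


if __name__ == "__main__":
    ports, got = send_over_one_connection(SAMPLE_MESSAGES)
    print("local ports used:", ports)
    print("all messages received intact:", got == SAMPLE_MESSAGES)
```

Port exhaustion only becomes a real concern when the application itself opens and closes a connection per message; connections that are torn down sit in TIME_WAIT for a while, so a sender doing that at high rate can run short of ephemeral ports. A client that keeps one connection open, as above, does not.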
On the Fortigate GUI, go to Log & Report -> Forward Traffic. You might need to filter by Source or Destination (IP address). Likely, no firewall rule matches the packet and it was dropped (Policy 0, Implicit Deny, Result "Deny: policy violation").
Alternatively, use IPv4 Policy -> Policy lookup and specify source, destination, ports, protocol and check which policy applies.
If the packet in question does not show up in the log and the policies are good you can use Network -> Packet Capture for a packet-level analysis. If that doesn't show anything either, the far end isn't sending the packet and you need to check there.
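The log check described in the answer, done over an exported log rather than in the GUI, as an added example that is not from the original post: a small parser for FortiGate-style key=value traffic log lines that filters by source, destination and port and flags the policyid=0 implicit deny. The three log lines are constructed; the field names used (type, subtype, srcip, dstip, dstport, proto, action, policyid, msg) follow the usual traffic-log convention but should be treated as an assumption and checked against your own export.

```python
import shlex

# Constructed sample lines in FortiGate's key=value traffic-log style.
# Field names are an assumption; adapt them to your log export.
SAMPLE_LOG = """\
type="traffic" subtype="forward" srcip=10.1.1.5 srcport=51234 dstip=10.2.2.10 dstport=443 proto=6 action="accept" policyid=12 policyname="lan-to-dmz"
type="traffic" subtype="forward" srcip=10.1.1.5 srcport=51235 dstip=10.2.2.10 dstport=9092 proto=6 action="deny" policyid=0 policytype="policy" msg="Denied: policy violation"
type="traffic" subtype="forward" srcip=10.1.1.7 srcport=40000 dstip=8.8.8.8 dstport=53 proto=17 action="accept" policyid=3 policyname="dns-out"
"""

PROTO_NAMES = {"6": "TCP", "17": "UDP", "1": "ICMP"}


def parse_line(line):
    """Split one key=value log line into a dict, honouring quoted values."""
    fields = {}
    for token in shlex.split(line):  # shlex keeps 'msg="a b"' as one token
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def matching_flows(log_text, src=None, dst=None, dport=None):
    """Return forward-traffic records matching the given source/destination/port."""
    matches = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("type") != "traffic" or rec.get("subtype") != "forward":
            continue
        if src is not None and rec.get("srcip") != src:
            continue
        if dst is not None and rec.get("dstip") != dst:
            continue
        if dport is not None and rec.get("dstport") != str(dport):
            continue
        matches.append(rec)
    return matches


def is_implicit_deny(rec):
    """True when no explicit policy matched and the implicit deny (policy 0) fired."""
    return rec.get("action") == "deny" and rec.get("policyid") == "0"


def explain(rec):
    """One-line human summary of what the firewall did with the flow."""
    proto = PROTO_NAMES.get(rec.get("proto", ""), "proto " + rec.get("proto", "?"))
    flow = "%s:%s -> %s:%s/%s" % (
        rec.get("srcip"), rec.get("srcport"), rec.get("dstip"), rec.get("dstport"), proto)
    if is_implicit_deny(rec):
        return flow + " dropped by implicit deny (policy 0): no policy matched"
    return "%s %s by policy %s (%s)" % (
        flow, rec.get("action"), rec.get("policyid"), rec.get("policyname", "unnamed"))


if __name__ == "__main__":
    for rec in matching_flows(SAMPLE_LOG, src="10.1.1.5", dst="10.2.2.10"):
        print(explain(rec))
```

If the flow you are looking for produces no record at all, the packet never reached a forwarding decision on this unit (wrong interface, route, or the far end never sent it), which is when the packet capture step in the answer applies.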
Best Answer
FTP uses a control connection and for each transfer, a data connection in parallel - so the answer is: two. Both are TCP connections.
If you browse a directory first, each mdir requires an additional TCP connection - data connections are only used for a single transfer. The difference between active and passive mode is the direction of the data connection: with traditional "active" it's connected from the server to the client and with the more common "passive" it's from client to server.
Edit: As jonathanjo has noted, FTP's FXP mode can use two control connections to different servers to make the servers open the data connection between them and transfer the data without it passing through the client (for a total of three connections). FXP has several potential security issues and isn't very common.
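Working out the two connections and their direction from the control-channel exchange, as an added example that is not part of the original answer: the server's 227 reply (passive) or the client's PORT command (active) both carry the data endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2, and which side initiates the data connection follows from the mode. The check that the announced address matches the control-connection peer is an added sanity check (the classic FTP bounce defence) and an assumption about policy, not something the answer prescribes; the connection-count helper just encodes the answer's arithmetic, including the three-connection FXP case.

```python
import re

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  -- server reply, passive mode
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# PORT h1,h2,h3,h4,p1,p2                          -- client command, active mode
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)


def _decode_hostport(groups):
    """Turn the six comma-separated bytes into (ip, port)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in FTP host/port tuple: %r" % (nums,))
    h1, h2, h3, h4, p1, p2 = nums
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_pasv_reply(reply):
    """Data endpoint announced by the server in a 227 reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    return _decode_hostport(m.groups())


def parse_port_command(command):
    """Data endpoint announced by the client in a PORT command."""
    m = PORT_RE.match(command.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % command)
    return _decode_hostport(m.groups())


def data_connection(mode, client_ip, server_ip, control_line):
    """Return (initiator_ip, target_ip, target_port) for one data transfer.

    passive: the client connects to the address in the server's 227 reply.
    active:  the server connects to the address in the client's PORT command
             (traditionally from its own port 20).
    Added check (an assumption, not from the answer): reject an announced
    host that is not the control-connection peer, which is how a bounce
    through a third host would look.
    """
    if mode == "passive":
        host, port = parse_pasv_reply(control_line)
        expected, initiator = server_ip, client_ip
    elif mode == "active":
        host, port = parse_port_command(control_line)
        expected, initiator = client_ip, server_ip
    else:
        raise ValueError("mode must be 'passive' or 'active'")
    if host != expected:
        raise ValueError("announced data host %s is not the peer %s" % (host, expected))
    if port < 1024:
        raise ValueError("announced data port %d is a privileged port" % port)
    return initiator, host, port


def connection_count(transfers, fxp=False):
    """TCP connections for a session: one control connection per server
    (two for FXP, which talks to two servers) plus one data connection per
    transfer or directory listing."""
    return (2 if fxp else 1) + transfers


if __name__ == "__main__":
    print(data_connection("passive", "10.0.0.5", "192.168.1.10",
                          "227 Entering Passive Mode (192,168,1,10,195,80)."))
    print(data_connection("active", "10.0.0.5", "192.168.1.10", "PORT 10,0,0,5,4,1"))
    print("connections for one download:", connection_count(1))
    print("connections for one FXP transfer:", connection_count(1, fxp=True))
```

For firewall rules this is the practical consequence of the answer: in passive mode only the client side needs to initiate (to the server's announced high port), while in active mode the client side must accept an inbound connection from the server, which is why passive mode is the common choice behind NAT and stateful firewalls.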