ftp through firewall

Brian Phillips wrote in news: snipped-for-privacy@clara.net:

Well whether it be a router, FW appliance, host based FW or a PFW solution, one has to set rules to forward the FTP port(s) traffic, open them to public access on the FW, to the IP/machine that has the FTP server running so that someone can make contact with the FTP site. The one thing that IPcop (never used it) will ensure is that only FTP traffic will come down the ports and drop any other type of traffic.

The one thing you should be concerned about is whether the machine is secure enough to be exposed to the public Internet. Are the O/S, file system, FTP server software, user accounts, O/S security patches applied, etc, etc, and has the machine in general been *hardened* against attack?

That's where the problem is, not that you have opened ports to the public on the FW, as you have to do that for a client to contact the site.

Duane :)

Reply to
Duane Arnold

I am using IPCop to feed a small network.

In its default state IPCop has all incoming ports closed and all outgoing ports open.

Following the advice that I see repeatedly in this newsgroup, I close all outgoing ports except those required for web access, e-mail, news and time, using IPTables. I also isolate one computer on the network completely from the internet. This all works very well.

I now wish to use an ftp client (FileZilla), and I have opened outgoing port 21 for this purpose.

If I use the normal or active ftp mode, then, as I understand the matter, the ftp client will, after the command channel from a high-numbered local port to port 21 on the remote ftp server has been established, notify the remote ftp server of the port to use for transferring data. The data is then transferred by the remote ftp server from its port 20 to the port specified by the local ftp client. Unfortunately, as everyone knows, this link will not function because it will be initiated by the remote ftp server and so will be blocked by the firewall.

My first question is how do the professional security advisors overcome this problem? The only solution that I can think of is to forward incoming traffic from port 20 around the firewall - but this would presumably reduce security.

The next problem arises if I try to use the passive mode of ftp. In this mode, as far as I understand the matter, once the command channel has been established as for the active mode, the local ftp client sends a message (PASV) to the ftp server that it wishes to use the passive mode. The remote ftp server then notifies the ftp client of the port on which it will be listening so that the ftp client may initiate data transfer from that port.

The problem with this arrangement is that the local ftp client has to send a message to the port specified by the ftp server, but such a message will be blocked because all outgoing ports (except those for the web) are closed.

Again, I wonder how the professionals deal with this problem.

I ought to say that I have tried the IPCop mailing list but so far no one has had the time to reply. Hence, if any one on this news group could give me any guidance I would be very grateful.

Regards

Brian

Reply to
Brian Phillips

Setting up a firewall for FTP connections is a little awkward. I am not familiar with IPCop but this is how I have my Sygate setup.

Advanced rules

  1. Allow FileZilla outgoing TCP connection to remote port 21 from local ports 1025-3000.
  2. Allow FileZilla incoming TCP connection from remote port 20 to local ports 1025-3000. (Note: rules 1 and 2 will accommodate active ftp. They are enabled all the time.)
  3. Allow FileZilla outgoing TCP connection to remote ports 1025-65535 from local ports 1025-3000. (Note: rule 3 will accommodate passive ftp, which I seldom use. Rule 3 is normally disabled. If I cannot make an FTP download, then I temporarily enable rule 3 for the download. After the download, I disable rule 3.) You might find this helpful: Active FTP vs Passive FTP
Reply to
Casey
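An added example (not from the thread or from any of the posters) that models the negotiation Brian describes and checks it against a rule set shaped like Casey's three Sygate rules: it decodes the server's 227 PASV reply, builds the client's PORT command for active mode, and reports whether the resulting data channel would pass the rules. The rule tuples, the constructed 227 reply and the 192.0.2.10 / 192.168.1.10 addresses are assumptions made for the example.

```python
import re
from typing import Iterable, Tuple

# Added example, not the thread's own code. A firewall rule is modelled as
# (direction, (remote_lo, remote_hi), (local_lo, local_hi)), mirroring
# Casey's rules 1-3 (the ranges are his; the tuple shape is assumed here).
Rule = Tuple[str, Tuple[int, int], Tuple[int, int]]
CASEY_RULES = [
    ("out", (21, 21), (1025, 3000)),       # rule 1: control channel to port 21
    ("in", (20, 20), (1025, 3000)),        # rule 2: active data channel from port 20
    ("out", (1025, 65535), (1025, 3000)),  # rule 3: passive data channel (usually disabled)
]

def parse_pasv(reply: str) -> Tuple[str, int]:
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'.
    The server listens on p1*256 + p2 and the client must connect OUT to it."""
    m = re.match(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a PASV (227) reply: %r" % reply)
    octets = list(map(int, m.groups()))
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in %r" % reply)
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]

def port_command(local_ip: str, local_port: int) -> str:
    """Build the PORT command an active-mode client sends; the server will then
    connect IN from its port 20 to local_port, which the firewall must accept."""
    return "PORT %s,%d,%d" % (local_ip.replace(".", ","), local_port // 256, local_port % 256)

def allowed(direction: str, remote_port: int, local_port: int, rules: Iterable[Rule]) -> bool:
    """True if any rule matches the direction, remote port and local port."""
    return any(d == direction and rlo <= remote_port <= rhi and llo <= local_port <= lhi
               for d, (rlo, rhi), (llo, lhi) in rules)

def data_channel_allowed(mode: str, local_port: int, server_port: int, rules) -> bool:
    """Active: inbound from the server's port 20 (server_port is ignored).
    Passive: outbound from local_port to the port the 227 reply announced."""
    if mode == "active":
        return allowed("in", 20, local_port, rules)
    if mode == "passive":
        return allowed("out", server_port, local_port, rules)
    raise ValueError("mode must be 'active' or 'passive'")

if __name__ == "__main__":
    # Constructed 227 reply; 195*256 + 80 = 50000 is the server's data port.
    host, pasv_port = parse_pasv("227 Entering Passive Mode (192,0,2,10,195,80)")
    print(host, pasv_port, port_command("192.168.1.10", 2000))
    print(data_channel_allowed("passive", 2000, pasv_port, CASEY_RULES[:2]))  # Brian's blocked case
    print(data_channel_allowed("passive", 2000, pasv_port, CASEY_RULES))      # passes once rule 3 is on
```

With only rule 1 enabled (IPCop's default of all incoming ports closed) the active data channel fails as Brian observed, and with rules 1 and 2 the passive channel fails as he described in his second question.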

In message , Casey writes

Thanks Casey

I followed your first two rules to the letter and ftp transfers worked.

I had experimented earlier with a similar arrangement but using just ports 5050 and 5051 rather than 1025-3000. My arrangement did not work.

Since your arrangement does work, I then tried some experiments and my conclusion is that 25 ports is the minimum that will work on my system, and the 25 ports can apparently be almost anywhere. Thus I find that

1025-1050 works and so does 2025-2050.

I also find that 1025-1049 does not work.

What puzzles me is why it is necessary to have more than just one port, since the protocol seems to be met by just one.

Anyhow I now have a working system and, having spent many hours trying unsuccessfully in the past, I am very grateful to you.

Thanks also Duane. I think that I had not made it clear that I was concerned only with an ftp client and not with an ftp server.

Regards

Brian

Reply to
Brian Phillips

Just a question -

When you're talking about the higher port numbers, is this for the PASV mode? Do you have to have PASV mode active or allowed on the server or the client?

Basically I am asking - why do you use the PASV mode on the FTP transfers?

Thanx,

Demon

Reply to
Demon77

You're welcome Brian. You bring up an interesting question about the Local Ports numbers that need to remain Unblocked. Based on my Sygate traffic log, it appears that the Win98 Local Ports start at 1025 but I have never known how much higher the requirement goes. I knew I had the block set too wide. It probably depends on how much browsing you do between computer shutdowns. I'll look into that too and see how narrow I can make that block of port numbers. This will go along with my thinking about firewall setup--Block Everything You Do Not Use. Casey

Reply to
Casey

My FTP downloaders are set for Active FTP. That is why I said I seldom use my posted rule 3 which accommodates Passive FTP. Casey

Reply to
Casey

You may want to read the following:

"The difference between PASV FTP and Normal FTP"

It may provide some insight into the issue you're encountering.

Reply to
Don Kelloway

Thanks Don, good info. This supplements the FTP descriptions at the "Active FTP vs Passive FTP" site mentioned above. Casey

Reply to
Casey
