The FTP file transfer protocol is not particularly attractive from the firewall point of view, mainly because it was designed long before security became an important consideration. The more modern HTTP protocol does have some other problems, but it is much easier to handle for firewalls. Another complication is that there are two variants of the FTP protocol: active and passive FTP. The following is a somewhat simplified description of these alternatives:
A transfer starts with the opening of a command channel from the client (high port) to the server (port 21).
When data is to be transferred, the client opens another high port and sends a command over the command channel to convey the port number. The server opens a connection from port 20 to the new client port.

The problem from the firewall point of view is mainly that the server connection is from the wrong direction. The connection is from the outside, but it is really the client that controls the connection. Dynamic FTP management allows the firewall to create a shadow rule for the data channel connection.
Passive FTP starts the same way as active FTP: a command channel is opened from the client (high port) to the server (port 21). When data is to be transferred, the client sends the command PASV, which asks the server to open a high port and send back its number. The client then opens a connection from a high port of its own to that high port on the server.

The problem from a firewall point of view is mainly that the connection for data transfer is made from one high port to another, and we do not know either of the port numbers beforehand.
Some FTP clients can only manage active FTP, while others can only manage passive FTP. Some try passive first, then go to active if this fails. Also, it is not certain that all FTP servers in the world can manage passive FTP. Dynamic FTP management allows the firewall to create a shadow rule for the data channel connection.
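As an added example, not part of the Ingate documentation, the following Python sketches what dynamic FTP management has to derive from the command channel: it parses the PORT command (active FTP) or the 227 reply to PASV (passive FTP) and produces the shadow rule for the data channel, rejecting announced addresses that do not belong to the peer and ports that are not high ports. The ShadowRule class, the function names and all addresses and ports are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The "h1,h2,h3,h4,p1,p2" address/port encoding used by PORT and the 227 reply.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

@dataclass(frozen=True)
class ShadowRule:
    """Temporary allow rule for one FTP data channel (constructed for this example)."""
    src_ip: str
    src_port: Optional[int]  # None = any port (the client's unknown high port)
    dst_ip: str
    dst_port: int
    variant: str             # "active" or "passive"

def _parse_hostport(text: str) -> tuple:
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field found")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range")
    port = octets[4] * 256 + octets[5]
    if port <= 1023:  # data ports are high ports; reject anything else
        raise ValueError(f"data port {port} is not a high port")
    return ".".join(str(o) for o in octets[:4]), port

def shadow_rule(line: str, client_ip: str, server_ip: str) -> ShadowRule:
    """Rule for the data channel announced by one command-channel line.

    client_ip/server_ip are the endpoints of the command channel (port 21); the
    announced address must belong to the expected endpoint or the line is rejected.
    """
    line = line.strip()
    if line.upper().startswith("PORT "):      # active FTP: client announces its port
        ip, port = _parse_hostport(line)
        if ip != client_ip:
            raise ValueError("PORT announces an address other than the client's")
        # The server will connect from port 20 to the client's high port.
        return ShadowRule(server_ip, 20, ip, port, "active")
    if line.startswith("227 "):               # passive FTP: server announces its port
        ip, port = _parse_hostport(line)
        if ip != server_ip:
            raise ValueError("227 reply announces an address other than the server's")
        # The client will connect from some high port to the server's high port.
        return ShadowRule(client_ip, None, ip, port, "passive")
    raise ValueError("not a PORT command or a 227 reply")
```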
Regardless of whether NAT is used, and whether the server supports active or passive FTP, the FTP configuration is as follows.
To manage the command channel (control connection), we set up the following service:
The ftp service is let through in the usual way in Rules. If we assume that everyone on the inside can run FTP against the entire Internet:
No firewall rule for the data channel connection is needed when dynamic FTP management is used.
To allow FTP traffic from the outside to servers within the protected network, there are two alternatives: use firewall rules or use the FTP relay in Ingate Firewall.
The following service is used in the rules below:
To allow active and passive FTP from the entire Internet to the FTP server, the following configuration is needed in Rules:
There are no troubling holes in this set of rules.
To manage active and passive FTP in this way, set up a relay from the firewall to the computer on the inside that manages FTP:
Relays

| Listen to: IP address | Listen to: Port | Relay to: DNS name or IP address | Relay to: Port | Relay type | Allow access from: Networks |
|---|---|---|---|---|---|
| Outside (1.2.3.4) | 21 | 192.168.1.42 | 21 | FTP relay | Internet |
In this example, we assume that the FTP server on the inner network has the address 192.168.1.42. Please note that clients on the outside should connect to the IP address 1.2.3.4 (or a DNS name for the outside), not 192.168.1.42. To use a different IP address than the usual one for the outside of the firewall, we use an alias.