Rules for inbound FTP

Discuss and get help to configure the firewall
Douglas
Posts: 55
Joined: 15 Feb 2018 12:04

Re: Rules for inbound FTP

Post by Douglas »

Thanks, that admin access is now deleted.
Awaiting advice on how we solve the passive ports issue, which briefly worked whilst that rule was live.
Douglas
Posts: 55
Joined: 15 Feb 2018 12:04

Re: Rules for inbound FTP

Post by Douglas »

You may find this useful.
https://wiki.filezilla-project.org/Netw ... ive_mode_2

And this in particular:
"If you do not want to allow incoming connections on all ports, or if you have a NAT router, you need to tell FileZilla Server to use a specific range of ports for passive mode connections. You will have to open these ports in your firewall. If you have a NAT router, you need to forward these ports to the local machine FileZilla Server is installed on. Depending on your router model, you can either forward a range of ports or you need to forward all ports individually.

Valid ports can be from 1 to 65535, however ports less than 1024 are reserved for other protocols. It is best to choose ports >= 50000 for passive mode FTP. Due to the nature of TCP (the underlying transport protocol), a port cannot be reused immediately after each connection. Hence the range of ports should not be too small or transfers of multiple small files can fail. A range of 50 ports should be sufficient in most cases. "
david
Posts: 163
Joined: 08 Aug 2015 20:38

Re: Rules for inbound FTP

Post by david »

Thank you for sharing that FileZilla page with us. Active and passive FTP are quite complex protocols and when I forget the way that they work, I always consult the following explanation: http://slacksite.com/other/ftp.html. I hope that it can help our readers.

It's likely that your FTP server (FileZilla FTP Server?) implements the FTP protocol slightly differently compared to the FTP server that we use in your lab (Linux vsftpd v3.0.3). That may explain why our proposed firewall rules work in our lab but not in your environment.

In this case we can explicitly open passive FTP ports used by your FTP server (5000-5100?). What happens then if you implement the following rules:

firewall external add FixPassiveFTP21 allow tcp any rweb any 21 nil 10.0.10.11
firewall external add FixPassiveFTP990 allow tcp any rweb any 990 nil 10.0.10.11
firewall external add DynPassiveFTP allow tcp any rweb any 5000:5100 nil 10.0.10.11

BR,
David Janeway
CacheGuard Technical Team
https://www.cacheguard.com
Douglas
Posts: 55
Joined: 15 Feb 2018 12:04

Re: Rules for inbound FTP

Post by Douglas »

Success, thank you :D
david
Posts: 163
Joined: 08 Aug 2015 20:38

Re: Rules for inbound FTP

Post by david »

Hi,

You are very welcome! However, I just tested your configuration in my lab using a FileZilla FTP Server v0.9.60 beta (instead of a vsftpd server) and the firewall rule based on the CG protocol called ftp_passive works very well. Can you please let me know which version of FileZilla FTP Server you use?

BR,
David Janeway
CacheGuard Technical Team
https://www.cacheguard.com
Douglas
Posts: 55
Joined: 15 Feb 2018 12:04

Re: Rules for inbound FTP

Post by Douglas »

Could that be because your example is within the RFC range, whilst mine and FileZilla's are above it, i.e. add a zero?
I've not had time to change mine to see if that is the reason, but it would be good for us all to know.
david
Posts: 163
Joined: 08 Aug 2015 20:38

Re: Rules for inbound FTP

Post by david »

I don't think so. Below is an extract from RFC 6056 (https://tools.ietf.org/html/rfc6056):
2.1. Traditional Ephemeral Port Range

The Internet Assigned Numbers Authority (IANA) assigns the unique parameters and values used in protocols developed by the Internet Engineering Task Force (IETF), including well-known ports [IANA]. IANA has reserved the following use of the 16-bit port range of TCP and UDP:

- The Well-Known Ports, 0 through 1023.
- The Registered Ports, 1024 through 49151.
- The Dynamic and/or Private Ports, 49152 through 65535.

The dynamic port range defined by IANA consists of the 49152-65535 range, and is meant for the selection of ephemeral ports.
The answer lies in the following question: should we consider FTP passive ports as dynamic or as registered? I have also observed that registered ports are sometimes used by clients under Linux. I can't explain that and I think that the discussion around this subject goes beyond the scope of this forum.

Best Regards,
David Janeway
CacheGuard Technical Team
https://www.cacheguard.com
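To make the two points above concrete (the rules that open 21, 990 and 5000:5100 towards the FTP server, and the IANA port classes quoted from RFC 6056), here is a small added Python example; it is not code from the thread, from CacheGuard or from FileZilla. It parses the PASV reply that a passive-mode server sends ("227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", port = p1*256 + p2, per RFC 959), classifies the resulting data port against the IANA ranges, and checks whether the port falls inside one of the ranges the firewall rules open. The sample replies and the 192.168.1.5 address are constructed for illustration; 10.0.10.11 is the server address used in the thread's rules.

```python
"""Passive-FTP data-port check: parse a PASV reply, derive the data port,
classify it against the IANA ranges quoted from RFC 6056, and test it
against the port ranges opened by the firewall rules in this thread."""
import re
from typing import List, Tuple

# Matches an RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(
    r"^227\b.*?\("
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Port ranges opened by the three rules discussed in the thread
# (FixPassiveFTP21, FixPassiveFTP990, DynPassiveFTP), inclusive on both ends
# like the lo:hi syntax used in those rules.
ALLOWED_RANGES: List[Tuple[int, int]] = [(21, 21), (990, 990), (5000, 5100)]


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Return (host, port) advertised by a PASV reply; port = p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV (227) reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"byte out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def iana_port_class(port: int) -> str:
    """Classify a TCP port using the IANA ranges cited from RFC 6056 section 2.1."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of 16-bit range: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def firewall_allows(port: int, ranges: List[Tuple[int, int]] = ALLOWED_RANGES) -> bool:
    """True if one of the opened ranges covers the port."""
    return any(lo <= port <= hi for lo, hi in ranges)


def check_pasv(reply: str, server_ip: str,
               ranges: List[Tuple[int, int]] = ALLOWED_RANGES) -> dict:
    """Summarize one PASV reply: where the client will connect and whether the firewall lets it."""
    host, port = parse_pasv_reply(reply)
    return {
        "host": host,
        "port": port,
        "iana_class": iana_port_class(port),
        "allowed": firewall_allows(port, ranges),
        # A NATed server that advertises its private address sends the client
        # to the wrong host even when the port itself is open.
        "host_matches_server": host == server_ip,
    }


# Constructed sample replies (not captured from the servers in the thread).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (10,0,10,11,19,136)",   # 19*256+136 = 5000, inside 5000:5100
    "227 Entering Passive Mode (10,0,10,11,19,237)",   # 19*256+237 = 5101, just outside
    "227 Entering Passive Mode (10,0,10,11,195,92)",   # 195*256+92 = 50012, IANA dynamic, not opened
    "227 Entering Passive Mode (192,168,1,5,19,136)",  # port ok, but a private address is advertised
]

if __name__ == "__main__":
    for r in SAMPLE_REPLIES:
        print(check_pasv(r, server_ip="10.0.10.11"))
```

The third sample shows the mismatch discussed in this thread: a server configured with a passive range in the dynamic block (49152 and up) advertises ports that the 5000:5100 rule never opens, so the control connection on 21 succeeds and only data transfers fail. Whichever range you pick, the firewall rule and the server's passive-port setting have to name the same range.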
Douglas
Posts: 55
Joined: 15 Feb 2018 12:04

Re: Rules for inbound FTP

Post by Douglas »

Thanks & agreed.
charles
Site Admin
Posts: 41
Joined: 06 Nov 2014 16:23
Location: Paris

Re: Rules for inbound FTP

Post by charles »

Hi,

We are pleased to announce that we just released CacheGuard-OS version EH-1.3.6. This new release fixes the bug that prevented the use of CG's IP addresses as the destination IP in firewall rules. Therefore, you can safely replace the previously mentioned firewall rules with the following rules:

firewall external add FixPassiveFTP21 allow tcp any rweb 192.168.155.1 21 nil 10.0.10.11
firewall external add FixPassiveFTP990 allow tcp any rweb 192.168.155.1 990 nil 10.0.10.11
firewall external add DynPassiveFTP allow tcp any rweb 192.168.155.1 5000:5100 nil 10.0.10.11

As you can see, any has been replaced by CG's external IP address (192.168.155.1).

Best Regards,
Charles Tajvidi
IT Technical Architect
http://www.cacheguard.com