FTP - PASV behind a NAT'ing firewall

I've got a web server that someone needs access to for their content management system. The web server is protected by a hardware firewall and so the first thing I did was to install FileZilla as the server. These are the security measures I applied:

1. Set FileZilla to utilise SSL/TLS to provide secure comms on a custom port
2. Enabled IP filtering on the hardware firewall
3. Required the user to supply a username and password to access the service
4. Enabled PASV mode on FileZilla

My user can connect but they can't see a directory listing (I have no problem accessing it from an external location and listing the directory) and I think it's because of their firewall settings preventing them from communicating in PASV mode.

They want me to provide an FTP service utilising active mode and leave the security at just the IP filtering (I know, they're missing the point about the SSL). Am I right in saying this isn't the solution, that I need to have the server in PASV mode anyway because my server is protected by a hardware firewall doing one-to-one NAT? Is it even possible to use active mode behind a NAT'ing firewall?
 
JonRohan said:
You need to set the passive ports range on your firewall.

I had exactly the same problem on my home FTP server. It connected to the FTP server but wouldn't show any directories. After opening a specified range of ports, i.e. 2500-2600, it started to work.
Yes, that's what I thought and I've had it working using PASV mode with no problem :)

So I'm right in saying the only way of accessing the FTP service on a server behind a NAT'ing firewall is to use PASV mode? It's just that I need to tell the user that they will *have* to open their own firewall ports (though I don't know why their firewall is preventing them from LAN to WAN access).
 
I got this from somewhere else:

Forwarding ports 21 *and* 20 will work in "active" mode, but you will need to take firewall / NAT on the outside client machine into consideration. If there's a firewall blocking everything incoming >1023 on the client end, or the machine is behind NAT (without all ports >1023 being forwarded), then it is unlikely to work. The problem lies in the fact that the client doesn't initiate the data connection to the server; it simply tells the server what port is open on the client machine and the server then tries to initiate the connection to the client's data port. Such behaviour is usually blocked by the firewall (it sees it as a new connection).

and this:

Passive FTP is used when a server is behind a NAT (Network Address Translation). Passive (PASV) is able to bypass the problems a NAT presents by sending a special (PASV) command to the FTP server; the client then attempts to use a dynamic high-level port to transfer information. This poses a problem for firewalls that are designed to stop communication on specific static ports.

and this is from the settings dialog on the FileZilla server interface:

Use custom PASV settings if you are operating the server from behind a NAT router or a firewall. In that case, the IP address of the server is not accessible from outside of the router, so you should fill in the correct address here. Use the port range to limit the number of ports that will need to be forwarded through the router.

I'm using a hardware firewall with one-to-one NAT so if I'm reading it correctly, surely the only way of establishing a data channel is for the client to use PASV mode? In fact, I've just experimented with it and I even had to provide the server's external NAT'ed IP address for the directory listing to work in PASV mode which tends to corroborate the last quote. However, I'm still not 100% sure that this is all necessary in active mode... :confused:
 
Thanks for that, I'll try an active connection without SSL then.

What do you think of the security implications though, that the user wants to access the service over an unencrypted channel? I will use IP filtering of course and they will need to log on with a username and password; they will have read/write access to the server though they should only have access to the directory FileZilla permits.
 
It's the user's web site that they're using a content management system on, so I doubt their data is sensitive; however, their username and password is going to be unencrypted and they're not the only user on the web server. Ah well, if IP filtering is going to be enough, that's fine, I'll go with that :)

One other thing though, if I'm using FileZilla server and allowing the user to access it in active mode, I'll have to open a port below and above the FTP port won't I?
 
oddjob62 said:
Shouldn't have to. With an active connection, the client connects to the server on port 21, then the server connects back to the client from port 20 to a high port on the client. As long as the client-side firewall understands FTP and you're not blocking outgoing on your firewall, it should work fine.
I'll have to enable the lower port on the firewall (SonicWall) then to allow access from LAN->WAN. What does worry me, now you've said that, is the high port it expects to open. The user has their own firewall and you can bet they won't have any given port open unless specified.

Incidentally, can you suggest anywhere to read up on this? I understood the PASV mode stuff no problem because everything's specified, custom ports, SSL and so on. The active connection seems very different; it's very prescriptive apparently.

Finally, if you liked this thread, I've got a really interesting one to post very soon. It's all about VLANs and layer 3 switches :)
 
OK, I've got it I think. That link was a very concise explanation as well :)

One thing from the link that does bother me is this:

"active FTP will not function when used in conjunction with a client-side NAT (Network Address Translation) device which is not smart enough to alter the IP address info in FTP packets"

I don't know what the user's firewall is and judging by their inability to get PASV mode working from their side, it doesn't look like they have a good understanding of its configuration either. If anything, by providing PASV mode, I'm catering for clients IMO and I just hope I can persuade the user of that fact.
 