FTP - PASV behind a NAT'ing firewall

I've got a web server that someone needs access to for their content management system. The web server is protected by a hardware firewall and so the first thing I did was to install FileZilla as the server. These are the security measures I applied:

1. Set FileZilla to utilise SSL/TLS to provide secure comms on a custom port
2. Enabled IP filtering on the hardware firewall
3. Required the user to supply a username and password to access the service
4. Enabled PASV mode on FileZilla

My user can connect but they can't see a directory listing (I have no problem accessing it from an external location and listing the directory) and I think it's because of their firewall settings preventing them from communicating in PASV mode.

They want me to provide an FTP service utilising active mode and leave the security at just the IP filtering (I know, they're missing the point about the SSL). Am I right in saying this isn't the solution, that I need to have the server in PASV mode anyway because my server is protected by a hardware firewall doing one-to-one NAT? Is it even possible to use active mode behind a NAT'ing firewall?
 
You need to set the passive ports range on your firewall.

I had exactly the same problem on my home FTP server. It connected to the FTP server but wouldn't show any directories. After opening a specified range of ports, i.e. 2500-2600, it started to work.
 
JonRohan said:
You need to set the passive ports range on your firewall.

I had exactly the same problem on my home FTP server. It connected to the FTP server but wouldn't show any directories. After opening a specified range of ports, i.e. 2500-2600, it started to work.
Yes, that's what I thought and I've had it working using PASV mode with no problem :)

So I'm right in saying the only way of accessing the FTP service on a server behind a NAT'ing firewall is to use PASV mode? It's just that I need to tell the user that they will *have* to open their own firewall ports (though I don't know why their firewall is preventing them from LAN to WAN access).
 
I'm sure you can use an FTP server behind a firewall without PASV. It will depend on the FTP software.

I would imagine if a user initiates the FTP connection they won't have to have the appropriate ports open as the firewall should realise that communication is ok. Again, depends on what firewall.

I've never had to open passive ftp ports for users accessing servers at work.
 
I got this from somewhere else:

Forwarding ports 21 *and* 20 will work in "active" mode, but you will need to take firewall / NAT on the outside client machine into consideration. If there's a firewall blocking everything incoming >1023 on the client end, or the machine is behind NAT (without all ports >1023 being forwarded), then it is unlikely to work. The problem lies in the fact that the client doesn't initiate the data connection to the server; it simply tells the server what port is open on the client machine and the server then tries to initiate the connection to the client's data port. Such behaviour is usually blocked by the firewall (it sees it as a new connection).

and this:

Passive FTP is used when a server is behind a NAT (Network Address Translation). Passive (PASV) is able to bypass the problems a NAT presents by bypassing the NAT, sending a special (PASV) command to the FTP server; the client then attempts to use a dynamic high-level port to transfer information. This poses a problem for firewalls that are designed to stop communication on specific static ports.

and this is from the settings dialog on the FileZilla server interface:

Use custom PASV settings if you are operating the server from behind a NAT router or a firewall. In that case, the IP address of the server is not accessible from outside of the router, so you should fill in the correct address here. Use the port range to limit the number of ports that will need to be forwarded through the router.

I'm using a hardware firewall with one-to-one NAT so if I'm reading it correctly, surely the only way of establishing a data channel is for the client to use PASV mode? In fact, I've just experimented with it and I even had to provide the server's external NAT'ed IP address for the directory listing to work in PASV mode which tends to corroborate the last quote. However, I'm still not 100% sure that this is all necessary in active mode... :confused:
 
Basically SSL confuses the NAT firewalls as they cannot read the PASV packet to find out what port the data channel will be coming in on.
You will need to open up the whole range of PASV ports so that they can get through to the server.

EDIT: oh and btw Active can work behind a NAT firewall as long as the client end firewall can understand FTP.
 
Thanks for that, I'll try an active connection without SSL then.

What do you think of the security implications though, that the user wants to access the service over an unencrypted channel? I will use IP filtering of course and they will need to log on with a username and password; they will have read/write access to the server though they should only have access to the directory FileZilla permits.
 
How sensitive is the information? I would say it's no less secure than sending unencrypted emails with sensitive data. If you have IP filtering on the firewall then it will be very hard for an attacker to get to the FTP site directly, or even know it is there.

If you 100% want it encrypted then, as I said, you'll need to try opening up the PASV ports on your firewall (I believe you can usually limit this to a smaller number of ports).
 
It's the user's web site that they're using a content management system on, so I doubt their data is sensitive; however, their username and password are going to be unencrypted and they're not the only user on the web server. Ah well, if IP filtering is going to be enough, that's fine, I'll go with that :)

One other thing though, if I'm using FileZilla server and allowing the user to access it in active mode, I'll have to open a port below and above the FTP port won't I?
 
phykell said:
One other thing though, if I'm using FileZilla server and allowing the user to access it in active mode, I'll have to open a port below and above the FTP port won't I?

Shouldn't have to. With an active connection, the client connects to the server on port 21, then the server connects back to the client from port 20 to a high port on the client. As long as the client-side firewall understands FTP and you're not blocking outgoing on your firewall it should work fine.
 
oddjob62 said:
Shouldn't have to. With an active connection, the client connects to the server on port 21, then the server connects back to the client from port 20 to a high port on the client. As long as the client-side firewall understands FTP and you're not blocking outgoing on your firewall it should work fine.
I'll have to enable the lower port on the firewall (Sonicwall) then to allow access from LAN->WAN. What does worry me now you've said that is about the high port it expects to open. The user has their own firewall and you can bet they won't have any given port open unless specified.

Incidentally, can you suggest anywhere to read up on this? I understood the PASV mode stuff no problem because everything's specified, custom ports, SSL and so on. The active connection seems very different; it's very prescriptive apparently.

Finally, if you liked this thread, I've got a really interesting one to post very soon. It's all about VLANs and layer 3 switches :)
 
phykell said:
I'll have to enable the lower port on the firewall (Sonicwall) then to allow access from LAN->WAN. What does worry me now you've said that is about the high port it expects to open. The user has their own firewall and you can bet they won't have any given port open unless specified.

Incidentally, can you suggest anywhere to read up on this? I understood the PASV mode stuff no problem because everything's specified, custom ports, SSL and so on. The active connection seems very different; it's very prescriptive apparently.

Finally, if you liked this thread, I've got a really interesting one to post very soon. It's all about VLANs and layer 3 switches :)

I'm sure a Google for FTP will throw up plenty of stuff.

When the client establishes the FTP control channel, the client end firewall should watch the FTP comms and see on what port the client has agreed to be listening. It will then automatically open up this port to allow the data stream to establish. Hence why it's the client end firewall that needs to understand FTP.

A quick google... this looks quite good as an explanation of FTP http://slacksite.com/other/ftp.html
 
phykell said:
I understood the PASV mode stuff no problem because everything's specified, custom ports, SSL and so on. The active connection seems very different; it's very prescriptive apparently.
They're different in that the data transfer for active is done through a connection established by the server to the client and passive by the client to the server.
As oddjob62 posted, server and client firewalls that support FTP will watch the command connection and allow whichever ports are passed between the two. A firewall will also modify the PORT command or PASV response address if NAT is being used.
This assumes you use the default FTP command port of 21. You decided to use a custom port and SSL so no way will any firewall see the FTP commands. In this case, passive mode is generally used because, as far as the client end is concerned, it's easier to allow outgoing connections than allowing multiple incoming server connections, which is what active mode requires.

It should have worked. At the server end you port map whatever FTP command port and port range for the data transfer is used, to your server IP address. You also configure the PASV response to be your WAN address, otherwise it will be your server private IP address.
All the client end has to do is allow the command port and transfer port range out. The client firewall will simply see the passive data connection as a new connection out.
 
OK, I've got it I think. That link was a very concise explanation as well :)

One thing from the link that does bother me is this:

"active FTP will not function when used in conjunction with a client-side NAT (Network Address Translation) device which is not smart enough to alter the IP address info in FTP packets"

I don't know what the user's firewall is and judging by their inability to get PASV mode working from their side, it doesn't look like they have a good understanding of its configuration either. If anything, by providing PASV mode, I'm catering for clients IMO and I just hope I can persuade the user of that fact.
 
If you want to setup a test account I don't mind trying it out.

I've got a fairly decent firewall ZyXel which will allow ftp but not the extra PASV ports.

Might be worth a shot.
 