
FTP Firewall Rules 1

Status
Not open for further replies.

Grenage

MIS
Jun 7, 2002
4,378
GB
Hi, basically we have a NAT firewall on an ADSL connection that goes into our hubs and across the network. I spent some time and am pretty confident that the ruleset is correct. We haven't been experiencing any problems except that we just can't download off FTP sites.

I thought that perhaps it was NAT, so I disabled the firewall rules and the FTP worked, so I can rule that out. I have changed the rules many times regarding FTP but haven't had much luck; I'm not the most knowledgeable person when it comes to port/IP workings, unfortunately.

Nothing that I've read refers to anything other than ports 20/21 for FTP, and I was wondering if anyone might have had this problem before, or if not, maybe post the rule they use to allow FTP through?

I have all my rules saying what can go through at the start, with a deny all in/out last of all.

Thanks for any help you might be able to give.
 
If you are doing direct NAT, either through Linux or a router, you don't need to worry about FTP unless you are providing the service yourself...

However, if you want to access FTP sites, NAT will allow for masquerading of all outgoing connections... First thing to do is tell us what you're using for NAT: Linux, Cisco or otherwise.

 
Thanks for replying.

It's a Vigor router. It works fine unless I have my firewall rules enabled, so I am pretty sure it's not the NAT that's a problem.
 
Does the firewall proxy the traffic? If so, does the proxy require authentication?

If not, you need to create a rule that says something like:

Protocol: TCP
Port: 21
Outbound: Enabled and allowed
From: Trusted (LAN IP scope)
To: Any

Note: Make sure that port 21 isn't on a blocked port list anywhere or listed as explicitly denied anywhere above this rule in priority.
 
Hi :)

Just to make things clear, the FTP sites we try to access are external ones (ftp.HP.com for example).

Just to check things I set rules such as:

Allow:
20 -> 21 OUT
21 -> 20 OUT
20 -> 21 IN
21 -> 20 IN
 
I'm sorry I don't really know what you mean by Proxying it.
 
Grenage,

Sorry to hear you are still experiencing FTP problems.

Is this the same issue you posted about in June?
Can you post a bit of the exchange between the server and the client?
What FTP client software are you using?
Is it PORT/Active or PASV/Passive mode?

Remember

In Active mode:

client establishes connection ---> FTP server
server responds <--- on same connection
server transfers <--- to client on port specified by client

In PASV mode:

client establishes connection ---> FTP server
server responds <--- on same connection
client initiates transfer ---> from server on port specified by server

This link may be helpful.

Good luck.
The Old Man
 
Hi, good memory and thanks for responding.

Using just IE to download, from web sites and such.

I have double checked the firewall rules and below is what it allows through for FTP.

Accept anything coming in that comes from ports 20/21 and is going to ports 20/21.
Accept anything going out that comes from ports 20/21 and is going to ports 20/21.
Accept anything coming in that comes from ports 20/21 and is going to ports >1023
Accept anything going out that comes from ports >1023 and is going to ports 20/21

I had a look at the firewall logs and got this when I attempted to download from an FTP again:

PR tcp len 20 48 -S 4277655467 0 16384 OUT
07:52:46.140 lan @0:11 b 192.168.100.166,1435 -> 192.6.234.9,42977

On viewing the above, do I want to setup something like:

Accept anything going out that comes from ports >1023 and is going to ports >1023

Being in the workplace I obviously want to keep security pretty tight, and is the reason I havent just opened it all up.

Thanks for responding and hope the above info is what you asked for.
 
You have port 21 open inbound to all connections; that is a hole in your firewall. If you allow all traffic in and all traffic out on all ports from any source, does it work?
 
Hi,

Yes, if I allow all connections I am able to access FTP servers fine. When I put them back up, everything but FTP works.

Do you have any idea what sort of standard rule might be used on a firewall to access FTP servers?

Thanks for replying.
 
Grenage,

I did a little further reading and did some "sniffing". Here's what I found.

Ports 20 and 21 are the typical ports used for FTP but that is on the SERVER side. What actually happens at the client [what you would need to allow for in your firewall] does not really use ports 20 and 21.

Most browsers use PASV mode. IE6 allows you to choose the mode but it does not appear to be reliable. Best choice is to always assume it is PASV mode and, where possible, choose that setting in the browser anyway.

Remember that TCP communication is connection oriented so there is a source and destination port.

Here's what happens in a client/browser attempting to use PASV mode with an FTP server:

Client opens a random port > 1024 and attempts to connect with server port 21.
Server responds to same client port > 1024 with the random port number on which the server will be listening for data connection.
Client opens port > 1024 + 1 and attempts to connect with server on random port specified by server.

I have to cut this short right now, but I verified this behavior with a sniffer. I will get back to this re firewall rules.

Hope that helps.
The Old Man
 
Grenage,

Try the following for your firewall:

Accept anything out from port > 1024 to remote port 21
Accept anything in from remote port 21 to port > 1024


The above set will permit the establishment of connection to an FTP server under either PORT or PASV mode.

Accept anything in from remote port 20 to port > 1024
Accept anything out from port > 1024 to remote port 20


The above set will permit file transfer in PORT mode.

Accept anything out from port > 1024 to remote port > 1024

The above will permit file transfer in PASV mode.

I may be way off since I am not all THAT familiar with firewalls, but it is worth a shot.

Also, I just found out that if you use the FTP Folder View in IE, it forces IE into PORT mode regardless of the setting to use PASV mode. See the link:

Good luck.
The Old Man
 
Thanks very much that makes things clearer, I will try those rules out.

I was always a bit apprehensive regarding opening wide port ranges such as "accept all >1023 to >1023" from a security point of view; standing back a bit, though, it has to be the only way to get it to function.

Thanks a lot for your help, very much appreciated.
 
You can narrow that port range slightly if you are that concerned about it. Windows will only assign the ephemeral ports 1024-5000 for outgoing connections. There is no need to allow anything over 5000 on a web or ftp or telnet sessions. There are other protocols that require ephemeral ports >5000 to be opened, but as a general rule, if the protocol doesn't require it, your OS will not assign it.

pansophic
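The PASV and PORT flows The Old Man describes above, checked against the three rule sets in this thread (Grenage's original set, The Old Man's proposed set, and the set with pansophic's narrowed ephemeral range). This is an added example, not code from the thread or from the Vigor router. It assumes a connection-tracking firewall, so a rule only has to permit the side that opens each connection (the thread does not say how the Vigor evaluates replies), and the 227 reply it uses is constructed so that the data port matches the blocked 1435 -> 42977 SYN in Grenage's log.

```python
"""Model of the FTP firewall rule sets discussed in this thread (added example).

Assumption: the firewall tracks connections, so a rule only has to permit the
side that opens the connection (the SYN); replies on an accepted connection are
passed automatically.  A purely stateless packet filter would also need the
mirror-image rules for the return packets.
"""
import re
from dataclasses import dataclass

# RFC 959 encodes host and port as h1,h2,h3,h4,p1,p2 in both the client's PORT
# command and the server's "227 Entering Passive Mode (...)" reply; port = p1*256 + p2.
_HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_hostport(text):
    """Return (ip, port) from a PORT command or a 227 reply."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in %r" % text)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


@dataclass(frozen=True)
class Conn:
    """A connection attempt seen from the LAN side of the firewall."""
    direction: str   # "OUT": a LAN host opens it; "IN": a remote host opens it
    local_port: int
    remote_port: int


@dataclass(frozen=True)
class Rule:
    direction: str
    local: range     # permitted LAN-side ports
    remote: range    # permitted remote ports

    def matches(self, c):
        return (c.direction == self.direction
                and c.local_port in self.local and c.remote_port in self.remote)


HIGH = range(1024, 65536)   # "> 1023" in the thread
FTP = range(20, 22)         # ports 20 and 21

# Grenage's rule set as posted (anything unmatched hits the final deny).
ORIGINAL_RULES = [
    Rule("IN", FTP, FTP),
    Rule("OUT", FTP, FTP),
    Rule("IN", HIGH, FTP),
    Rule("OUT", HIGH, FTP),
]

# The Old Man's proposed rule set.
PROPOSED_RULES = [
    Rule("OUT", HIGH, range(21, 22)),
    Rule("IN", HIGH, range(21, 22)),
    Rule("IN", HIGH, range(20, 21)),
    Rule("OUT", HIGH, range(20, 21)),
    Rule("OUT", HIGH, HIGH),          # the PASV data connection
]


def narrowed(rules, local=range(1024, 5001)):
    """pansophic's refinement: shrink only the LAN side's ephemeral range.

    The remote side of the PASV rule stays wide because the server, not the
    client, chooses the data port."""
    return [Rule(r.direction, local if r.local == HIGH else r.local, r.remote)
            for r in rules]


def permitted(rules, conn):
    return any(r.matches(conn) for r in rules)


def pasv_session(ctrl_port, pasv_reply):
    """PASV: client opens control to 21, then data to the port in the 227 reply
    (the next ephemeral port in this constructed session)."""
    _, data_port = parse_hostport(pasv_reply)
    return [Conn("OUT", ctrl_port, 21), Conn("OUT", ctrl_port + 1, data_port)]


def port_session(ctrl_port, port_cmd):
    """PORT: client opens control to 21; the server connects back from port 20
    to the port the client named in its PORT command."""
    _, data_port = parse_hostport(port_cmd)
    return [Conn("OUT", ctrl_port, 21), Conn("IN", data_port, 20)]


def blocked(rules, conns):
    return [c for c in conns if not permitted(rules, c)]


if __name__ == "__main__":
    # Constructed 227 reply reproducing the blocked SYN in the thread's log line
    # (192.168.100.166,1435 -> 192.6.234.9,42977): 167*256 + 225 == 42977.
    reply = "227 Entering Passive Mode (192,6,234,9,167,225)"
    for name, rules in [("original", ORIGINAL_RULES), ("proposed", PROPOSED_RULES),
                        ("narrowed", narrowed(PROPOSED_RULES))]:
        print(name, "blocks:", blocked(rules, pasv_session(1434, reply)))
        # The inbound 21 -> 21 hole pointed out earlier in the thread:
        print(name, "accepts remote:21 -> LAN:21:", permitted(rules, Conn("IN", 21, 21)))
```

Run as a script, it shows that only the original rule set blocks the PASV data connection (the 1435 -> 42977 SYN from the log), and that only the original set lets a remote host connect from port 21 to a LAN host's port 21. On a stateless packet filter the mirror rules for return traffic would be needed as well, and that is where pansophic's narrowing earns its keep: an inbound "remote >1023 -> local 1024-5000" rule exposes far less than "remote >1023 -> local >1023".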
 
Thank you for that, it's working perfectly now, and I have refined the port range like you suggested, pansophic.

This problem has been around for months and it can finally be laid to rest :)
 