Rules for inbound FTP

Discuss and get help configuring CacheGuard Network Firewall
Douglas
Posts: 55
Joined: 15 Feb 2018 12:04

Re: Rules for inbound FTP

Post by Douglas » 21 Feb 2018 11:23

Thanks, that admin access is now deleted.
Awaiting advice on how we solve the passive ports issue, which briefly worked whilst that rule was live.

Douglas
Posts: 55
Joined: 15 Feb 2018 12:04

Re: Rules for inbound FTP

Post by Douglas » 21 Feb 2018 11:45

You may find this useful.
https://wiki.filezilla-project.org/Netw ... ive_mode_2

And this in particular:
"If you do not want to allow incoming connections on all ports, or if you have a NAT router, you need to tell FileZilla Server to use a specific range of ports for passive mode connections. You will have to open these ports in your firewall. If you have a NAT router, you need to forward these ports to the local machine FileZilla Server is installed on. Depending on your router model, you can either forward a range of ports or you need to forward all ports individually.

Valid ports can be from 1 to 65535, however ports less than 1024 are reserved for other protocols. It is best to choose ports >= 50000 for passive mode FTP. Due to the nature of TCP (the underlying transport protocol), a port cannot be reused immediately after each connection. Hence the range of ports should not be too small or transfers of multiple small files can fail. A range of 50 ports should be sufficient in most cases. "

david
Posts: 157
Joined: 08 Aug 2015 20:38

Re: Rules for inbound FTP

Post by david » 21 Feb 2018 14:21

Thank you for sharing that FileZilla page with us. Active and passive FTP are quite complex protocols and when I forget the way that they work, I always consult the following explanation: http://slacksite.com/other/ftp.html. I hope that it could help our readers.

It's likely that your FTP server (FileZilla FTP Server?) implements the FTP protocol slightly differently compared to the FTP server that we use in our lab (Linux vsftpd v3.0.3). That may explain why our proposed firewall rules work in our lab but not in your environment.

In this case we can explicitly open passive FTP ports used by your FTP server (5000-5100?). What happens then if you implement the following rules:

firewall external add FixPassiveFTP21 allow tcp any rweb any 21 nil 10.0.10.11
firewall external add FixPassiveFTP990 allow tcp any rweb any 990 nil 10.0.10.11
firewall external add DynPassiveFTP allow tcp any rweb any 5000:5100 nil 10.0.10.11

BR,
David Jan
CacheGuard Technical Team
https://www.cacheguard.com

Douglas
Posts: 55
Joined: 15 Feb 2018 12:04

Re: Rules for inbound FTP

Post by Douglas » 21 Feb 2018 15:36

Success, thank you :D

david
Posts: 157
Joined: 08 Aug 2015 20:38

Re: Rules for inbound FTP

Post by david » 21 Feb 2018 16:31

Hi,

You are very welcome! However, I just tested your configuration in my lab using a FileZilla FTP Server v0.9.60 beta (instead of a vsftpd server) and the firewall rule based on the CG protocol called ftp_passive works very well. Can you please let me know which version of FileZilla FTP Server you use?

BR,
David Jan
CacheGuard Technical Team
https://www.cacheguard.com

Douglas
Posts: 55
Joined: 15 Feb 2018 12:04

Re: Rules for inbound FTP

Post by Douglas » 21 Feb 2018 17:47

Could that be because your example is within the RFC range, whilst mine and FileZilla's is above i.e. add a zero?
I've not had time to change mine to see if that is the reason, but it would be good for us all to know.

david
Posts: 157
Joined: 08 Aug 2015 20:38

Re: Rules for inbound FTP

Post by david » 28 Feb 2018 09:49

I don't think so. Below is an extract from RFC 6056 (https://tools.ietf.org/html/rfc6056):
2.1. Traditional Ephemeral Port Range

The Internet Assigned Numbers Authority (IANA) assigns the unique parameters and values used in protocols developed by the Internet Engineering Task Force (IETF), including well-known ports [IANA]. IANA has reserved the following use of the 16-bit port range of TCP and UDP:

- The Well-Known Ports, 0 through 1023.
- The Registered Ports, 1024 through 49151
- The Dynamic and/or Private Ports, 49152 through 65535

The dynamic port range defined by IANA consists of the 49152-65535 range, and is meant for the selection of ephemeral ports.
The answer lies in the following question: should we consider FTP passive ports as dynamic or as registered? I have also observed that registered ports are sometimes used by clients under Linux. I can't explain that and I think that the discussion around this subject goes beyond the scope of this forum.

Best Regards,
David Jan
CacheGuard Technical Team
https://www.cacheguard.com

Douglas
Posts: 55
Joined: 15 Feb 2018 12:04

Re: Rules for inbound FTP

Post by Douglas » 28 Feb 2018 12:20

Thanks & agreed.

charles
Site Admin
Posts: 41
Joined: 06 Nov 2014 16:23
Location: Paris

Re: Rules for inbound FTP

Post by charles » 09 Mar 2018 15:05

Hi,

We are pleased to announce that we have just released CacheGuard-OS version EH-1.3.6. This new release fixes the bug that prevented using CG's IP addresses as the destination IP in firewall rules. Therefore, you can safely replace the previously mentioned firewall rules with the following rules:

firewall external add FixPassiveFTP21 allow tcp any rweb 192.168.155.1 21 nil 10.0.10.11
firewall external add FixPassiveFTP990 allow tcp any rweb 192.168.155.1 990 nil 10.0.10.11
firewall external add DynPassiveFTP allow tcp any rweb 192.168.155.1 5000:5100 nil 10.0.10.11

As you can see, any has been replaced by CG's external IP address (192.168.155.1).

Best Regards,
Charles Tajvidi
IT Technical Architect
http://www.cacheguard.com
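The problem this thread circles around is a mismatch between two port ranges: the passive range the FTP server advertises in its 227 reply and the range the firewall actually forwards (5000:5100 in David's and Charles's rules above, while FileZilla's documentation suggests ports at or above 50000). The script below is an added example, not CacheGuard's or FileZilla's code: it parses the rule lines quoted in this thread, decodes a PASV reply, and reports whether the advertised data port would be forwarded. The positional meaning of the rule fields (source, zone, destination IP, port or port range, NAT target) is an assumption, as are the sample PASV replies, which are constructed.

```python
"""Check whether a passive-FTP data port advertised by the server falls inside
the port range that the firewall forwards.

Added example for this thread, not CacheGuard's own tooling. The rule syntax
is copied from the posts above; the positional meaning of the fields is an
assumption (see parse_rule).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed rule set, copied from the rules quoted in the thread.
RULES = [
    "firewall external add FixPassiveFTP21 allow tcp any rweb 192.168.155.1 21 nil 10.0.10.11",
    "firewall external add FixPassiveFTP990 allow tcp any rweb 192.168.155.1 990 nil 10.0.10.11",
    "firewall external add DynPassiveFTP allow tcp any rweb 192.168.155.1 5000:5100 nil 10.0.10.11",
]


@dataclass
class Rule:
    name: str
    action: str
    proto: str
    dst_ip: str      # "any" or the CG external IP
    port_lo: int
    port_hi: int
    nat_to: str      # internal FTP server the traffic is forwarded to (assumed meaning)


def parse_rule(line: str) -> Rule:
    """Parse one 'firewall external add ...' line.

    Assumed field layout (not documented on the page):
      firewall external add NAME ACTION PROTO SRC ZONE DST PORT[:PORT] nil NAT_TARGET
    """
    fields = line.split()
    if len(fields) != 12 or fields[:3] != ["firewall", "external", "add"]:
        raise ValueError(f"unexpected rule format: {line!r}")
    name, action, proto, _src, _zone, dst_ip, port_spec, _, nat_to = fields[3:]
    lo, _, hi = port_spec.partition(":")
    port_lo = int(lo)
    port_hi = int(hi) if hi else port_lo
    if not 1 <= port_lo <= port_hi <= 65535:
        raise ValueError(f"invalid port range in rule {name}: {port_spec}")
    return Rule(name, action, proto, dst_ip, port_lo, port_hi, nat_to)


# '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)': data port is p1*256 + p2.
PASV_RE = re.compile(r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Decode a PASV reply into (ip, port), rejecting malformed octets."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = octets
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return f"{h1}.{h2}.{h3}.{h4}", port


def matching_rule(rules: List[Rule], dst_ip: str, port: int, proto: str = "tcp") -> Optional[Rule]:
    """First allow rule whose destination and port range cover the data connection."""
    for r in rules:
        if (r.action == "allow" and r.proto == proto
                and r.dst_ip in ("any", dst_ip)
                and r.port_lo <= port <= r.port_hi):
            return r
    return None


def check_passive_reply(reply: str, rule_lines: List[str] = RULES) -> dict:
    """Report whether the data port the server just advertised would be forwarded."""
    rules = [parse_rule(line) for line in rule_lines]
    ip, port = parse_pasv(reply)
    rule = matching_rule(rules, ip, port)
    return {"ip": ip, "port": port, "allowed": rule is not None,
            "rule": rule.name if rule else None}


if __name__ == "__main__":
    # Constructed replies: the first lands in 5000:5100, the second uses the
    # >= 50000 range FileZilla recommends, which the rule above does not cover.
    for reply in ("227 Entering Passive Mode (192,168,155,1,19,136)",
                  "227 Entering Passive Mode (192,168,155,1,195,80)"):
        print(reply, "->", check_passive_reply(reply))
```

Run it against the 227 reply captured from your own server's control channel (or the range configured in the FTP server's passive settings) and the output tells you immediately whether the firewall's DynPassiveFTP range and the server's passive range agree; when they do not, either the server's range or the rule's port span has to change, and the two values must stay identical afterwards.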
