How to: Make a PASV FTP client Work behind a "block all" firewall

[sky-knight]

This question has come up many times on these forums. And the difficulties surrounding making this work stem from two things.

1.) UT doesn't have a firewall helper application built into its firewall
2.) FTP as a protocol is simply a pain and was never designed for NAT, Firewalling, or any security whatsoever.

So that said, we need it otherwise we can't get drivers from HP or download from a myriad other places. And, we're wanting to control our outbound connections dictating the default block all policy.

So how do we make this work? First we need to find the IP addresses of the FTP server we want to access.

Keeping HP as an example:
1.) Open a command prompt
2.) type in "nslookup ftp.hp.com" <enter>
3.) Write down the list of IP's

Nslookup returns 2 IP addresses for ftp.hp.com, 15.216.110.22, 15.192.45.21

Now that we have the IP addresses we need to allow FTP access to, we need to configure the firewall module. I have not been successful getting UT's firewall to allow more than one IP address in the destination field, nor have I been able to feed the destination port field multiple values. So, for each server we want to allow FTP to, we have to specify 2 rules. We have 2 IP's up there so we need a total of 4. Now, the rules will be the same, just with different destination IP addresses.

So the first rule is the one everyone gets the first time.
Enable Rule: Checked
Log: Checked or UnChecked (admin preference)
Traffic Type: TCP
Client Interface: Wherever the ftp client is connected to UT usually Internal
Server Interface: External
Source Address: Any
Destination Address: 15.216.110.22
Source Port: Any
Destination Port: 21
Category: FTP
Description: Pass FTP Control to HP #1

The second rule is the hangup for most people.
Enable Rule: Checked
Log: Checked or UnChecked (admin preference)
Traffic Type: TCP
Client Interface: Wherever the ftp client is connected to UT usually Internal
Server Interface: External
Source Address: Any
Destination Address: 15.216.110.22
Source Port: Any
Destination Port: 1024-65534
Category: FTP
Description: Pass FTP Data to HP #1

Now duplicate these rules and swap out the destination IP address with 15.192.45.21. Click Save and go download an HP printer driver. These rules may be duplicated for any number of FTP servers but you have to specify each and every FTP server individually.

"Block All" as a default policy is a very high maintenance decision. This is one of the many reasons why. This is also one of the reasons why UTM's like UT exist, to bring network security forward into something more sane to manage.

[dmorris]

nice write up!

a ftp helper in the firewall is a planned enhancement, which should help eliminate some (but not all) of the ftp pains...

[sky-knight]

For anyone that is interested in the "why" of things I will post a rundown of how the FTP protocol establishes connections and transfers files.

So the part everyone gets really quick is that FTP runs on port 21. What this means is the FTP client software initiates a connection from a random port greater than 1024 to the FTP server's port 21 using the TCP protocol. This connection is used to pass FTP commands to the server and does no data transmission, the data is transferred on a second connection. How that data is transmitted depends on the following.

First, there are two modes involved with FTP.

Active, and PASV

These modes are specified by the client when it initiates a data connection, using the port, and pasv commands respectively.

Now, Active mode FTP is an older method of access and is more secure for the FTP server. The FTP client will choose a random high port and pass that port number to the FTP server via the port command. This tells the server to initiate a connection to the client on that high numbered port. Now, this is also where the "port 20" comes into play. The server will upon receiving the port command fire a connection from port 20 to that random high port on the client using the TCP protocol. Incidentally, the port isn't actually "20" it's "n-1" so if the server runs on port 21 the port is 20, if the server runs on port 2121 the port is 2120, gotta love RFCs!

Now, there is a massive problem here. What happens if you have a NAT router in front of the client? The connection comes from the server hits the router and fails, Active FTP is not possible unless the client configures their FTP software to limit the port range and the entire range is forwarded to the IP of the client. Because of the prevalence of NAT in networks this isn't very practical.

So, later in FTP's life we came up with PASV mode FTP. This method is more secure for the client, because it doesn't require forwarding. But, it is less secure for the server, because the server needs a massive port range forwarded to it. However, because servers are generally administered by someone with a clue . And it is far easier in human terms to manage a range to one machine instead of all machines, this mode is basically the only way people do FTP anymore.

But how does it work? The FTP client software is configured to use PASV in it's connection configuration, this is usually the default. When the client wants to establish a data connection it sends the pasv command to the server. The server then responds with a random high port for the client to connect to. Then the client connects from a random high port to the random high port the server specified using the TCP protocol.

Now all is fine in NAT land, because the client did the connecting so our NAT tables are nice and happy and traffic is flowing. But can you spot the problem with this?

How in the world do you create a firewall rule that allows that data session when you have no clue what the source or destination port is? The simple answer is you cant! That is why in the previous post I had you control access to the FTP server by IP address. The only way to allow blanket access to all FTP servers is to allow all clients to connect to all servers on any port greater than 1024. Guess what? You just created a rule to "pass all" why did you "block all" again?

Now, there are other firewall products out there that have an FTP helper. This wonderful bit of software generally lives inside the firewall. Its sole purpose is to monitor all connections outgoing for FTP signatures. After all we can't just look at things going to port 21, there are crazy people out there like me that runs their FTP servers on ports OTHER than 21.

The Control connection of FTP is all clear text, user, password, commands, everything is unencrypted. So it is rather trivial once a connection is make to snoop it and keep an eye on things. So now this Helper application is aware of our connection and it starts looking for that all important PASV command and the even more important reply. Once it sees this information it dynamically creates a temporary firewall rule to allow traffic to go to said random port! Now all the user has to do is put in the single rule for FTP access on port 21 and the firewall does the other for you! Opening and closing the gate automatically!

Again, unfortunately UT doesn't have this feature, perhaps in the future it will. In the meantime if you want to use a default block policy you have to secure by IP.

[zay]

I might be out of my league here, but what if you put a computer in a DMZ, use if as a ftp server, and create a rule to allow all to pass to it. Or maybe allow to pass from a wide port range (and hope it is wide enough) Maybe add filezilla to the plugin and let it do ftp functions. As I said before, I may be at a total lost and might not even know what the heezy for sheezy I am talking about, so feel free to put me in my place.

[masex]

hey Zay
what if you connect via Openvpn client to your network and connect on the server with local ip?
isn't that more easy & Secure?

[zay]

Thanks Masex, but I was trying to respond to the about not being to able to configure the untangle firewall for FTP. I was making a suggestion hoping or wondering if it was possible to do such a thing. As I mentioned before, I might out of my league on this topic. But from my suggestion, is such a configuration possible or even a good solution to avoid the hit and miss of trying to configure the firewall ports for ftp?

[JordanLCN]

What Sky Night says is true.

However there are new FTP Servers out there that has the capability to assign a Port Range to what the server will tell client to use.

Perfect Example is zFTP. Ipswitch is a good candidate too. Filezilla Server I have not tried but I heard it can do it too (I might be wrong though).

The idea is when the FTP receives the PASV command from the Client. The FTP Server will then send out a Port Range that you defined. Then the client will then connect to the FTP Server using that Port range.

I'm Not sure how to do it on Untangle but the only thing you need to do now is to Open up ports on your Firewall using that port range. You can do this via Port Forward or a extensive packet Filter Rule. Yeah it opens you up a little but the port range need not to be from 1024 - 64xxxx, it can be just say 55430 - 55435 (only 5 open ports).

Now if your really adamant about Security I would then suggest using Encryption. The best one I found is SSH and SSH2. Others TLS, SSL are good but only encrypts the Data Part of the FTP. However the Control signals are still via the visible TCP packets (hence potential listeners can still see what port your going to use). But with SSH and SSH2 both "channels" are encrypted. Only problem is when you are using browsers to open up FTP sites. Not all browsers support SSH so you would now need your "users" to use an FTP Client that hosts SSH (SFTP) or SSH2 (SFTP).

NOTE: When using Encryption. Traffic altering does not work since routers cannot "listen" to the data transfer thus cannot implement traffic auto-routing.

If there are anything erroneous in my post please feel free to Correct it I am always open to better my knowledge.

[sky-knight]

Welcome to the forums and input. There was a recent post that showed how to manually edit the Metabase of IIS to control its pasv port range so now that server is back on the table. If I need FTP I usually end up running GuildFTPd on Windows systems. Yes it's an application and has to be manually started but the darn thing is so stupid easy to get running I can't peel myself away.

[Evil_Bert]

How in the world do you create a firewall rule that allows that data session when you have no clue what the source or destination port is? The simple answer is you cant! That is why in the previous post I had you control access to the FTP server by IP address. The only way to allow blanket access to all FTP servers is to allow all clients to connect to all servers on any port greater than 1024. Guess what? You just created a rule to "pass all" why did you "block all" again?

My own solution to the age-old FTP security problem was to create firewall rules permitting outbound connections to any server on ports 20-21 and any port 1024 or greater (i.e. the "pass all" approach) ... BUT only for one local IP address. So, what's different about that, you say? Well, that FTP-privileged local IP address is not used by any physical machine - it's reserved for a Virtual Machine built expressly for the purpose of using FTP. The VM is built with bridge connection (Host Networking in VirtualBox, if you must know) - so it gets a unique IP - which allows a specific set of firewall rules to be created for that IP ... in the VM, in UT and at the perimeter router/firewall (if present) and in any other devices in the path.

It's not a perfect solution, as it's conceivable that malware or a rogue user could manipulate their source IP address to take advantage of this fact, but that scenario is unlikely - it/he/she has to guess or test IP address ranges for outbound traffic, which is going to show up in logs all over the place, or operate an internal sniffer while you're using FTP - in either case, your network is already badly compromised.

By extension, multiple selected users on a local network could be given FTP access this way, but each would need a VM on their desktop with a unique FTP-privileged IP address (one per VM).

[idof]

I have Untangle 5.3 and I tried all the solution including opening all ports to the FTP server.
And still It is not working.

I cannot do anything besides logging in to the ftp prompt.

I would appropriation any assistance on this

10X
Ido