Why am I having a problem when FTPing through my NetMAX FireWall?
Applies to:
  • All Linux versions of NetMAX
  • IPChains is specific to NetMAX 2.x - 3.x.
  • NetMAX 4.0x uses IPTables

If you are unfamiliar with FTP (File Transfer Protocol), and specifically with the difference between Active FTP and Passive FTP, we suggest that you first read:
Active FTP vs. Passive FTP, a Definitive Explanation

If you have read and understood that document and want a better explanation of how it relates to the NetMAX firewall, please see below. Note that IPChains firewall rules only apply to NetMAX 3.x. NetMAX 4.x uses IPTables instead. The idea is the same, but the implementation is different, so interpret the rules below according to the version you are using.

This article is not meant to be an all inclusive explanation of the FTP protocol as covered in RFC 959, but rather, this is a general document explaining the typical use of FTP.

Active FTP

A normal (active) FTP session typically starts with an FTP client initiating the control connection from a high numbered port to TCP port 21 of the FTP server.

All commands and replies are sent over this control connection.

When a file is requested, the FTP server initiates a data connection from the adjacent port (its default data port, TCP port 20) to the FTP client on the data port.

By default, the data port of the FTP client is the same high numbered port that the control connection originated from.

This data connection is used for transferring files, which includes the ASCII transfer of directory listings.

So, before sending a request for a file transfer, the FTP client starts listening on this port for the data connection.

                ------------                -------------
                |          |  FTP Commands  |           |
                |   FTP    | -------------> |    FTP    |
                |  CLIENT  |   FTP Replies  |  SERVER   |
                |          |                |           |
                |          |      Data      |           |
                |          | <------------- |           |
                |          |   Connection   |           |
                ------------                -------------

Upon file transfer completion the data connection closes, and a new one is created for every additional file transfer.

The FTP client can tell the FTP server to connect to a data port other than the default by issuing a PORT command. Many FTP clients nowadays issue a PORT command automatically in order to specify which port the data connection should go to.

Passive FTP

In passive mode FTP, the FTP client sends the PASV command, which tells the FTP server to listen for a data connection instead of initiating one. However, the PASV command also results in a request for the FTP server to specify a different default data port.

So if the PASV command is used, it's possible for the data connection to be initiated from a different high numbered port on the FTP client to a different high numbered port on the FTP server.

                ------------                -------------
                |          |  FTP Commands  |           |
                |   FTP    | -------------> |    FTP    |
                |  CLIENT  |   FTP Replies  |  SERVER   |
                |          |                |           |
                |          |      Data      |           |
                |          | -------------> |           |
                |          |   Connection   |           |
                ------------                -------------

FTP Clients behind the firewall.

So, when using a packet filtering firewall (such as NetMAX FireWall), the following rules must be added to allow FTP clients behind the firewall to access FTP servers on the external network (Internet):

Action  Type  From Address  Mask  Port        To Address  Mask  Port        Direction  SYN  Notes
------  ----  ------------  ----  ----------  ----------  ----  ----------  ---------  ---  -----
accept  tcp   Network IP    -     1025-65535  any         -     21          output     -    Allow control traffic/connection out
accept  tcp   Network IP    -     1025-65535  any         -     20          output     -    Allow data traffic out
deny    tcp   any           -     21          Network IP  -     1025-65535  input      Y    Block incoming connections with control source port
accept  tcp   any           -     21          Network IP  -     1025-65535  input      -    Allow control traffic in
deny    tcp   any           -     -           Network IP  -     6000-6009   input      -    Protect Xwindows ports
accept  tcp   any           -     20          Network IP  -     1025-65535  input      -    Allow data traffic in

(A "-" means the field is left unset and matches anything; "Y" in the SYN column means the rule applies only to packets with the SYN flag set, i.e. connection attempts.)

If using passive mode (which is more secure), you would need the following rules:

Action  Type  From Address  Mask  Port        To Address  Mask  Port        Direction  SYN  Notes
------  ----  ------------  ----  ----------  ----------  ----  ----------  ---------  ---  -----
accept  tcp   Network IP    -     1025-65535  any         -     21          output     -    Allow control traffic out
accept  tcp   Network IP    -     1025-65535  any         -     1025-65535  output     -    Allow data traffic/connection out
deny    tcp   any           -     -           Network IP  -     1025-65535  input      Y    Block incoming connections
accept  tcp   any           -     1025-65535  Network IP  -     1025-65535  input      -    Allow control/data traffic in

We assume here that you have more than one FTP client behind your firewall. If you only have one, you can specify an IP address instead of using "Network IP" (for additional security).

Of course, when you're doing IP NAT (Network Address Translation) on your NetMAX FireWall, it's a completely different story. If your FTP client is behind the NAT, you need to use passive mode FTP, because you can't realistically set up a port forwarding rule to allow the FTP server to make the data connection in through the NAT to an unknown high numbered port.

And even if you're doing passive mode FTP, you'll have to keep your FTP transfers short: IP masquerading connections time out after 15 minutes by default if there is no activity on them, so the control connection will time out before the data connection has finished transferring the file, which effectively kills your transfer.

So, if you keep your FTP transfers under 15 minutes and use passive mode, you should be able to use the following rules to allow FTP through your NAT and packet filtered firewall.

Action  Type  From Address  Mask  Port        To Address  Mask  Port        Direction  SYN  Notes
------  ----  ------------  ----  ----------  ----------  ----  ----------  ---------  ---  -----
accept  tcp   Network IP    -     1025-65535  any         -     21          output     -    Allow control traffic out
accept  tcp   Network IP    -     1025-65535  any         -     1025-65535  output     -    Allow data traffic/connection out
deny    tcp   any           -     -           Network IP  -     1025-65535  input      Y    Block incoming connections
accept  tcp   any           -     1025-65535  Network IP  -     1025-65535  input      -    Allow control/data traffic in

FTP Server behind the firewall.

If you have your FTP server behind a packet filtering firewall (such as NetMAX FireWall), you will need the following rules to allow FTP transfers through the firewall:

Action  Type  From Address  Mask  Port        To Address  Mask  Port        Direction  SYN  Notes
------  ----  ------------  ----  ----------  ----------  ----  ----------  ---------  ---  -----
accept  tcp   Network IP    -     21          any         -     1025-65535  output     -    Allow control traffic out
accept  tcp   Network IP    -     20          any         -     1025-65535  output     -    Allow data traffic out
accept  tcp   any           -     1025-65535  Network IP  -     21          input      -    Allow control traffic/connection in
deny    tcp   any           -     -           Network IP  -     20          input      Y    Block incoming connections to data port
accept  tcp   any           -     1025-65535  Network IP  -     20          input      -    Allow data traffic in
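To see what this table actually admits and drops, the following added example (not from the NetMAX documentation) encodes the five rules as a first-match chain, the way IPChains walks them top to bottom, and evaluates sample packets against it. The network 192.0.2.0/24, the host addresses and the packets are constructed; a rule with "Y" in the SYN column is applied only to packets with the SYN flag set.

```python
from ipaddress import ip_address, ip_network

# Constructed: the "Network IP" range behind the firewall.
NETWORK = ip_network("192.0.2.0/24")
HIGH = (1025, 65535)

# One tuple per row of the table above:
# (action, direction, src, sport, dst, dport, syn_only, note)
# src/dst: "net" = Network IP, "any" = any address; a port of None = unset.
# syn_only=True is the "Y" in the SYN column: the rule only looks at SYN packets.
SERVER_RULES = [
    ("accept", "output", "net", 21,   "any", HIGH, False, "Allow control traffic out"),
    ("accept", "output", "net", 20,   "any", HIGH, False, "Allow data traffic out"),
    ("accept", "input",  "any", HIGH, "net", 21,   False, "Allow control traffic/connection in"),
    ("deny",   "input",  "any", None, "net", 20,   True,  "Block incoming connections to data port"),
    ("accept", "input",  "any", HIGH, "net", 20,   False, "Allow data traffic in"),
]

def port_matches(spec, port):
    """spec: None (unset, matches any port), a single port, or a (low, high) range."""
    if spec is None:
        return True
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return port == spec

def addr_matches(spec, addr):
    return spec == "any" or ip_address(addr) in NETWORK

def evaluate(rules, direction, src, sport, dst, dport, syn):
    """Walk the chain top to bottom and return (action, note) of the first match.
    A packet matching nothing falls through to the chain policy, taken as deny here."""
    for action, rdir, rsrc, rsport, rdst, rdport, syn_only, note in rules:
        if rdir != direction or (syn_only and not syn):
            continue
        if (addr_matches(rsrc, src) and port_matches(rsport, sport)
                and addr_matches(rdst, dst) and port_matches(rdport, dport)):
            return action, note
    return "deny", "chain policy"

if __name__ == "__main__":
    server, client = "192.0.2.10", "198.51.100.7"      # constructed hosts
    # Client opens the control connection: SYN to port 21 is accepted.
    print(evaluate(SERVER_RULES, "input", client, 40000, server, 21, True))
    # Someone tries to open a connection *to* port 20: the SYN rule drops it.
    print(evaluate(SERVER_RULES, "input", client, 40000, server, 20, True))
    # The client's ACKs on the server-initiated data connection are allowed in.
    print(evaluate(SERVER_RULES, "input", client, 40000, server, 20, False))
```

The order matters: swapping the last two rows would let a connection attempt to port 20 through, because the accept row would match the SYN packet first.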

To allow for passive mode FTP, you would also need the following rules (which are not recommended, because they open up your firewall for access to high numbered ports):

Action  Type  From Address  Mask  Port        To Address  Mask  Port        Direction  SYN  Notes
------  ----  ------------  ----  ----------  ----------  ----  ----------  ---------  ---  -----
accept  tcp   Network IP    -     1025-65535  any         -     1025-65535  output     -    Allow data traffic out
deny    tcp   any           -     -           Network IP  -     6000-6009   input      -    Protect Xwindows ports
accept  tcp   any           -     1025-65535  Network IP  -     1025-65535  input      -    Allow data traffic/connection in

We assume here that you have more than one FTP server behind your firewall. If you only have one, you can specify the IP address, instead of using "Network IP" (for additional security).

Of course, when you're doing IP NAT (Network Address Translation) on your NetMAX FireWall, it's a completely different story. If your FTP server is behind the NAT, you need to use normal (active) mode FTP, because you can't realistically set up a port forwarding rule to allow the FTP client to make the data connection in through the NAT to an unknown high numbered port. You also need to set up port forwarding (Traffic Rerouting on your NetMAX FireWall Suite) to forward TCP port 21 to your FTP server.

And even if you're doing normal mode FTP, you'll have to keep your FTP transfers short: IP masquerading connections time out after 15 minutes by default if there is no activity on them, so the control connection will time out before the data connection has finished transferring the file, which effectively kills your transfer.

Adjusting the TCP timeout for your NAT:

One way to help the situation when doing FTP through a NAT is to adjust the timeouts of your IP masquerading.

From the command line, you can type the following:

ipchains -M -S 7200 10 160

Where 7200 is the TCP timeout in seconds (120 minutes) for established connections, 10 is the TCP timeout in seconds after a FIN has been seen, and 160 is the UDP timeout in seconds.

Also, you can enable hash marks in your FTP client, if it supports it.

ip_masq_ftp Kernel Module:

L2.2Pv3.x of the NetMAX FireWall comes with the ip_masq_ftp kernel module installed, which "fixes" the problems with having an FTP client behind an IP NAT. This module is a work around for the limitations of IP NAT and FTP.

  • It checks incoming packets for replies to outgoing PASV commands. If it sees one, it sets up a new masquerade entry for the outgoing data connection rather than letting the normal ip_masq logic set up the entry when the first data packet is sent. It does this just so it can set a special pointer in the data connection entry pointing at the control connection entry. The ip_masq code uses this pointer to reset the timeout for the control connection when there is activity on the data connection. This prevents the control connection from being deleted during a long data transfer.
  • It checks outgoing packets for PORT commands, which mean the masqueraded client is telling the external server to open a data connection. If it sees one, it sets up a new masquerade entry as if the connection were being opened from the masq side, and re-writes the PORT command packet to specify the masq box's IP address and the selected masq port number. That way the incoming data packet will look like a reply to a previous outgoing packet, and the ip_masq code will know what to do with it. And of course the new entry for the data connection is linked to the control connection so it will be kept alive.
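As an added illustration of the two checks just described (and of the PORT/PASV address format from the Active and Passive FTP sections above), here is a small Python rendering of the helper's logic. It is not the ip_masq_ftp module's code; the masq address 203.0.113.1, the masq port, the client address and the sample control-connection lines are all constructed.

```python
import re

MASQ_ADDR = "203.0.113.1"   # constructed: the NAT box's external (masq) address
HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 form that PORT and the 227 reply use (RFC 959)."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None                    # malformed; leave the packet alone
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def data_conn_from_pasv_reply(reply, client):
    """Check 1: an incoming 227 reply means the masqueraded client is about to
    connect out to (server_ip, port). Return (client, (server_ip, port)) so a
    masquerade entry can be created now and linked to the control connection."""
    if not reply.startswith("227"):
        return None
    target = parse_hostport(reply)
    return (client, target) if target else None

def rewrite_port_command(line, masq_port):
    """Check 2: an outgoing PORT carries the client's private address. Replace it
    with the masq box's address and a port the NAT owns, so the server's data
    connection arrives at the NAT and looks like a reply to this entry.
    Returns (rewritten_line, (client_ip, client_port)) or None if not a PORT."""
    if not line.upper().startswith("PORT "):
        return None
    orig = parse_hostport(line)
    if orig is None:
        return None
    octets = MASQ_ADDR.split(".") + [str(masq_port // 256), str(masq_port % 256)]
    return "PORT " + ",".join(octets) + "\r\n", orig

if __name__ == "__main__":
    # Constructed samples: a server's 227 reply and a private client's PORT command.
    print(data_conn_from_pasv_reply("227 Entering Passive Mode (198,51,100,7,195,80).", "192.168.1.5"))
    print(rewrite_port_command("PORT 192,168,1,5,4,1\r\n", 61001))
```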

Limitations of ip_masq_ftp:

  • Your FTP client can't use the default data port, but must instead use the PORT command to specify a different data port when doing active mode FTP.
  • Only works when connecting to FTP servers on the standard port 21.
  • It is not symmetric: it only helps if the FTP client is behind the NAT, not if the FTP server is behind the NAT.

Notes:

The firewall rules in this article are not the only ones that will work, but they are very restrictive rules that still allow the proper traffic to pass through.

If you want to connect to an FTP site by its domain name instead of by its IP address, you may also need to open up DNS ports. This article is not intended to cover DNS.

The ip_masq_ftp kernel module comes with the L2.2Pv2.2 product as well, but is not installed by default. To install it, you need to edit the /etc/rc.d/rc.sysinit file, and add the following lines above the other modprobe commands:

# Insert ip_masq_ftp so that passive mode for a ftp client is not needed.
modprobe ip_masq_ftp

So your rc.sysinit file should now look like this:

<--SNIP-->
        fi
fi

# Insert ip_masq_ftp so that passive mode for a ftp client is not needed.
modprobe ip_masq_ftp

# Probe for a IBMPC parallel port
modprobe parport_pc 2>/dev/null
modprobe lp 2>/dev/null

<--SNIP-->

Update: The 4.0 and 4.01 versions of NetMAX use the Linux 2.4 kernel and netfilter. The modules to enable this are slightly different, and are also not installed by default.

modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

The above two lines can be added to the /etc/rc.firewall.local script to run after each firewall commit and reboot.

NetMAX 4.02 enables these modules by default, if you have IP NAT enabled on an interface under Home|Network|Interfaces.

These modules add packet editors to your TCP stack, so that each TCP packet is scanned for FTP PORT commands, which can then be rewritten and tracked. It is recommended that you don't enable these modules unless you are doing NAT and active mode FTP is required, as they cause a slightly higher CPU load.

Sources:

ip_masq_ftp Release Notes, RFC 959

This document is: http://www.netmax.org/cgi-bin/fom.cgi?file=223
This FAQ administered by ...Cybernet Systems Corp.