0

I have some basic questions about FTP with firewalls and NAT, I hope someone could help me :)

I split them up in different scenarios:

Active FTP without NAT

Setup:

Server 1.2.3.4, Default ports; Client 1.2.3.5, ports: 3141 (cmd), 3142 (data)

Client:3141 connects to Server:20

Server:20 responses to Client:3141

Server:21 connects to Client:3142

How is this usually solved in practice? I can think of following possibilities:

  • Client firewall remember that there was a FTP command connection and therefore opens port 3142
  • Client firewall remember that there was a FTP command connection and therefore allows all connections from 1.2.3.4:21 to 1.2.3.5:3142
  • Client firewall allows all connections from x.x.x.x:21 to 1.2.3.5:3142

I assumed in all these solutions, that the client will always use two consecutive ports - is this true?

Active FTP with NAT

Setup:

Server 1.2.3.4 default ports; Client 192.168.0.2, ports 3141, 3142; Router, 1.2.3.5 and 192.168.0.1

Client:3141 connects to 1.2.3.4:20 via 192.168.0.1

Server:20 responses to 1.2.3.5:ARBITRARY - is delivered to 192.168.0.2:3141 since there is SNAT

Server:21 connects to 1.2.3.5:(ARBITRARY+1) - from where does the router knows to whom this packet belongs to?

Passive FTP with NAT

Server is behind Router - from where does the router know, that the packet receiving on an arbitrary port is for the FTP Server? (and therefore, how does the router know not to drop this packet)

And why is Passive FTP using an arbitrary port on server site for the data connection? Why not port 21?

I hope you understand my questions and someone can help me :)

Thank you

user197336
  • 1
  • 1
  • 1
  • 1
    I think the answers will depend in part on the FTP server program used. In the case of ncftpd you can limit "ephemeral" ports to a specific range, then forward that range from the router to the FTP server. – user16081-JoeT Nov 05 '13 at 18:17
  • 2
    `How is this usually solved in practice?` - what do you mean how is this solved? What is the problem? I do not understand your questions. Have you read the wikipedia article on ftp, and looked through the linked RFCs for additional details? – Zoredache Nov 05 '13 at 18:30
  • Questions on Server Fault are expected to be related to [`practical, answerable questions based on actual problems that you face`](http://serverfault.com/help/dont-ask) - this question does not articulate a specific problem you are trying to solve, and is therefore off-topic for Server Fault. Intellectual curiosity is a great thing, but a Q&A site makes a lousy classroom... – voretaq7 Nov 05 '13 at 18:37

1 Answers1

5

The absolute best possible advice I can give you about FTP and NAT in practice is Just don't do it.

Use a modern alternative like SFTP which adds security to the connection (sending your password in plaintext is generally considered a Bad Thing these days), and also doesn't do the deranged port-dance that FTP does. That way you don't have to worry about the arcana of how FTP works.

To answer your specific questions, you will need to read the FTP RFC.
You will probably also want to read Firewall-Friendly FTP, and The big list of security considerations if you're going to use FTP.

If you're asking out of intellectual curiosity these references should suffice.
If after reading the RFCs you still have specific implementation questions related to solving an actual, practical problem please ask new questions with specific detail.

voretaq7
  • 79,879
  • 17
  • 130
  • 214