The FTP Security Server
The FTP Security Server is used to restrict who may upload or download files and to virus-scan FTP file transfers (through a CVP server). It is enabled only when both of the following are true:
A line permitting in.aftpd to start is present in $FWDIR/conf/fwauthd.conf. This line is usually present by default.
A rule in your security policy uses a valid FTP resource, or a User Authentication rule involves FTP.
The proper line for the FTP Security Server in $FWDIR/conf/fwauthd.conf looks like this (with no comment character, #, at the beginning of the line):
21 fwssd in.aftpd wait 0
If this line is missing or commented out, the FTP Security Server will not run, and any rule that depends on it (an FTP resource or User Authentication for FTP) will fail.
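The check above is easy to get wrong by hand because a leading # is all that separates a working line from a disabled one. The following is an added example written for this page (not Check Point code) that reads the fwauthd.conf format shown above, skips blank and commented-out lines, and reports whether an active in.aftpd entry exists. The two sample files are constructed; the in.ahttpd line is included only to show that other Security Servers share the file.

```python
"""Check whether the FTP Security Server (in.aftpd) is enabled in fwauthd.conf.

Added example, not Check Point's own code. Each service line is assumed to
have the shape shown on the page: "<port> <daemon> <program> <wait|nowait> <n>",
whitespace-separated, with '#' at the start of a line commenting it out.
The fields after the program name are kept but not interpreted.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AuthdEntry:
    port: int
    daemon: str
    program: str
    wait: str
    raw: str


def parse_fwauthd(text: str) -> List[AuthdEntry]:
    """Return the active (uncommented) service entries in an fwauthd.conf."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: this daemon will not start
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue  # not a service line
        entries.append(AuthdEntry(int(fields[0]), fields[1], fields[2], fields[3], raw))
    return entries


def ftp_security_server_enabled(text: str) -> Optional[AuthdEntry]:
    """Return the active in.aftpd entry, or None if it is missing or commented out."""
    for entry in parse_fwauthd(text):
        if entry.program == "in.aftpd":
            return entry
    return None


# Constructed sample files (not copied from a real gateway).
ENABLED_CONF = """\
# fwauthd.conf (constructed sample)
21      fwssd   in.aftpd    wait    0
80      fwssd   in.ahttpd   wait    0
"""

DISABLED_CONF = """\
# fwauthd.conf (constructed sample) with the FTP line commented out
#21     fwssd   in.aftpd    wait    0
80      fwssd   in.ahttpd   wait    0
"""

if __name__ == "__main__":
    for name, conf in (("enabled", ENABLED_CONF), ("disabled", DISABLED_CONF)):
        entry = ftp_security_server_enabled(conf)
        status = f"in.aftpd active on port {entry.port}" if entry else "FTP Security Server will NOT run"
        print(f"{name}: {status}")
```

On a real gateway you would feed it the contents of $FWDIR/conf/fwauthd.conf; an answer of None is the condition under which FTP resource rules and FTP User Authentication rules fail.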
To filter FTP, you need to create a resource of type FTP and use it in the rulebase. Let's create a resource called ftp_downloads to allow FTP downloads through the FTP Security Server. From SmartDashboard/Policy Editor, select Manage and then Resources. Next select New, and choose FTP. You may also click on the icon in the objects tree, right-click on FTP, and select New FTP. Either way, you get a new resource of type FTP, as shown in Figure 9.18.
Figure 9.18. FTP Resource Properties, General tab
The General tab is fairly self-explanatory, so let's move on and look at the Match tab, shown in Figure 9.19.
Figure 9.19. FTP Resource Properties, Match tab
Path refers to a specific location on the FTP server. For instance, you could allow some people to upload to a specific directory but deny that directory to others. An example of this is shown in the Sample Configurations section later in this chapter.
You can match two types of methods: GET and PUT. Besides GET itself, enabling GET also allows the RETR, RNFR, and XMD5 commands. Besides PUT itself, enabling PUT also allows the STOR, STOU, APPE, RNFR, RNTO, DELE, MKD, and RMD commands. Most other commands are passed to the FTP server for execution.1
The CVP tab is where you specify the CVP server to use, if any. This is similar to what was shown earlier in Figure 9.5 except that the CVP tab under FTP Resource Properties excludes the HTTP-specific options.
After setting these properties, you can add a rule with this resource to the rulebase, as shown in Figure 9.20.
Figure 9.20. Sample FTP rule with CVP
Frequently Asked Questions about the FTP Security Server
9.18 Why Won't the FTP Security Server Let Me Use Certain FTP Commands?
The following commands are enabled by default:
USER PASS ACCT REIN BYE QUIT BYTE SOCK PASV TYPE STRU MODE PORT RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE LIST NLST SITE MLFL MAIL MSND MSOM MSAM MRSQ MRCP CWD PWD RMD MKD HELP NOOP CDUP SYST XMKD XCWD XRMD XPWD XCUP XMD5 FIND MDTM SIZE MACB FW1C
The list of allowed commands is stored in the property ftp_allowed_cmds, which can be edited with dbedit or by manually editing $FWDIR/conf/objects_5_0.C on the management console. (See FAQ 4.2 for guidelines on how to edit objects_5_0.C.) You can also edit this property in SmartDefense, available in FireWall-1 NG FP2 with SmartDefense supplement or NG FP3 and later. Figure 9.21 shows how to do this.
Figure 9.21. SmartDefense Settings, Allowed FTP Commands frame
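To make the two filtering stages concrete (the ftp_allowed_cmds list from FAQ 9.18, and the GET/PUT method and Path matching of the resource's Match tab described earlier), here is an added example written for this page, not Check Point's code. It runs a constructed client session through a model of those checks using the ftp_downloads resource from the text. The order of the checks, the use of fnmatch-style wildcards for Path, and the client session are assumptions for illustration; the page does not specify the pattern syntax.

```python
"""Model of the FTP Security Server's command filtering (added example).

Illustration code written for this page, not Check Point's code. It combines
the ftp_allowed_cmds list (FAQ 9.18) with the FTP resource's Match tab
(GET/PUT methods and Path). Wildcard matching for Path is an assumption.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
import posixpath

# Default ftp_allowed_cmds value as listed in FAQ 9.18.
DEFAULT_ALLOWED_CMDS = frozenset("""
USER PASS ACCT REIN BYE QUIT BYTE SOCK PASV TYPE STRU MODE PORT RETR STOR STOU
APPE ALLO REST RNFR RNTO ABOR DELE LIST NLST SITE MLFL MAIL MSND MSOM MSAM MRSQ
MRCP CWD PWD RMD MKD HELP NOOP CDUP SYST XMKD XCWD XRMD XPWD XCUP XMD5 FIND MDTM
SIZE MACB FW1C
""".split())

# Commands governed by the Match tab's GET and PUT boxes (RNFR is in both).
GET_CMDS = frozenset({"RETR", "RNFR", "XMD5"})
PUT_CMDS = frozenset({"STOR", "STOU", "APPE", "RNFR", "RNTO", "DELE", "MKD", "RMD"})


@dataclass(frozen=True)
class FtpResource:
    name: str
    path: str = "*"      # Match tab: Path (wildcard pattern, assumption)
    get: bool = True     # Match tab: Methods, GET
    put: bool = False    # Match tab: Methods, PUT


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def check_command(line, resource, cwd="/", allowed_cmds=DEFAULT_ALLOWED_CMDS):
    """Decide whether one client control-channel line may reach the server.

    `cwd` stands in for the directory the security server learns from the
    PWD it sends before a get/put/delete/mkdir/rename (FAQ 9.19).
    """
    parts = line.strip().split(None, 1)
    if not parts:
        return Verdict(False, "empty command line")
    cmd = parts[0].upper()
    arg = parts[1] if len(parts) > 1 else ""

    # 1. Anything outside ftp_allowed_cmds is refused before any other check.
    if cmd not in allowed_cmds:
        return Verdict(False, f"{cmd} is not in ftp_allowed_cmds")

    # 2. Method check: GET-class and PUT-class commands need the matching box.
    if cmd in GET_CMDS or cmd in PUT_CMDS:
        if not ((cmd in GET_CMDS and resource.get) or (cmd in PUT_CMDS and resource.put)):
            return Verdict(False, f"{cmd} needs a method that {resource.name} does not allow")
        # 3. Path check against the resource's Path pattern, using the full path.
        full = posixpath.normpath(posixpath.join(cwd, arg)) if arg else cwd
        if not fnmatchcase(full, resource.path):
            return Verdict(False, f"{full} does not match path {resource.path}")
        return Verdict(True, f"{cmd} on {full} allowed by {resource.name}")

    # 4. Everything else is passed to the FTP server for execution.
    return Verdict(True, f"{cmd} passed through to server")


def filter_session(lines, resource, cwd="/"):
    """Apply check_command to each client line; returns a list of (line, Verdict)."""
    return [(ln, check_command(ln, resource, cwd)) for ln in lines]


# Constructed sample: the ftp_downloads resource from the text (GET only,
# restricted to /pub) and an invented client session.
FTP_DOWNLOADS = FtpResource("ftp_downloads", path="/pub/*", get=True, put=False)
SAMPLE_SESSION = [
    "USER anonymous",
    "PASS guest@example.org",
    "CWD /pub",
    "RETR README",            # download inside /pub: allowed
    "RETR ../etc/passwd",     # resolves outside /pub: denied by Path
    "STOR upload.bin",        # upload: denied, PUT not enabled
    "DELE README",            # PUT-class command: denied
    "SITE CHMOD 644 README",  # not method-governed: passed through
    "EPSV",                   # not in ftp_allowed_cmds: refused
]

if __name__ == "__main__":
    for ln, v in filter_session(SAMPLE_SESSION, FTP_DOWNLOADS, cwd="/pub"):
        print(f"{'ALLOW' if v.allowed else 'DENY ':5} {ln:24} {v.reason}")
```

The EPSV line is the case FAQ 9.18 is about: a command that is perfectly valid FTP but absent from ftp_allowed_cmds is refused before the resource is even consulted, which is why editing that property (or the SmartDefense frame in Figure 9.21) is the fix rather than changing the resource.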
9.19 Why Do I Always Have Problems with Certain Sites When Using the FTP Security Server?
When the user issues a get, put, delete, mkdir, or rename, the FTP Security Server sends a PWD command to the FTP server to learn the full path. The server must answer PWD with a 257 reply which, according to RFC 959, contains the absolute path in double quotes. If PWD is disabled on the remote server, or the server's reply is not in this form, the FTP Security Server denies the request. See the previous question for how to allow PWD replies without quotes.
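To see exactly which replies pass and which do not, here is an added example written for this page (not Check Point code) that parses a 257 reply the way RFC 959 specifies it: the pathname is enclosed in double quotes, and a literal quote inside the name is written as two consecutive quotes. The sample replies are constructed; the "disabled" one stands in for a server on which PWD has been turned off.

```python
"""Parse the 257 reply that the FTP Security Server expects to PWD (FAQ 9.19).

Added example, not Check Point code. RFC 959 requires the 257 reply to carry
the absolute pathname in double quotes, with any quote inside the name
doubled (""). Replies without quotes, with a relative path, or with a
different reply code are the failure mode the FAQ describes.
"""
import posixpath
import re


class PwdReplyError(ValueError):
    """Raised when a PWD reply cannot be used to build a full path."""


def parse_pwd_reply(reply: str) -> str:
    """Return the absolute path from a 257 reply, or raise PwdReplyError."""
    line = reply.rstrip("\r\n")
    m = re.match(r"^(\d{3})[ -](.*)$", line)
    if not m:
        raise PwdReplyError(f"not an FTP reply line: {line!r}")
    code, rest = m.groups()
    if code != "257":
        raise PwdReplyError(f"expected reply code 257, got {code}")
    if not rest.startswith('"'):
        raise PwdReplyError("pathname is not enclosed in double quotes")
    # Scan to the closing quote, turning each doubled quote into one quote.
    chars = []
    i = 1
    while True:
        if i >= len(rest):
            raise PwdReplyError("unterminated quoted pathname")
        c = rest[i]
        if c == '"':
            if i + 1 < len(rest) and rest[i + 1] == '"':
                chars.append('"')
                i += 2
                continue
            break
        chars.append(c)
        i += 1
    path = "".join(chars)
    if not path.startswith("/"):
        raise PwdReplyError(f"pathname is not absolute: {path!r}")
    return path


def resolve_full_path(pwd_reply: str, argument: str) -> str:
    """Combine the directory from a PWD reply with a command argument into the
    absolute path the security server matches against the resource's Path."""
    cwd = parse_pwd_reply(pwd_reply)
    return posixpath.normpath(posixpath.join(cwd, argument))


# Constructed sample replies (not captured from a real server).
SAMPLE_REPLIES = {
    "good":          '257 "/pub/incoming" is current directory.',
    "quote_in_name": '257 "/pub/odd""name" is current directory.',
    "unquoted":      "257 /pub/incoming is current directory.",
    "relative":      '257 "pub/incoming"',
    "disabled":      "502 PWD command not implemented.",
}

if __name__ == "__main__":
    for label, reply in SAMPLE_REPLIES.items():
        try:
            print(f"{label:14} accepted, cwd = {parse_pwd_reply(reply)}")
        except PwdReplyError as err:
            print(f"{label:14} request would be denied: {err}")
```

The "unquoted" and "disabled" cases are the ones behind the symptom in this question: the control channel looks healthy, but every get, put, delete, mkdir, or rename through the security server is refused because the cwd needed for the path check cannot be obtained.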
9.20 Why Do I Have a Problem FTPing to Any Site with the FTP Security Server?
If DNS responses are being cached, particularly negative responses (failed lookups), the FTP Security Server can fail to connect to any site. The caching may occur on the DNS server itself or on the firewall (e.g., nscd). The problem should clear once the cached entry expires or you disable name service caching.