Problems with FTP and Firewalls

FTP frequently fails when the data has to pass through a firewall, because firewalls are designed to limit data flows to predictable TCP ports and FTP uses a wide range of unpredictable TCP ports. You have a choice of methods to overcome this.

Client Protected by a Firewall Problem

Typically, firewalls don’t allow any incoming connections at all, which frequently stops active FTP from working. With this type of FTP failure, the active FTP session appears to work when the client initiates an outbound connection to the server on port 21, but it then appears to hang as soon as you use the ls, dir, or get commands. The reason is that the firewall is blocking the return connection from the server to the client (from port 20 on the server to a high port on the client), which active FTP needs for every data transfer. If a firewall allows all outbound connections to the Internet, passive FTP clients behind it will usually work correctly, because the client initiates every FTP connection, control and data alike.

Solution

Table 15.1 shows the general rules you’ll need to allow FTP clients through a firewall.

Table 15.1  Client Protected by Firewall: Required Rules for FTP

| Method | Source Address | Source Port | Destination Address | Destination Port | Connection Type |
|---|---|---|---|---|---|
| Allow outgoing control connections to server | | | | | |
| Control channel | FTP client/network | High [1] | FTP server [2] | 21 | New |
| Control channel | FTP server [2] | 21 | FTP client/network | High | Established [3] |
| Allow the client to establish data channels to remote server | | | | | |
| Active FTP | FTP server [2] | 20 | FTP client/network | High | New |
| Active FTP | FTP client/network | High | FTP server [2] | 20 | Established [3] |
| Passive FTP | FTP client/network | High | FTP server [2] | High | New |

[1] Greater than 1024.

[2] In some cases, you may want to allow all Internet users to have access, not just a specific client, server, or network.

[3] Many home-based firewall routers automatically allow traffic for already established connections. This rule may not be necessary in all cases.


Server Protected by a Firewall Problem

Typically, firewalls don’t let any connections come in at all. When an incorrectly configured firewall protects an FTP server, the client’s FTP connection doesn’t appear to work at all, for both active and passive FTP: the inbound control connection to port 21 is blocked before either data-channel method comes into play.

Solution

Table 15.2 outlines the general rules needed to allow FTP servers through a firewall.

Table 15.2  Server Protected by Firewall: Required Rules for FTP

| Method | Source Address | Source Port | Destination Address | Destination Port | Connection Type |
|---|---|---|---|---|---|
| Allow incoming control connections to server | | | | | |
| Control channel | FTP client/network [1] | High [2] | FTP server | 21 | New |
| Control channel | FTP server | 21 | FTP client/network [1] | High | Established [3] |
| Allow server to establish data channel to remote client | | | | | |
| Active FTP | FTP server | 20 | FTP client/network [1] | High | New |
| Active FTP | FTP client/network [1] | High | FTP server | 20 | Established [3] |
| Passive FTP | FTP client/network [1] | High | FTP server | High | New |

[1] In some cases, you may want to allow all Internet users to have access, not just a specific client, server, or network.

[2] Greater than 1024.

[3] Many home-based firewall routers automatically allow traffic for already established connections. This rule may not be necessary in all cases.
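As an added example (not the book's own code), this POSIX shell script turns the five rows of Table 15.1 into iptables rules for a Linux firewall in front of the client; the same five rules implement Table 15.2 when FTP_SERVER is set to the server's address and CLIENT_NET to 0.0.0.0/0. The chain variables, the placeholder addresses and the APPLY switch are assumptions made here; on a host firewall set C2S_CHAIN=OUTPUT S2C_CHAIN=INPUT on a client, or C2S_CHAIN=INPUT S2C_CHAIN=OUTPUT on a server.

```shell
# Addresses below are constructed placeholders; override them from the environment.
CLIENT_NET="${CLIENT_NET:-192.168.1.0/24}"  # "FTP client/network" column
FTP_SERVER="${FTP_SERVER:-0.0.0.0/0}"       # "FTP server" column; any host, per footnote 2
HIGH="1024:65535"                           # "High" port: greater than 1024 (footnote 1)
C2S_CHAIN="${C2S_CHAIN:-FORWARD}"           # chain seeing client -> server packets (assumed)
S2C_CHAIN="${S2C_CHAIN:-FORWARD}"           # chain seeing server -> client packets (assumed)

# Print one iptables command, or execute it when APPLY=1 (needs root and iptables).
rule() {
  if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else printf 'iptables %s\n' "$*"; fi
}

# The five rules of Table 15.1, in table order.
ftp_client_rules() {
  # Control channel: client high port -> server port 21 (New), plus its return traffic (Established)
  rule -A "$C2S_CHAIN" -p tcp -s "$CLIENT_NET" --sport "$HIGH" -d "$FTP_SERVER" --dport 21 \
       -m state --state NEW -j ACCEPT
  rule -A "$S2C_CHAIN" -p tcp -s "$FTP_SERVER" --sport 21 -d "$CLIENT_NET" --dport "$HIGH" \
       -m state --state ESTABLISHED -j ACCEPT
  # Active FTP: the server opens a NEW connection from port 20 to a client high port.
  # An "outbound only" policy lacks exactly this rule, which is why ls, dir and get hang.
  rule -A "$S2C_CHAIN" -p tcp -s "$FTP_SERVER" --sport 20 -d "$CLIENT_NET" --dport "$HIGH" \
       -m state --state NEW -j ACCEPT
  rule -A "$C2S_CHAIN" -p tcp -s "$CLIENT_NET" --sport "$HIGH" -d "$FTP_SERVER" --dport 20 \
       -m state --state ESTABLISHED -j ACCEPT
  # Passive FTP: client high port -> server high port (New). The table has no separate
  # Established row for it (see footnote 3 on already established connections).
  rule -A "$C2S_CHAIN" -p tcp -s "$CLIENT_NET" --sport "$HIGH" -d "$FTP_SERVER" --dport "$HIGH" \
       -m state --state NEW -j ACCEPT
}

ftp_client_rules
```

The two data-channel rules that accept New connections open the entire port range above 1024 in one direction; on Linux the nf_conntrack_ftp helper (ip_conntrack_ftp on older kernels) follows the control channel so that data connections can instead be accepted with `--state RELATED`.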

