I found that it was a real pain to set up an FTP server in a DMZ behind a Cisco ASA firewall (5501 model with IOS version 7.0).
The FTP server is on the DMZ, and therefore I NATed a public IP to the private IP of this server in the DMZ subnet.
Active mode: this is the historical mode, but it should be considered obsolete now because of the numerous issues it has. In this mode, after the client initiates the communication on port 21 (command channel), the server initiates the data transfer channel from its port 20 toward a port specified by the client. It causes two big problems:
the client must configure its firewall to allow incoming traffic on this port. In real life this most likely means allowing the whole 1024-65535 port range for incoming traffic. Not really secure, is it?
if the client is behind a NAT it won't work! Since the server creates the connection, the router has no entry for the flow in its NAT table. It will just drop the connection.
Passive mode: the difference here is that the server chooses on which port the data transfer will be operated. The port is given to the client when the client initiates the communication. Actually, the server never initiates any connection, hence the name "passive". The only thing to do on the server side is to set the proper firewall rule to allow the server's data ports. The client then initiates the transfer on the given port. It solves the client-side firewalling problem because the firewall will see it as outbound traffic. With the right rules, especially if the firewall is stateful, this is an easy thing.
By default the FTP server will be listening on its network interface and answer the FTP requests with its private IP address. But in many cases the FTP server is located on a DMZ network.
In such a case the client gets a private IP to connect to... and can never reach the server properly.
To work around this problem, most FTP servers can be configured to answer with their public IP.
So for now we are stuck with a server sending its private IP address in any case. That solves any issue in the local subnet, but is it possible to do anything for external clients, which need to get a public IP?
Actually, and this is really not a satisfying answer, it depends on the client. Most FTP clients have some options to work around this issue, but not all of them.
From the client we see a PORT command, which shows that our client is connecting in active mode.
Surprise, the server replies! And it says successful even though the IP given is a private one. That should not work, and in any case the response should not get out of the external firewall...
Answer: (192,168,1,2,173,87) is the FTP way to represent IPs and ports. The IP is simply given by the first four numbers: 192,168,1,2 => 192.168.1.2. The last two give you the port number with this formula: 173,87 => 173 x 256 + 87 = port n°44375
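As an added example (not code from the original post), here is a small Python parser for that h1,h2,h3,h4,p1,p2 tuple, covering both the client's PORT command and the server's 227 passive-mode reply, together with the check a firewall admin would want: whether the advertised data-channel address is RFC 1918 private or differs from the peer of the control connection (i.e. the NATed public IP). The sample lines and the public address 93.184.216.34 are constructed.

```python
import ipaddress
import re

# The "(h1,h2,h3,h4,p1,p2)" tuple used by the PORT command and the
# "227 Entering Passive Mode" reply.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# RFC 1918 ranges: an address in one of these can never be reached by an
# external client, whatever the server claims.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hostport(line):
    """Return (ip, port) from a PORT command or a 227 PASV reply.

    The first four numbers are the IPv4 octets; the port is p1 * 256 + p2,
    e.g. "173,87" -> 173 * 256 + 87 = 44375.
    """
    m = _HOSTPORT.search(line)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if p1 > 255 or p2 > 255:
        raise ValueError("port bytes must be 0-255")
    ip = str(ipaddress.IPv4Address("%d.%d.%d.%d" % (h1, h2, h3, h4)))  # rejects octets > 255
    return ip, p1 * 256 + p2


def format_hostport(ip, port):
    """Inverse operation: encode an IPv4 address and port as the FTP tuple."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def check_advertised(line, control_peer_ip):
    """Flag the situation described in the post: the data-channel address in a
    PASV reply (or PORT command) is private, or differs from the address the
    control connection actually uses. Returns (ip, port, list_of_problems)."""
    ip, port = parse_hostport(line)
    addr = ipaddress.IPv4Address(ip)
    problems = []
    if any(addr in net for net in _RFC1918):
        problems.append("advertised address %s is RFC 1918 private" % ip)
    if ip != control_peer_ip:
        problems.append("advertised %s differs from control peer %s" % (ip, control_peer_ip))
    return ip, port, problems


if __name__ == "__main__":
    # Constructed sample: a server behind NAT leaking its DMZ address in its PASV reply.
    print(check_advertised("227 Entering Passive Mode (192,168,1,2,173,87).", "93.184.216.34"))
```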
Now let's recap. Using the basic ftp client we can't get through in passive mode: we get a private IP and we have no workaround. The active mode works, but it is thanks to the behaviour of VSFTP when a PORT command is issued. In the end, I won't change this, because such a behaviour is actually nice.
I still wonder how VSFTP could get the public IP when the PORT command sends the private IP. I guess, and it would be a smart behaviour, that the program checks the underlying protocol layers and takes the right IP from the IP header... I will get it confirmed and update this post.
I could not reach the point where I can be 100% sure that it will work in all configurations. The best I could do is a series of small fixes to get the best compromise possible.
I expect that using VSFTPD as a server and recommending a good client such as Filezilla will work pretty well, and that it won't be a big deal to get to such a configuration.
If anyone has better ideas or sees that I was fooled somewhere before reaching my conclusion, please let me know.
But anyway, really, FTP sucks. It is annoying that the use of this protocol is still required by some companies.
<a href="" call=""> <abbr title=""> <acronym call=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>
Forex Groups - Tips on Trading
Related article:
http://www.phocean.net/?p=80
comments | Add comment | Report as Spam
|