You are here: CodeIdol.com > Unix > Linux® Quick Fix > Linux FTP Server Setup > Problems With FTP And Firewalls


Problems with FTP and Firewalls

FTP frequently fails when the data has to pass through a firewall, because firewalls are designed to limit data flows to predictable TCP ports and FTP uses a wide range of unpredictable TCP ports. You have a choice of methods to overcome this.

Note

Appendix II, "Codes, Scripts, and Configurations," contains examples of how to configure the VSFTPD Linux firewall to function with both active and passive FTP.


Client Protected by a Firewall Problem

Typically firewalls don't allow any incoming connections at all, which frequently blocks active FTP from functioning. With this type of FTP failure, the active FTP connection appears to work when the client initiates an outbound connection to the server on port 21. The connection then appears to hang, however, as soon as you use the ls, dir, or get commands. The reason is that the firewall is blocking the return connection from the server to the client (from port 20 on the server to a high port on the client). If a firewall allows all outbound connections to the Internet, then passive FTP clients behind a firewall will usually work correctly as the clients initiate all the FTP connections.

Solution

Table 15.1 shows the general rules you'll need to allow FTP clients through a firewall.

Table 15.1. Client Protected by Firewall: Required Rules for FTP

| Method | Source Address | Source Port | Destination Address | Destination Port | Connection Type |
|---|---|---|---|---|---|
| Allow outgoing control connections to server | | | | | |
| Control channel | FTP client/network | High[1] | FTP server[2] | 21 | New |
| | FTP server[2] | 21 | FTP client/network | High | Established[3] |
| Allow the client to establish data channels to remote server | | | | | |
| Active FTP | FTP server[2] | 20 | FTP client/network | High | New |
| | FTP client/network | High | FTP server[2] | 20 | Established[3] |
| Passive FTP | FTP client/network | High | FTP server[2] | High | New |
| | FTP server[2] | High | FTP client/network | High | Established[3] |


[1] Greater than 1024.

[2] In some cases, you may want to allow all Internet users to have access, not just a specific client, server, or network.

[3] Many home-based firewall routers automatically allow traffic for already established connections. This rule may not be necessary in all cases.
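The client-side failure described above and the "New" rows of Table 15.1, modelled as an added example (not code from the book): a small rule matcher in Python that shows which FTP mode completes under which rule set. The `client`/`server` labels, the port numbers and all function names are constructed for illustration.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "name src sport dst dport")  # admits the first packet of a NEW connection
Conn = namedtuple("Conn", "src sport dst dport")
CLIENT, SERVER = "client", "server"                     # constructed placeholder addresses

def port_ok(spec, port):
    """spec is an exact port, "high" (greater than 1024, as in the table) or "any"."""
    if spec == "any":
        return True
    return port > 1024 if spec == "high" else port == spec

def match(rules, conn):
    """Return the name of the rule admitting this NEW connection, else None.
    Replies on an admitted connection are assumed to pass (the Established rows)."""
    for r in rules:
        if (r.src, r.dst) == (conn.src, conn.dst) and port_ok(r.sport, conn.sport) \
                and port_ok(r.dport, conn.dport):
            return r.name
    return None  # dropped: the client sees the session hang

# "New" rows of Table 15.1
CONTROL = Rule("control", CLIENT, "high", SERVER, 21)
ACTIVE = Rule("active-data", SERVER, 20, CLIENT, "high")
PASSIVE = Rule("passive-data", CLIENT, "high", SERVER, "high")
# A firewall that allows every outbound connection and nothing inbound
OUTBOUND_ONLY = Rule("any-outbound", CLIENT, "any", SERVER, "any")

def ftp_session(rules, mode, ctrl_port=40000, data_port=40001, pasv_port=50000):
    """Return (control_ok, data_ok) for one login followed by ls or get."""
    control_ok = match(rules, Conn(CLIENT, ctrl_port, SERVER, 21)) is not None
    if mode == "active":   # server connects back from port 20 to the client's high port
        data = Conn(SERVER, 20, CLIENT, data_port)
    else:                  # passive: client connects to a high port on the server
        data = Conn(CLIENT, data_port, SERVER, pasv_port)
    data_ok = control_ok and match(rules, data) is not None
    return control_ok, data_ok

if __name__ == "__main__":
    for label, rules in [("outbound-only", [OUTBOUND_ONLY]),
                         ("control+active", [CONTROL, ACTIVE]),
                         ("control+passive", [CONTROL, PASSIVE])]:
        for mode in ("active", "passive"):
            print(label, mode, ftp_session(rules, mode))
```

Under the outbound-only rule set, active mode returns a working control channel and a failed data channel, which is the hang on ls, dir, or get. Note that the active-data rule admits new inbound connections to every high port on the client.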

Server Protected by a Firewall Problem

Typically, firewalls don't let any connections come in at all. When an incorrectly configured firewall protects an FTP server, the FTP connection from the client doesn't appear to work at all, for either active or passive FTP.

Solution

Table 15.2 outlines the general rules needed to allow FTP servers through a firewall.

Table 15.2. Server Protected by Firewall: Required Rules for FTP

| Method | Source Address | Source Port | Destination Address | Destination Port | Connection Type |
|---|---|---|---|---|---|
| Allow incoming control connections to server | | | | | |
| Control channel | FTP client/network[1] | High[2] | FTP server | 21 | New |
| | FTP server | 21 | FTP client/network[1] | High | Established[3] |
| Allow server to establish data channel to remote client | | | | | |
| Active FTP | FTP server | 20 | FTP client/network[1] | High | New |
| | FTP client/network[1] | High | FTP server | 20 | Established[3] |
| Passive FTP | FTP client/network[1] | High | FTP server | High | New |
| | FTP server | High | FTP client/network[1] | High | Established[3] |


[1] In some cases, you may want to allow all Internet users to have access, not just a specific client, server, or network.

[2] Greater than 1024.

[3] Many home-based firewall routers automatically allow traffic for already established connections. This rule may not be necessary in all cases.

    © CodeIdol Labs, 2007