This page describes, step by step, what to be aware of when setting up FTP where routers/firewalls are involved. If you are looking for a more theoretical explanation of the TCP activity in FTP, look here.
It starts at the server and works its way out to the client. It concentrates on the TCP/firewall relevant aspects only, and it references the Cerberus FTP server, but can be translated to other FTP servers as well.
Q: What configuration is needed in the FTP server program itself?
A: Two things: First, a passive port range must be selected, if possible.
This is possible for Cerberus
(Configuration/Server Manager/Advanced/PASV Port Range).
I recommend choosing a range of at least several hundred ports starting at
1025 or above, and also choosing a range not used by other programs.
To find that out, try "netstat -an" from a command prompt or use
TcpView from
Sysinternals.
Note that when running the FTP server, the port range will not show up in
these applications as in use.
The server will not allocate a port from the port range until it actually
needs one.
Second, you must let the FTP server know the external IP address
(Configuration/Server Manager/Interface Options/PASV Options).
You probably use a router, giving you a private IP address like
192.168.*.*, but the server needs to know what it looks like seen from the
client, so it must be aware of the IP address used by the router.
However, some routers are capable of recognizing the PORT command, and will
automatically substitute the private IP address with the real one before
sending the command out to the client.
Cerberus has several ways of handling this issue; you will have to figure out
which one suits your setup best.
Q: If I use a personal firewall on the server box, like the built-in XP
firewall, what do I need to configure?
A: You need to allow the FTP server to communicate on the internet and to
receive connections.
For port oriented firewalls, the server will be receiving connections on port
21 and the entire passive port range chosen.
It will also be making outbound connections from port 20, but directed at any
port number.
Q: Which ports do I need to open on the router?
A: The router will need to forward port 21, and the entire chosen port range.
This is why it is a good idea to choose a port range not used by any other
applications, or they will be visible from the Internet.
Opening up such a large range of ports could be seen as a security issue, but
if no other programs listen on the ports, it is only a problem if a trojan
gets inside - and then you are in trouble anyway.
Opening up for a single wrong port (like 445) is far more dangerous than
opening up an entire port range of "unused" ports.
Also, a personal firewall on the server box can be configured to allow such
incoming connections only when the port is owned by the FTP server.
Q: Can't I use "port triggering" on the router to protect the port range a bit
better?
A: No. Port triggering will open up ports for a single client, when an
outbound connection to that client on a specific port is detected by
the router.
For FTP, the ports should be opened, when an inbound connection is
detected on port 21.
(If you have a router that can actually pull this off, let me know, and I will
rewrite this section.)
Some more advanced routers are even FTP aware, and will open up the
appropriate port based on what it can read from the communication between
the server and the client (for passive FTP, the server will send a port number
to the client).
Q: Is any configuration necessary on the client at all?
A: Yes. If a client cannot connect to a server, it is not necessarily the
server's problem.
The client must be able to make a connection to the server's port 21.
This should be easy enough, and it is probably already default for most users.
If you use your browser as your FTP client, it already has the necessary
access to the internet.
But then the client should also be able to accept connections on *any* port
(active FTP), so the router should forward all ports OR be able to MAKE
connections to any port on the server (passive FTP).
Q: I cannot configure my router to forward all ports, either it is outside my
control or I cannot figure it out.
Besides, it is a major security issue to do this, I will be completely
unprotected!
A: True. If you have a personal firewall on the client, you can configure it
to accept connections coming from port 20 only, and to only allow the FTP
client to accept those connections.
You can also figure out what the ephemeral port range is on your system, and
then just open up that range.
Q: Still, it is impossible for me to do, so I just cannot get active FTP to
work.
What do I do?
A: You rely on passive FTP.
You must use a client program that can be configured to use passive FTP.
The command line FTP program in Windows cannot do this, but Internet Explorer
can.
In version 6, you can find it here:
Tools/Internet Options/Advanced/Browsing/Use Passive FTP.
When using passive FTP, the client is only required to be able to make a
connection to any port on the remote server - not just port 21.
However, this should be easy enough.
(This situation is what makes the router configuration difficult on the
server side, but hey, that is not our problem!)
Q: I am one of the lucky ones to have control over my router, and active FTP
might just work, if I use port triggering, right?
A: That is right.
You will have to figure out the system's ephemeral port range, and then have
the router forward these ports, whenever it sees an outbound connection to a
remote server's port 21.
HOWEVER, while downloading from the FTP server, you WILL be more vulnerable
to that particular server, as the ports are triggered to be forwarded, so
having a personal firewall is still important.
A Cerberus log of a successful active FTP session looks like this:
Incoming connection request on interface 1.2.3.4
Connection request accepted from 5.6.7.8
USER anonymous
331 User anonymous, password please
PASS ***********
Anonymous user "anonymous" logged in with password ""
230 Password Ok, User logged in
PORT 5,6,7,8,C,D
200 Port command received
LIST
Data connection established
150 Opening data connection
The data connection was closed by the remote socket
226 Transfer complete
QUIT
The connection was closed by the remote socket.
Connection terminated.
OK, let's lose the login and logout info, and focus on the data connection only:
PORT 5,6,7,8,C,D
200 Port command received
LIST
Data connection established
150 Opening data connection
The data connection was closed by the remote socket
226 Transfer complete
For a similar passive FTP session, the log will show:
PASV
227 Entering Passive Mode (1,2,3,4,A,B)
LIST
Connection with data socket accepted
150 Opening data connection
The data connection was closed by the remote socket
226 Transfer complete
Note the PORT command for active FTP, the PASV command for passive FTP, and the other differences. Now, what will happen if the data connection cannot be established:
PORT 5,6,7,8,C,D
200 Port command received
LIST
A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
425 Unable to open the data connection
QUIT
The connection was closed by the remote socket.
Connection terminated.
And for passive FTP:
PASV
227 Entering Passive Mode (192,168,1,100,32,8)
Connection timed out.
Shutting down connection...
Connection terminated.
- and that is it. No "Connection with data socket accepted" or anything, just silence. You will actually only get the timeout if you wait long enough.
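As an added example (not from this page and not part of Cerberus), here is a small Python checker that decodes the six-number argument of a PORT command or a 227 reply in logs like the ones above and flags the two misconfigurations this page talks about: a private address being advertised across the NAT (as in the failing passive log, where the server announces 192.168.1.100), and a passive port that falls outside the range the router forwards. The PASV_RANGE value and the sample log lines are assumptions constructed for the example.

```python
import ipaddress
import re

# Assumed passive range (Cerberus: Configuration/Server Manager/Advanced/PASV Port Range).
PASV_RANGE = (50000, 50199)

# "PORT h1,h2,h3,h4,p1,p2" from an active-mode client, and the
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply from a passive-mode server.
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
_PASV_RE = re.compile(r"227 Entering Passive Mode \((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def decode_hostport(fields):
    """Six decimal fields -> (dotted IPv4 string, port); the port is p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in fields)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def check_data_endpoint(line, pasv_range=PASV_RANGE):
    """Inspect one log line. Returns (ip, port, warnings) for a PORT command
    or a 227 reply, and None for any other line."""
    port_match = _PORT_RE.match(line)
    pasv_match = None if port_match else _PASV_RE.search(line)
    match = port_match or pasv_match
    if match is None:
        return None
    ip, port = decode_hostport(match.groups())
    warnings = []
    try:
        if ipaddress.ip_address(ip).is_private:
            # A private address means nothing to the peer on the far side of the
            # NAT: the data connection goes to the wrong host and times out.
            who = "client" if port_match else "server"
            warnings.append(f"{who} advertised private address {ip}")
    except ValueError:
        warnings.append(f"malformed address {ip}")
    if pasv_match and not pasv_range[0] <= port <= pasv_range[1]:
        # The router forwards only the configured range; anything else is unreachable.
        warnings.append(f"port {port} outside forwarded passive range {pasv_range}")
    return ip, port, warnings

def diagnose(log_lines, pasv_range=PASV_RANGE):
    """Return [(line, warnings)] for every PORT/227 line that has a problem."""
    results = ((line, check_data_endpoint(line, pasv_range)) for line in log_lines)
    return [(line, r[2]) for line, r in results if r is not None and r[2]]

# Constructed sample lines, modelled on the session logs quoted on this page.
SAMPLE_LOG = [
    "PORT 5,6,7,8,4,1",                                # client 5.6.7.8:1025, fine
    "227 Entering Passive Mode (1,2,3,4,195,80)",      # public 1.2.3.4:50000, fine
    "227 Entering Passive Mode (192,168,1,100,32,8)",  # private 192.168.1.100:8200
]
```

Running diagnose(SAMPLE_LOG) reports only the last line, with both the private-address and the out-of-range warning, which is exactly the silent timeout case shown in the passive log.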
OK, great, now we know how to recognize a failing connection, both for active and passive FTP. But how do we tell which router/firewall caused the failure, the one on the server side or the one on the client side? Unfortunately, we cannot tell them apart! There are two firewalls between the client and the server, and of course the server has no way of telling which one prevented the connection from getting through; after all, it did not get through! However, if you look in the firewall logs on either side, you might be able to figure something out, but I am afraid that you are on your own here.
If you have other examples of failures in the Cerberus FTP server, and know their cause, feel free to mail them to me, maybe I will collect them all on this page and we can turn it into the "step by step diagnostics guide to Cerberus".
Last revised: 2006-05-22