Dariush Debian Diary
Diariusz Dariusza
, 06, 2005
Firewall rule for FTP
A. Firewall rule summary
As long as Application Layer Gateways (or proxies) are not used, a
packet filtering firewall should be able to pass secured FTP. The
following guidelines should help trying to configure one.
Control Connection
- Allow any port on the client to connect to port 21 on the
server
- Disable any rules that parse and/or impose any rules on the
commands and/or responses on the control stream. (Note - there
is one major firewall vendor who claims this is a security issue
and makes it very hard for you to do this)
- Ensure the idle timeout of the control connection is longer
than it will take to transfer the largest file on the data
connection
Data Connection
Normal (active or PORT) FTP
- Allow port 20 on the server to connect to any port on the
client
Firewall-Friendly (passive or PASV) FTP
- Allow any port on the client to connect to any high port (*)
on the server.
(*) This may be able to be configured on the server to be a
range of ports and not 'any high port'.
Note: A firewall may allow both Normal and Firewall-Friendly FTP,
the choice is not exclusive.
NAT firewalls should be able to allow Firewall-Friendly FTP through,
as long as these rules can be followed.
Source: http://www.isaserver.org/articles/FTPTLS_Friendly_Firewalls.html
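Worked example added here (not part of the quoted article): the guidelines above encoded as a static, default-deny policy and checked against sample connection attempts. Because the control stream is TLS-protected, the filter cannot read PORT/PASV commands, so every rule is fixed in advance. Client and server addresses and the passive port range are assumed values.

```python
"""Static packet-filter policy for FTP over TLS, modelled in Python.

Added example, not code from the quoted article. The firewall cannot
inspect PORT/PASV inside a TLS-protected control stream, so the rules
below are static: control to port 21, active data from server port 20,
passive data only to the configured server-side range.
"""
from dataclasses import dataclass
from typing import Optional

CLIENT = "192.0.2.10"             # assumed client address (TEST-NET-1)
SERVER = "198.51.100.21"          # assumed FTP server address (TEST-NET-2)
PASV_RANGE = range(50000, 50100)  # assumed passive range configured on the server


@dataclass(frozen=True)
class Flow:
    """First packet (SYN) of a TCP connection: who connects to whom."""
    src: str
    sport: int
    dst: str
    dport: int


def allowed(flow: Flow) -> Optional[str]:
    """Return the name of the rule that permits the flow, or None (default deny)."""
    # Control connection: any port on the client -> port 21 on the server.
    if flow.src == CLIENT and flow.dst == SERVER and flow.dport == 21:
        return "control"
    # Active (PORT) data: port 20 on the server -> any port on the client.
    if flow.src == SERVER and flow.sport == 20 and flow.dst == CLIENT:
        return "active-data"
    # Passive (PASV) data: any port on the client -> the passive range on the server.
    # A narrower range is what the (*) note recommends instead of 'any high port'.
    if flow.src == CLIENT and flow.dst == SERVER and flow.dport in PASV_RANGE:
        return "passive-data"
    return None


def evaluate(flows):
    """Map each constructed sample flow to the rule that matched it."""
    return {f: allowed(f) for f in flows}


# Constructed sample flows: the three legitimate FTP connections plus two
# that a default-deny policy must reject.
SAMPLE_FLOWS = [
    Flow(CLIENT, 40123, SERVER, 21),     # control
    Flow(SERVER, 20, CLIENT, 40124),     # active data
    Flow(CLIENT, 40125, SERVER, 50042),  # passive data inside the range
    Flow(CLIENT, 40126, SERVER, 60000),  # high port outside the range: denied
    Flow(SERVER, 1025, CLIENT, 40127),   # server not using port 20: denied
]

if __name__ == "__main__":
    for flow, rule in evaluate(SAMPLE_FLOWS).items():
        print(f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}: {rule or 'DENY'}")
```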
Copyright ©1995-2004 Dariush Pietrzak. All content on this website, unless otherwise noted, is licensed under a Creative Commons License.