Firewall rule for FTP
A. Firewall rule summary
As long as Application Layer Gateways (or proxies) are not used, a
packet filtering firewall should be able to pass secured FTP (FTP
over TLS). The following guidelines should help when configuring one.
Control Connection
- Allow any port on the client to connect to port 21 on the
server
- Disable any rules that parse or impose restrictions on the
  commands and responses on the control stream. With the control
  connection encrypted the firewall cannot read PORT/PASV or the
  replies anyway, and such rules only break the session. (Note - there
  is one major firewall vendor who claim this is a security issue
  and make it very hard for you to do this)
- Ensure the idle timeout of the control connection is longer
  than it will take to transfer the largest file on the data
  connection. The control connection carries no traffic while a
  transfer is running, so a shorter timeout drops its state
  mid-transfer.
Data Connection
Normal (active or PORT) FTP
- Allow port 20 on the server to connect to any port on the
  client (the server opens this connection towards the client, so
  the client side must accept an inbound connection)
Firewall-Friendly (passive or PASV) FTP
- Allow any port on the client to connect to any high port(*)
  on the server.
(*) This can usually be configured on the server to be a fixed
range of ports rather than 'any high port', which keeps the
firewall rule as tight as possible.
Note: A firewall may allow both Normal and Firewall-Friendly FTP;
the choice is not exclusive.
NAT firewalls should be able to allow Firewall-Friendly FTP through,
as long as these rules can be followed, because in passive mode every
connection is opened from the client side. A server behind NAT needs
to advertise its public address in the PASV reply itself, since the
NAT device cannot rewrite an encrypted control channel.
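The guidelines above, expressed as an iptables ruleset for a packet
filter in front of the server. This is an added example, not from the
original page or its source; the server address 203.0.113.10 and the
passive port range 50000-50100 are hypothetical values (the range is
assumed to be configured on the server, e.g. vsftpd's pasv_min_port /
pasv_max_port). By default the script only prints the commands; set
IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example: static FTP-over-TLS rules for the FORWARD chain of a
# filtering router. Hypothetical values: server 203.0.113.10, passive
# range 50000-50100. IPT defaults to a dry run that echoes the commands.
IPT="${IPT:-echo iptables}"

ftp_rules() {
    srv="$1"; pasv_lo="$2"; pasv_hi="$3"
    # Control connection: any client port -> tcp/21 on the server.
    $IPT -A FORWARD -p tcp -d "$srv" --dport 21 \
        -m conntrack --ctstate NEW -j ACCEPT
    # Normal (PORT) data: server tcp/20 -> any port on the client.
    # This is an inbound connection to the client side.
    $IPT -A FORWARD -p tcp -s "$srv" --sport 20 \
        -m conntrack --ctstate NEW -j ACCEPT
    # Firewall-Friendly (PASV) data: any client port -> the server's
    # configured passive range, instead of 'any high port'.
    $IPT -A FORWARD -p tcp -d "$srv" --dport "${pasv_lo}:${pasv_hi}" \
        -m conntrack --ctstate NEW -j ACCEPT
    # Packets belonging to connections accepted above, both directions.
    # Deliberately no RELATED state and no nf_conntrack_ftp helper: on an
    # encrypted control channel the helper cannot read PORT/PASV, so the
    # static rules do its job.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Idle timeout check for the control connection. The kernel key is real;
# if conntrack is not loaded the function reports that instead.
control_timeout() {
    f=/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established
    if [ -r "$f" ]; then cat "$f"; else echo "conntrack not loaded"; fi
}

ftp_rules 203.0.113.10 50000 50100
echo "established timeout (s): $(control_timeout)"
```

The established-TCP conntrack timeout must exceed the longest expected
transfer; the default of five days on Linux is ample, but appliances
that shorten it will drop the idle control connection mid-transfer.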
Source: http://www.isaserver.org/articles/FTPTLS_Friendly_Firewalls.html
| Firewall rule for FTP | | 2005.01.06-09:43.00
