better support through firewalls doing passive ftp and passive ftp over ssl through nat
Reported by: Jeffrey Robillard
Keywords: ports pasv ssl passive firewall
Operating system type: Windows
Currently most firewalls examine the response information sent from the ftp server back to the ftp client during a passive ftp session. The firewalls modify the response so that an internal ftp server responding with an internal address in a passive response is changed so that it contains the external address corresponding to the nat policy rules on the firewall. Basically [192,168,127,2,78,34] would be changed by the firewall to the external WAN ip for the NAT.
This works fine as long as you're doing regular ftp.
However when you do ftp over ssl passive you have to tell the filezilla server which external ip to use in the passive settings of the server. You have the option of doing this already and there is a checkbox to use the internal address if a localhost is connecting.
This all works great unless you're now trying to use that standard ftp passive connection through the firewall, a firewall that is attempting to manipulate the data in the passive response. When the firewall sees that outbound reply traffic back to the ftp client and it contains the external wan address instead of the internal ip address, it has no idea what to do and drops the traffic, assuming it's some sort of spoof. I have used several firewalls, WatchGuard, SonicWall, and they all perform the same way.
However, if there was a checkbox for "use local address for standard ftp passive connections" such that any connection over passive to port 21 would result in the reply using the internal address instead of the wan address, it would solve all of these issues with firewalls and how they work. This way, the only connection replies outbound back to the client would be either the internal address for port 21, which the firewall would modify, or the external wan address for anything else. Of course, not forgetting the current setting for using the internal address for local connections.