FTP: Making a broken protocol work

By Christo Butcher (christo@fox-it.com)
On 11 October, 2002


Active versus Passive FTP

RFC 1579, Firewall-Friendly FTP, February 1994, states the following:

    The FTP specification says that by default, all data transfers should be over a single connection. An active open is done by the server, from its port 20 to the same port on the client machine as was used for the control connection. The client does a passive open.

    Fortunately, the necessary mechanisms already exist in the protocol. If the client sends a PASV command, the server will do a passive TCP open on some random port, and inform the client of the port number. The client can then do an active open to establish the connection.

If active mode is used, the following connections will be made:

    Client -> Server: (ctrl) control connection established
    Client -> Server: (ctrl) specifies the port the client is listening on
    Client <- Server: (data) connection established to specified port

Under passive mode, this happens:

    Client -> Server: (ctrl) connection established
    Client -> Server: (ctrl) requests a passive mode connection
    Client <- Server: (ctrl) specifies the port the server is listening on
    Client -> Server: (data) connection established to specified port


Security Considerations

Assume a network with a firewall machine F and a network address translation machine N providing internet access. Assume also that communication between a client C on this network and an internet server S would proceed as follows:

    C <-> F <-> N <-> S

Now assume that an FTP proxy process is running on both F and N.

If all relevant machines run in active mode, the following connections will be established:

    C -> F : (ctrl) to port 21
    F -> N : (ctrl) to port 21
    N -> S : (ctrl) to port 21
    N <- S : (data) to port specified by N
    F <- N : (data) to port specified by F
    C <- F : (data) to port specified by C

This diagram clearly shows that the security policy of F must allow the following:

    C -> F: -> proxy user: to port 21
    N <- F: <- proxy user: to port 21
    N -> F: -> proxy user: to port specified by proxy user
    C <- F: <- proxy user: to port specified by C

On N the following must be possible:

    F -> N: -> proxy user: to port 21
    S <- N: <- proxy user: to port 21
    S -> N: -> proxy user: to port specified by proxy user
    F <- N: <- proxy user: to port specified by F

During a passive FTP session, another situation will arise:

    C -> F : (ctrl) to port 21
    F -> N : (ctrl) to port 21
    N -> S : (ctrl) to port 21
    N -> S : (data) to port specified by S
    F -> N : (data) to port specified by N
    C -> F : (data) to port specified by F

A different security policy must be applied in this scenario. The proxy process on F must have the following permissions:

    C -> F: -> proxy user: to port 21
    N <- F: <- proxy user: to port 21
    N <- F: <- proxy user: to port specified by N
    C -> F: -> proxy user: to port specified by proxy user

On N the security policy must allow:

    F -> N: -> proxy user: to port 21
    S <- N: <- proxy user: to port 21
    S <- N: <- proxy user: to port specified by S
    F -> N: -> proxy user: to port specified by proxy user


Security Summary

Security policy for F:

    C -> F: -> proxy user: to port 21
    C <- F: <- proxy user: to port specified by C
    C -> F: -> proxy user: to port specified by proxy user
    N <- F: <- proxy user: to port 21
    N -> F: -> proxy user: to port specified by proxy user
    N <- F: <- proxy user: to port specified by N

Security policy for N:

    F -> N: -> proxy user: to port 21
    F <- N: <- proxy user: to port specified by F
    F -> N: -> proxy user: to port specified by proxy user
    S <- N: <- proxy user: to port 21
    S -> N: -> proxy user: to port specified by proxy user
    S <- N: <- proxy user: to port specified by S


Implementation Notes

When the proxies on F and N are running as transparent proxies, the firewall configurations must take this into account.

Since all communication to and from the proxies is performed as the proxy user, this fact can be used to narrow down the allowed connections, and unnecessary security risks may thus be avoided.

Many FTP proxy implementations support specification of the port ranges to be used during data channel establishment. By making good use of this feature, the firewalls can be tightened up even more.
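The "port specified by" entries in the listings above are carried on the control channel as a PORT command (active mode, client announces its listening port) or a 227 reply to PASV (passive mode, server announces its listening port), and the final note says a proxy can confine those data ports to a configured range. The following Python is an added example, not code from the article or from Fox-IT: it parses either control-channel line, decodes the announced address and port, checks the port against an assumed configured range, and reports which side must open the single data connection a firewall or proxy has to permit for that transfer. The sample lines, addresses and DATA_PORT_RANGE are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample control-channel traffic (not taken from the article).
SAMPLE_PORT_COMMAND = "PORT 192,168,1,10,200,5"
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (198,51,100,7,195,80)."

# Assumed data-port range configured on the proxy (placeholder value, not from the article).
DATA_PORT_RANGE = (50000, 51999)

# Both PORT and the 227 reply carry h1,h2,h3,h4,p1,p2: four address octets and the
# data port split into a high and a low byte.
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _SIX + r"\s*$", re.IGNORECASE)
# Some servers omit the parentheses around the fields, so they are optional here.
PASV_RE = re.compile(r"^227\b[^\d]*\(?" + _SIX + r"\)?")


@dataclass(frozen=True)
class DataChannel:
    mode: str        # "active" (PORT) or "passive" (PASV / 227)
    listener: str    # side that does the passive TCP open and announced the port
    connector: str   # side that does the active TCP open to that port
    host: str        # announced address in dotted form
    port: int        # announced data port
    in_range: bool   # True if the port falls inside the configured data-port range


def decode_hostport(fields):
    """Turn the six comma-separated decimal fields into (dotted address, port)."""
    values = [int(f) for f in fields]
    if any(v > 255 for v in values):
        raise ValueError("field exceeds one byte in PORT/PASV specification")
    h1, h2, h3, h4, p1, p2 = values
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def _in_range(port, port_range):
    low, high = port_range
    return low <= port <= high


def parse_control_line(line, port_range=DATA_PORT_RANGE):
    """Return a DataChannel for a PORT command or 227 reply, or None for any other line."""
    m = PORT_RE.match(line)
    if m:
        host, port = decode_hostport(m.groups())
        # Active mode: the client listens, the server will connect to it.
        return DataChannel("active", "client", "server", host, port, _in_range(port, port_range))
    m = PASV_RE.match(line)
    if m:
        host, port = decode_hostport(m.groups())
        # Passive mode: the server listens, the client will connect to it.
        return DataChannel("passive", "server", "client", host, port, _in_range(port, port_range))
    return None


def data_pinhole(channel):
    """Return (source role, destination role, destination port) for the data connection.

    Beyond the port 21 control channel, this is the one additional connection the
    firewall or proxy must permit per transfer: in active mode the server connects to
    the client's announced port, in passive mode the client connects to the server's.
    """
    return (channel.connector, channel.listener, channel.port)


if __name__ == "__main__":
    for line in (SAMPLE_PORT_COMMAND, SAMPLE_PASV_REPLY, "200 PORT command successful."):
        channel = parse_control_line(line)
        if channel is None:
            print(f"{line!r}: no data-channel information")
            continue
        src, dst, port = data_pinhole(channel)
        verdict = "within configured range" if channel.in_range else "OUTSIDE configured range"
        print(f"{channel.mode}: {src} -> {dst} data connection to {channel.host}:{port} ({verdict})")
```

A proxy enforcing the article's port-range recommendation would reject a transfer whose announced port yields `in_range == False` rather than opening a pinhole for it; the parser raises ValueError for fields above 255 so a malformed announcement is never turned into a rule.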