Firewall rules for FTP+SSL Explicit
Asked by Rouchie in FTP Servers, Network Software Firewalls
Tags: ftp, ssl, firewall, explicit
Hi

I would like to enable FTP+SSL Explicit on my server.  I have downloaded a trial version of Ability FTP Server, as this supports "file banning" functionality which I need.  My problem is that (I think) my firewall is preventing users being able to log in to this FTP server.  Connections are simply timing out, and Ability FTP Server shows no evidence of users being connected.
My firewall is hosted so I can't edit the rules directly, however, the hosts can do this for me.

Can somebody please tell me what I need my firewall to allow, to enable FTP+SSL Explicit to work correctly? 

Many thanks.

********************************************************************************
Which firewall do you have?

The problem is that FTP uses two connections, the command/control connection and the data connection.  The ports that are used for the data connection depend on whether you are using active or passive data transfers, but the ports for the data connection are not fixed.  SSL FTP typically uses passive FTP.

Which port is to be used for the data connection is sent as data on the command/control session using the PORT (active FTP) or PASV (passive) command.  Normally a firewall will inspect each packet on the command/control session looking for the PORT/PASV command so that it can see which port to use.  Then the firewall will dynamically set up a rule that allows the traffic between the two hosts using that port.

The problem with SSL FTP is that the command/control session is encrypted and so the firewall can't see the PORT/PASV command.

There are two options.

1) If your SSL FTP server and SSL FTP client support it, use the CCC command on the client side before you issue the PUT/GET/MPUT/MGET command.  This will cause the PORT/PASV command to be sent in clear text.

2) Define your SSL FTP server to use specific port(s) (you may want a few, no more than 10 though) for the data connection and then set up your firewall to allow traffic inbound to those ports.  If the client side is behind a firewall it will need to define rules to allow those ports outbound to your IP address.  If you are doing NAT you should also use the EPSV option, extended passive.  Normal passive will pass the server's IP address and the port it is listening on in the PASV response.  The firewall will replace the IP address with the NATed one.  However, once again, since the connection is encrypted the firewall can't do this.  The EPSV option will only pass the port number and the client assumes that the IP address for the data connection is the same as the server's for the command/control connection.
********************************************************************************
Thank you for the detailed responses.  You might have to excuse my lack of knowledge here while I try to digest your points.

>> Are you using NAT or is the server address public?
The server is public, well at least I presume so.  It's a fixed IP anyway that I can access directly from any client machine.  My ftp domain name is mapped to that IP also.

>> Define your SSL FTP server to use specific port(s)
I think for convenience (to the clients) this is going to be the most straightforward option.  The FTP server software has an option where I can set the PASV PORT RANGE.  The default values are 1024-5000, but these are greyed out at present because the range option is not active. 

Should I therefore reduce this number to 10 ports, as you suggest?

>> If the client side is behind a firewall it will need to define rules to allow those ports outbound to your IP address.
I've checked in certain client titles (FileZilla/FireFTP) and there is only one box to specify the FTP port.  Would clients be instructed to input a port range into that single box?  Is that even possible to do?
********************************************************************************
Just to point out that the IP address and port are sent in the PASV response. If the server is NATted behind a public IP address then you configure the server General settings with the Router (public) IP address and the ports used will have to be mapped to the actual server address; otherwise you simply allow the ports used to the server public address.

The server will use its next available port and pass this to the client as the port to connect to for the data transfer. If you're going to restrict the ports used then I'd suggest using something outside the default range of 1024 - 5000, since this is the source port range used by the server for outgoing connections. The number of ports should at least allow the maximum number of concurrent data connections you expect, so 10 may not be enough. I'd suggest 50 and adjust from there, for example, 5000 - 5049.

The FTP port specified on the client is the command port. The port range you specify is for data connections and would need to be allowed by the client firewall if there are restrictions on outgoing connections - most home router/firewalls do not have these restrictions but company/corporate firewalls probably will.

If you use the default FTP port and the range I've suggested above, then your firewall will need to allow ports TCP 21 and TCP 5000 to 5049.
********************************************************************************
NAT:  You really need to verify if there is a device that is doing NAT or not.  Just because you can get to it with a public IP address, does not mean that there is not a device doing NAT in front of it.  Is the IP address hard coded on the FTP server?

SSL Ports:  You can leave the port range as is. IMHO it is really overkill, but I tend to leave the defaults as is unless they do not fit my needs or cause security issues.

Client side firewall:  There is nothing you can change in the ftp client itself.  It must be done in the firewall.  What you would need to tell the people that will be using your FTP server is:

"You need to configure your firewall to allow outbound TCP connection to the destination IP address of X and destination ports of 1024-5000."

Where X is your public IP address.
********************************************************************************
Okay thanks again.  Just one more thing...

A while back I set up standard FTP using Ability FTP server and it worked fine.  The firewall on my server was set to use Port 21, which I gather from your replies is the command channel.  Please tell me, does standard (non secure) FTP still require the port range that FTPS uses (i.e. 5000-5049)?
********************************************************************************
Passive FTP uses all ports 1024 and above.  The difference is that the firewall can see what port the server told the client it will be listening on and so the firewall can dynamically create a permit rule to allow it.

As the firewall can't see the encrypted session you must predefine permit rules for the ports you are going to use.  If you do not limit it, that means that you have to allow ALL ports.
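The thread's two points, that a PASV reply carries the server's own IP address while an EPSV reply carries only the port, and that a firewall blind to the TLS-encrypted control channel can only permit a pre-configured data port range, are shown below in an added Python example that is not part of the original thread. The replies, the public address 203.0.113.5 and the 5000-5049 range are constructed sample values.

```python
import re

# Constructed sample replies (not captured from any real server).
PASV_REPLY = "227 Entering Passive Mode (192,168,1,10,19,137)."
EPSV_REPLY = "229 Entering Extended Passive Mode (|||5001|)"

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"\(\|\|\|(\d+)\|\)")

def parse_pasv(reply):
    """Parse a 227 reply into (host, port).
    The server's own address travels inside the reply, so a NAT device has to
    rewrite it; with explicit FTPS the control channel is TLS-encrypted and the
    NAT device cannot, which is how a private address leaks to the client."""
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def parse_epsv(reply, control_host):
    """Parse a 229 reply into (host, port).
    Only the port is carried; the client reuses the address of the control
    connection, so nothing in the reply needs NAT rewriting."""
    m = EPSV_RE.search(reply)
    if m is None:
        raise ValueError("not a 229 EPSV reply: %r" % reply)
    return control_host, int(m.group(1))

def data_connection_permitted(host, port, public_ip, pasv_range):
    """Static-rule check standing in for the hosted firewall.
    It cannot read PASV/EPSV inside the TLS session, so it can only permit
    data connections to the public address on the range configured in
    advance (5000-5049 in the thread's suggestion)."""
    lo, hi = pasv_range
    return host == public_ip and lo <= port <= hi

if __name__ == "__main__":
    public_ip = "203.0.113.5"   # placeholder public address (TEST-NET-3)
    pasv_range = (5000, 5049)
    for name, target in (("PASV", parse_pasv(PASV_REPLY)),
                         ("EPSV", parse_epsv(EPSV_REPLY, public_ip))):
        ok = data_connection_permitted(*target, public_ip, pasv_range)
        print(name, target, "permitted" if ok else "blocked")
```

Run as is, the PASV case is blocked because the reply advertises the private 192.168.1.10 address, while the EPSV case is permitted because the client reuses the control connection's public address and port 5001 lies inside the configured range.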
