Best practice firewall setting for user FTP traffic

How do you handle user FTP traffic? As you know, there are two transfer modes for FTP traffic, active and passive.

– Active mode: the FTP server will assign the port numbers for the FTP data transfer.

– Passive mode: the FTP client will fix the port numbers for the FTP data transfer.
* Normally, the port number range is at least 10 ports.

Active FTP :
     command : client > random port  -> server 21
     data    : client > random port <-  server 20

Passive FTP :
     command : client > random port  -> server 21
     data    : client > random port  -> server > random port

You can open a certain range of ports for FTP data transfer, but from a security point of view it is not always the best practice. Besides, the range will be bigger than you think if you do not limit which FTP servers are allowed.

If you only allow outbound traffic to destination ports 20-21, you can establish the FTP session, but no FTP data transfer will take place, and you will see errors like the ones below.

DOS command-line ftp client: "425 No data connection"

[screenshot: firewall setting for userFTP-1.png]

FileZilla: hangs after "Command: MLSD" and ends with "Error: Directory listing aborted by user"

[screenshot: firewall setting for userFTP-2.png]

or "Error: Failed to retrieve directory listing"

Check whether your firewall supports application-layer signature detection. (Most high-end firewalls support it for FTP, SIP, H.323 and so on.)

The firewall reads the dynamic port that the session negotiates for data transfer and creates an implicit, temporary firewall rule for that session's traffic. The rule only allows the session's traffic in the direction that the firewall determines from its inspection of the application payload of the packets. The rule is automatically deleted after the application's traffic has gone through.
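To make concrete what the firewall inspects, here is an added Python example (not code from this post or from the ZyWALL product) that parses the active-mode PORT command and the passive-mode 227 reply from a constructed control-channel transcript and derives the temporary data-connection rule an ALG would create; the sample addresses and function names are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of an FTP control channel (not a real capture).
SAMPLE_CONTROL_CHANNEL = [
    "PORT 192,168,1,10,4,1",                             # active: client port 4*256+1 = 1025
    "227 Entering Passive Mode (203,0,113,5,195,80).",   # passive: server port 195*256+80 = 50000
    "MLSD",
    "150 Here comes the directory listing.",
]

# FTP encodes host and port as six comma-separated decimal octets: h1,h2,h3,h4,p1,p2
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_data_endpoint(line: str) -> Optional[Tuple[str, str, int]]:
    """Return (mode, host, port) from a PORT command or a 227 PASV reply, else None."""
    if line.upper().startswith("PORT "):
        mode = "active"      # client names the endpoint the server must connect to
    elif line.startswith("227 "):
        mode = "passive"     # server names the endpoint the client must connect to
    else:
        return None
    m = _HOSTPORT.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(o > 255 for o in (h1, h2, h3, h4, p1, p2)):
        return None          # malformed octet; do not open anything
    return mode, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def pinholes(lines: List[str]) -> List[dict]:
    """Derive the temporary rules an ALG on the client-side firewall would create.

    A real ALG ties each rule to the control session and removes it when the
    data transfer ends; this function only shows what would be opened and why a
    static 'ports 20-21 only' rule cannot cover the data connection.
    """
    rules = []
    for line in lines:
        parsed = parse_data_endpoint(line)
        if parsed is None:
            continue
        mode, host, port = parsed
        if mode == "active":   # server (src port 20) connects in to the client
            rules.append({"direction": "inbound", "dst": host, "dport": port, "sport": 20})
        else:                  # client connects out to the server's random port
            rules.append({"direction": "outbound", "dst": host, "dport": port})
    return rules
```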

I have a ZyWALL USG 100, and it has an option called ALG (Application Layer Gateway).

Configuration > Network > ALG > FTP: check the box to enable it.

[screenshot: firewall setting for userFTP-3.png]

[screenshot: firewall setting for userFTP-4.png]

Good Luck~
