• February 28, 2025, 10:30:00 AM
  • Welcome, Guest
Please login or register.

Login with username, password and session length
Advanced search  

News:

This Forum Beta is ONLY for registered owners of D-Link products in the USA for which we have created boards at this time.

Pages: 1 2 [3]

Author Topic: DNS-323 behind 3 routers how to FTP ?  (Read 22781 times)

fordem

  • Level 10 Member
  • *****
  • Posts: 2168
Re: DNS-323 behind 3 routers how to FTP ?
« Reply #30 on: April 07, 2011, 04:21:07 AM »
Quote from: OlegMZ on April 06, 2011, 07:07:35 PM

You did not get my point. I never stated that FTP server in ACTIVE mode would not work behind firewall.

Here's what you stated ...

Quote
Guys, do not forget, that normally FTP server, which is behind firewall MUST BE ABLE to work in passive mode

Does that not say in so many words - that an ftp server, behind a firewall MUST BE ABLE to work in passive mode?  Does it not imply that an ftp server, that does not support passive mode, will not work if it's behind a firewall?

Quote
This is the easiest setup. Yet it has one huge drawback. In case the SERVER is in active mode, the client MUST NOT be behind firewall or it must be behind firewall which does support application inspection and is able to create temporary rules for data traffic initiated from FTP server to the client.

In other words - if both FTP server and client are behind their own firewalls at least one of firewalls must be able to inspect FTP control traffic and dynamically open appropriate ports for it. If it is done on client side, then active FTP will work. If it is on the sever side, passive FTP will work. So it makes a good sense to configure application inspection on the server firewall and allow passive FTP mode to guarantee that any client, behind any type of firewall (dumb or intelligent) will be able to access the server.

The majority of consumer grade NAT firewall routers support, not a full application inspection, but what is termed "ftp fixup" (this is Cisco's name for it), they watch for an outgoing connection on port 21 and keep track of the destination ip, and will then allow an incoming connection on any of the high ports from that ip, forwarding it to the host from which the outgoing connection came.

This works very well - provided the standard ftp port is used - and it works with pretty much ALL of the router/firewalls out there.
Logged
RAID1 is for disk redundancy - NOT data backup - don't confuse the two.

OlegMZ

  • Level 2 Member
  • **
  • Posts: 50
Re: DNS-323 behind 3 routers how to FTP ?
« Reply #31 on: April 07, 2011, 06:53:21 AM »
Quote from: fordem on April 07, 2011, 04:21:07 AM
Does that not say in so many words - that an ftp server, behind a firewall MUST BE ABLE to work in passive mode?  Does it not imply that an ftp server, that does not support passive mode, will not work if it's behind a firewall?
No it doesn't. I said must BE ABLE, not MUST WORK or CAN ONLY WORK. And explained why and what might happen if FTP server would be ABLE to work in ACTIVE mode ONLY - inability for some clients to transfer data.
OK, let's put it in other words. FTP server behind firewall must be able to work in BOTH passive and active mode to ensure that all the clients, no matter where they are located, could communicate with it and the firewall must be able to support such a connectivity.

Quote
The majority of consumer grade NAT firewall routers support, not a full application inspection, but what is termed "ftp fixup" (this is Cisco's name for it),

ftp fixup is just an old name for the same function - application inspection. It was used at old versions of PIX OS (prior to 7.x) and some other devices. For all IOS and PIX/ASA OS 7.x and above Cisco is using term application inspection which is a part of MPF. You will not find ftp fixup term in any more or less recent Cisco book or online document. May be just as a reference to the old alias.

Quote
they watch for an outgoing connection on port 21 and keep track of the destination ip, and will then allow an incoming connection on any of the high ports from that ip, forwarding it to the host from which the outgoing connection came.
This works very well - provided the standard ftp port is used - and it works with pretty much ALL of the router/firewalls out there.

Maybe, I did not check. I know that any cisco/checkpoint/juniper device "drills" very specific "hole", using source and destination IP addresses and ports for every FTP-DATA connection. It also tracks connection state, sequence numbers and FTP command used. And much more.
Of course one can hardly expect the same functionality from $100 device, so I can easily believe that it just opens high ports for everybody to the same destination (where NAT is configured to) without actually inspecting anything. But I still hope it does not :-). Anyway I prefer cisco router at my home network edge with all the firewall and IPS policies manually configured and tuned. Much easier to control what is going on. BTW Cisco has very interesting line of express 500 series products which is positioned between Linksys and 800 series. For example SR520 router. It runs real 12.3 IOS stripped of some enterprise faetures like OSPF, BGP, GET VPN, DMVPN. But all the rest, including firewall, VPN, IPS, QoS is in place. And a street price if I am not mistaken is around $250-300.
Certainly it is not for average home setup, but for some small offices or branches it is actually quite good.
Logged
Pages: 1 2 [3]
« previous next »