<< Click to Display Table of Contents >> Navigation: Robo-FTP Server > FTP Server Configuration > Firewall Configuration |
When configuring a firewall to allow FTP and FTPS connections, multiple factors cause the the configuration to be significantly more involved than many other modern protocols. In order to fully understand what is involved with the configuration, it would be helpful to review some background information about FTP and FTPS.
Initially, FTP was designed to only support what is now known as "active" mode. The limitations of that mode soon became apparent, and an additional "passive" mode was added to the protocol. Each mode has a different set of requirements when it comes to firewall configuration. With the FTP protocol, no matter the particular mode, communication occurs along two separate channels: the control channel and the data channel. In both active and passive modes, the client connects to the control channel running on a set port, which defaults to inbound port 21. The difference between active and passive modes only appears when the client begins a data transfer (file upload, file download, or directory listing). Before such a transfer begins, the data channel must be set up by a command given on the control channel.
Server-side Firewall Configuration for Active FTP
Inbound |
TCP port 21 (or the value configured for "FTP Port") |
Outbound |
TCP ports 1024-65535 |
In active mode, the server actively connects directly to the client when establishing a data channel. The client first sends the server a PORT or possibly an EPRT command, each of which specifies a single client-side TCP port from range 1024-65535. The server then initiates a connection to that client at the specified port. Therefore, when configuring the firewall for FTP active mode, the only inbound port that needs to be opened on the server is the control channel port. This is the "FTP Port" specified in the Robo-FTP Server Console's FTP Server menu, which defaults to port 21. However, since the client can generally specify any port from 1024 and above for the data channel, the server must allow all outgoing ports from 1024 and above as well.
Server-side Firewall Configuration for Passive FTP
Inbound |
TCP port 21 (or value configured for "FTP Port") and TCP ports 1024-5000 (or range specified for "Passive Port Range") |
Additional Requirements |
Value of "Redirect Passive IP" should be set to the publicly accessible IP address of the FTP server if needed |
In the more commonly used passive mode, the server tells the client which server-side port it should connect to, and passively awaits the connection. When a client begins a data transfer, it first issues a PASV or EPSV command to request the IP address and port number for a new data channel from the server. The server will respond with an available port and its IP address. Once the client receives this data, it will initiate a connection to the server at the specified port and address. In order to accommodate passive mode, the server's firewall must be set up to allow inbound port 21 (or whichever port is configured for "FTP Port"), as well as a range of inbound data channel ports that can be made available to the client when requested.
By default, Robo-FTP Server is configured to provide data channel ports from range 1024-5000. This can be modified by adjusting the "Passive Port Range" in the Robo-FTP Server Console's FTP Server page. The firewall must be configured to allow inbound connections on all ports specified in this "Passive Port Range".
Keep in mind that if the server is behind a firewall or NAT, it may not be aware of its own public IP address, which must be returned to the client when responding to the PASV / EPSV command. Some firewalls are able to understand the FTP protocol and will transparently rewrite the relevant network traffic so that the client receives the correct public IP address. However, this is not always possible or may require additional firewall configuration. In such a case, it will be necessary for the Robo-FTP Server administrator to manually configure the public IP address. This can be set in the "Redirect Passive IP" field on the Robo-FTP Server Console's FTP Server menu.
Special Considerations for FTPS
The FTPS protocol is essentially the FTP protocol delivered over a secure SSL/TLS-encrypted data stream. This means that the above discussion regarding firewall configuration for active and passive mode also applies to FTPS. However, there are some additional points that apply specifically to FTPS. There are two possible ways to securely connect to an FTPS server. These are referred to as "implicit FTPS" and "explicit FTPS".
Implicit FTPS
Inbound |
TCP port 990 (or value configured for "FTPS Implicit Port") |
Outbound |
(Same as regular FTP) |
With implicit FTPS, a special "FTPS implicit port" (defaulting to 990) is set aside which only accepts SSL/TLS-encrypted connections. When a client connects over this port, it is implicitly assumed that the connection will be SSL/TLS-encrypted from the very beginning, and only encrypted traffic will be understood by the server on this port.
Explicit FTPS
Inbound |
(Same as regular FTP) |
Outbound |
(Same as regular FTP) |
In contrast, with the more common "explicit FTPS", when a connection is established, it is not immediately apparent whether the client intends to communicate using plain FTP, or with the more secure FTPS. In this case, the server's normal FTP port is considered dual-use: a client can connect to this port and issue an explicit command to upgrade the connection to SSL-secured FTPS, or it can continue using insecure FTP on that same connection. Note that Robo-FTP Server provides an option to require such a connection be immediately upgraded to use SSL/TLS ("Allow secured connections only").