Client Firewall Setup

From BulletProof Wiki

Introduction

BulletProof FTP Client fully supports network environments where the computer running the software is behind a network Firewall/NAT. Beginners should read our short tutorial on how FTP works and what role the client plays in its function.


Problem

Typically firewalls don’t allow any incoming connections at all, which frequently blocks active FTP from functioning. With this type of FTP failure, the active FTP connection appears to work when the client initiates an outbound connection to the server on port 21. The connection then appears to hang, however, as soon as you use the ls, dir, or get commands. The reason is that the firewall is blocking the return connection from the server to the client (from port 20 on the server to a high port on the client). If a firewall allows all outbound connections to the Internet, then passive FTP clients behind a firewall will usually work correctly as the clients initiate all the FTP connections.

Background

The File Transfer Protocol (FTP) was designed back in 1985 to facilitate early file transfers on the Internet. This robust and elegant protocol allows files to be transferred from server to client and from client to server. However, being over 20 years old, the protocol isn't without its downside: its firewall/NAT traversal is highly confusing and can be fairly technical. Not to fear! With a bit of terminology and some guidance, this "HOW-TO" can help you set up BulletProof FTP Client in no time!

Requirements

To configure BulletProof FTP Client correctly you must have the following information and access:

  • Administrative access to the computer running the software (Windows Administrative Privileges)
  • Administrative access to the network Firewall/NAT appliance (Linksys, Netgear, Cisco, etc)
  • BulletProof FTP Client (http://www.bpftp.com) installed and running on the intended computer

Configuring BulletProof FTP Client

Configuring BulletProof FTP Client to operate in Passive-Mode (PASV-mode) is very easy. For PORT-mode, however, you will need to break out the manual for your Firewall/NAT appliance (Linksys, Netgear, Cisco, etc.) in order to allow the specified incoming TCP/IP connections.

Operating in Passive-Mode (PASV Mode) (RECOMMENDED)

Operating in PASV-mode is by far the best scenario, as no firewall configuration or understanding is needed on the client side. Smart FTP administrators will always set up their FTP servers to operate in PASV-mode, as they are usually the ones with a constant connection to the Internet, a static IP address and knowledge of firewall rules and TCP/IP routing.

If you can't get into the FTP Server using PASV-mode, get in contact with the Administrator and ask them to enable it. Chances are it was just an oversight and they'll happily enable the feature.

  1. Start BulletProof FTP Client from the Windows Start-Menu and make sure you can clearly see its main user interface. If you do not have BulletProof FTP Client installed on your computer, you can download a fully functional trial version from our website (http://www.bpftp.com).
  2. From BulletProof FTP Client's main user-interface, pull-down and select Options -> General Options....
  3. Check Use passive mode and click OK to save your changes.

If the administrator proves unresponsive, no problem! You're a smart and savvy Internet user; just proceed to the next step and configure your NAT/firewall for PORT mode.

Operating in PORT-Mode (Non-PASV Mode)

  1. Start BulletProof FTP Client from the Windows Start-Menu and make sure you can clearly see its main user interface. If you do not have BulletProof FTP Client installed on your computer, you can download a fully functional trial version from our website (http://www.bpftp.com).
  2. From BulletProof FTP Client's main user-interface, pull-down and select Options -> General Options....
  3. Make sure Use passive mode is not checked. Don't click OK just yet...
  4. Click on the tab labeled My IP.
  5. (Optional) If you have a static IP address or use a DDNS (Dynamic DNS) service (such as the one offered by http://www.dyndns.org), input the value here. I highly recommend that you look into this type of service, as most NAT/Firewall devices support it in their firmware and update the IP address behind the DNS entry on the fly!
  6. Click on the radio-button labeled Use only this port range and enter a range of TCP/IP ports. I recommend using 59,100 through 59,199, but you really only need 1 port per data connection. A range of 99 would allow you to run up to 99 FTP transfers at any given time. Click OK to save your changes.
  7. Now you must log in to your NAT/Firewall and set up Port Forwarding of the data-connection ports you defined in Step 6 to the internal IP address of the computer running BulletProof FTP Client.

Due to the vast number of NAT/Firewall devices on the market, you're going to need to break open the manual for your NAT/Firewall. For your convenience, the following URL will direct you to a website (not affiliated with BulletProof Software) that might help: http://portforward.com/english/applications/port_forwarding/FTP/FTPindex.htm.
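The following added example (not BulletProof's code) shows in working Python why the "hangs after ls/dir/get" symptom from the Problem section happens and what the PORT-mode steps above fix: it parses the server's PASV reply, builds the client's PORT command, and checks whether the announced data port falls inside the forwarded range from Step 6. The server reply and IP addresses below are constructed sample values, and PORT_RANGE assumes you used the recommended 59,100 through 59,199.

```python
# Added example: FTP data-connection direction in PASV vs PORT mode (RFC 959 syntax).
# PORT_RANGE assumes the range recommended in step 6; sample addresses are constructed.
import re

PORT_RANGE = range(59100, 59200)          # 59,100 through 59,199 (step 6)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv_reply(reply):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (host, port).
    In PASV mode the client opens the data connection OUT to this address,
    so only outbound access is needed on the client's firewall."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def build_port_command(client_ip, data_port):
    """Build the PORT command sent in active mode: the client listens on
    data_port and the server connects IN from its port 20. client_ip must be
    the public/DDNS address from the My IP tab, not the private LAN address."""
    octets = client_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("expected a dotted-quad IPv4 address")
    if not 0 < data_port < 65536:
        raise ValueError("port out of range")
    return "PORT %s,%d,%d" % (",".join(octets), data_port // 256, data_port % 256)

def active_transfer_will_hang(data_port, forwarded=PORT_RANGE):
    """True when the NAT has no forward for the port the client announced:
    the control channel (port 21) works, but the server's inbound data
    connection is dropped and ls/dir/get appear to hang."""
    return data_port not in forwarded

def firewall_requirement(mode, client_ip=None, data_port=None, pasv_reply=None):
    """Summarize which side opens the data connection for the given mode."""
    if mode == "PASV":
        host, port = parse_pasv_reply(pasv_reply)
        return {"client_opens": True, "remote": (host, port), "inbound_forward": None}
    cmd = build_port_command(client_ip, data_port)
    return {"client_opens": False, "command": cmd, "inbound_forward": data_port,
            "hangs": active_transfer_will_hang(data_port)}

if __name__ == "__main__":
    # Constructed sample: server offers 203.0.113.10 port 4000 (15*256+160).
    print(firewall_requirement("PASV", pasv_reply="227 Entering Passive Mode (203,0,113,10,15,160)"))
    print(firewall_requirement("PORT", client_ip="203.0.113.5", data_port=59100))   # forwarded
    print(firewall_requirement("PORT", client_ip="203.0.113.5", data_port=51234))   # will hang
```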


Q & A

Q: Is any configuration necessary on the client at all?
A: Yes. If a client cannot connect to a server, it is not necessarily the server's problem. The client must be able to make a connection to the server's port 21. This should be easy enough, and it is probably already the default for most users. The client should be able to accept connections on *any* port (active FTP), so the router should forward all ports, OR be able to MAKE connections to any port on the server (passive FTP).

Q: I cannot configure my router to forward all ports; either it is outside my control or I cannot figure it out. Besides, it is a major security issue to do this, I will be completely unprotected!
A: True. If you have a personal firewall on the client, you can configure it to accept connections coming from port 20 only, and to only allow the FTP client to accept those connections. You can also figure out what the ephemeral port range is on your system, and then just open up that range. (An ephemeral (or dynamic) port is a temporary, short-lived port, assigned to the application by the IP stack, taken from a specified pool.)

Q: Still, it is impossible for me to do, so I just cannot get active FTP to work. What do I do?
A: You rely on passive FTP. You must use the BPFTP client program, which can be configured to use passive FTP. When using passive FTP, the client is only required to be able to make a connection to any port on the remote server, not just port 21. However, this should be easy enough. (This situation is what makes the router configuration difficult on the server side.)

Q: I am one of the lucky ones to have control over my router, and active FTP might just work if I use port triggering, right?
A: That is right. You will have to figure out the system's ephemeral port range, and then have the router forward these ports whenever it sees an outbound connection to a remote server's port 21.
