Server Firewall Setup
From BulletProof Wiki
Introduction
BulletProof FTP Server fully supports network environments where the computer running the software is behind a network Firewall/NAT. Beginners should read our short tutorial on how FTP works and what role the server plays in its function.
Problem
Typically, firewalls do not let any incoming connections through at all. When an incorrectly configured firewall protects an FTP server, connections from FTP clients appear not to work at all, for both active and passive FTP.
Background
The File Transfer Protocol (FTP) was designed back in 1985 to facilitate early file transfers on the Internet. This robust and elegant protocol allows files to be transferred from server to client and from client to server. However, being over 20 years old, the protocol is not without its downsides: its firewall/NAT traversal is highly confusing and can be pretty technical. Not to fear! With a bit of terminology and some guidance, this "HOW-TO" will help you set up BulletProof FTP Server in no time!
Requirements
To configure BulletProof FTP Server correctly you must have the following information and access:
- Administrative access to the computer running the software (Windows Administrative Privileges)
- Administrative access to the network Firewall/NAT appliance (Linksys, Netgear, Cisco, etc)
- BulletProof FTP Server (http://www.bpftpserver.com) installed and running on the intended computer
BPFTP Server PASV Setup
Setting up BulletProof FTP Server to operate in Passive Mode (PASV mode) is very easy; however, you will need to break out the manual for your Firewall/NAT appliance (Linksys, Netgear, Cisco, etc) in order to allow the specified incoming TCP connections.
- Start BulletProof FTP Server from the Windows Start-Menu and make sure you can clearly see its main user-interface. If you do not have BulletProof FTP Server installed on your computer, you can download a fully functional trial version from our website (http://www.bpftpserver.com).
- From BulletProof FTP Server's main user-interface, pull-down and select Select -> Main -> General.
- On the left-hand side, click on the TreeView menu-option Multi IP Settings -> Passive Mode.
- On the right-hand side, check the box labeled Use passive mode IP and then select Fixed IP or Dynamic IP:
- Fixed IP: If your Internet connection has a static IP, enter the public IP address of your network connection. To find your public IP address, use the BulletProof IP Watcher from the Windows Start-Menu.
- Dynamic IP: If your Internet connection obtains its IP address via DHCP, we recommend that you use a DDNS service such as DynDns.org and enter the assigned hostname.
- On the right-hand side, enter the Passive Port Range. When a client requests passive mode, the server picks a free port from this range and sends it to the client in the PASV reply just before the data connection is established, so the same range must also be forwarded by your Firewall/NAT (see the Q & A below). Make the range large enough for the number of concurrent data connections you expect, and make sure no other program listens on those ports. I typically use the range 6900 to 6909, which allows 10 concurrent data connections, but you can use any values you wish.
- Click OK to save your changes and BulletProof FTP Server is now setup to allow PASV-mode connections!
Why PASV Poses Problems for Firewalls
When an FTP server is behind a firewall, there can be problems when FTP clients try to use passive mode to connect to an ephemeral port number (temporary random port number) on the FTP server machine. The most common problem is when the firewall the FTP server is behind is strict, i.e. the firewall allows only a few well-known port numbers in and denies access to all other ports.
- Solution 1: The network administrator of the server network can configure the firewall to allow in the range of ports the FTP server actually hands out in PASV replies. If the server has a Passive Port Range configured (as described above), that is the range to open; otherwise it is the ephemeral port range of the server machine itself, whose default varies with the operating system -- not the ephemeral ports of the firewall. Ideally the firewall should allow that range only towards the FTP server machine and nothing more. Also double check that no other TCP service on the FTP server machine listens on a port inside that range, because such a service would become reachable from the Internet as well.
- Solution 2: The network administrator of the server network can consult the firewall vendor's documentation to see whether FTP sessions can be inspected and ports opened dynamically when a passive data connection is negotiated. This is the server-side counterpart of what intelligent network address translation software does on the client side for PORT: the firewall watches the FTP control connection and, when it sees the server's PASV reply, opens the advertised port for that transfer.
Why PASV Poses Problems for FTP Servers on Internal Networks
The other server-side problem that can occur is when a client is trying to access an FTP server on an internal network protected by a routing device. Because a server response from PASV includes an IP address and port number, if this IP address corresponds to a private network then the client will not be able to connect to that private address.
- Solution 1: The network administrator of the server network can consult the routing device vendor's documentation to see if FTP connections can be dynamically monitored and dynamically replace the IP address specification for packets containing the PASV response.
Why PASV Poses Problems for FTP Servers behind Load-Balancing Routers
Load-Balancing Routers can allow an administrator to expose a single IP address and delegate connections among multiple identical slave servers. This is similar to Redundant Arrays of Inexpensive Disks (RAID), only instead of disks the array is of TCP/IP servers. Load Balancing provides two challenges for FTP.
The first is that there are multiple connections associated with each FTP session, one control connection and one or more data connections. For PASV data connections to work, the load balancer must be able to send the connection from the client to the same slave server that is handling the control connection.
The second problem, which is related to the first, is that when a slave server replies with the PASV response, the PASV response's IP address must be accessible to the remote client.
- Solution 1: The network administrator of the server network can give each slave server a valid externally accessible IP address. The external IP address of the load balancer could be used as the preferred address, but having each slave server have its own external IP address would allow PASV data connections to connect directly to the slave server without requiring traffic from slaves to pass through the load balancer. It also means that the load balancer does not need to do any special automatic handling of FTP.
- Solution 2: The network administrator of the server network can consult the load balancing router vendor's documentation to see if FTP connections can be handled automatically so that the PASV reply is dynamically rewritten to contain the external IP address of the load balancer.
- Solution 3: If the routing device isn't intelligent enough to take special care of FTP sessions, but has the ability to always forward traffic from the same remote client IP address to the same internal server IP address, then the network administrator of the server network may be able to configure the FTP server software to spoof the address it uses for PASV replies.
For example, BPFTP Server has an option to let you specify an IP address to use for PASV replies rather than the real IP address of the machine. You could use this option to have BPFTP use the external IP address of the routing device and hope that packets sent to that address would be forwarded to the internal IP address of the FTP server machine.
Why PORT Poses Problems for Routing Devices
The biggest problem caused by FTP client programs choosing "PORT" to negotiate FTP data connections is that the server must then connect out to the client's IP address. For restrictive firewalls it is desirable to forbid all incoming connections, so using PORT causes the incoming connection from the server to fail.
Another big problem arises when a client program sits behind a routing device that performs network address translation for an internal network. When it uses PORT, the client tells a server on the external network to connect to an address on the client's internal network. That almost always results in the routing device denying the connection, or in the connection failing completely if the address is an RFC 1918 private address (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16). In either case the client user typically experiences a discarded connection, which is very frustrating because the client program just locks up until the connection is considered permanently timed out.
- Solution 1: The client user should configure their FTP client program to use PASV rather than PORT. Using passive mode may not solve the problem if there is a similar restrictive firewall on the server side.
- Solution 2: A better solution is for the network administrator of the client network to use high-quality network address translation software. Devices can keep track of FTP data connections, and when a client on a private network uses "PORT" with an internal network address, the device should dynamically rewrite the packet containing the PORT and IP address and change the address so that it refers to the external IP address of the routing device. The device would then have to route the connection incoming from the remote FTP server back to the internal network address of the client.
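Both the PASV reply and the PORT command carry the same h1,h2,h3,h4,p1,p2 encoding, and the failures described in the sections above (a private address that the remote peer cannot reach, an advertised address that differs from the one the control connection actually uses, a port the firewall does not forward) can all be spotted by inspecting that encoding. The following Python is an added example, not code from BulletProof FTP Server; the messages, addresses and the 6900-6909 range in it are constructed for illustration.

```python
"""Check the address and port advertised inside an FTP data-connection
negotiation.  Added example, not BulletProof FTP Server code.  It handles
both directions discussed above: the server's
"227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." reply and the client's
"PORT h1,h2,h3,h4,p1,p2" command.  The port is p1*256 + p2.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# The six comma-separated fields appear in both the PORT command and the 227 reply.
_FIELDS = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# RFC 1918 private address space; a peer on the public Internet cannot route to it.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Endpoint(NamedTuple):
    host: str
    port: int


def parse_endpoint(message: str) -> Endpoint:
    """Extract host and port from a PORT command or a 227 PASV reply."""
    m = _FIELDS.search(message)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 fields in {message!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field larger than 255 in {message!r}")
    host = ".".join(str(f) for f in fields[:4])
    return Endpoint(host, fields[4] * 256 + fields[5])


def is_rfc1918(host: str) -> bool:
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in _RFC1918)


def check_endpoint(message: str, control_peer: str,
                   forwarded_range: Optional[Tuple[int, int]] = None) -> List[Tuple[str, str]]:
    """Return (code, explanation) pairs, one per problem found.

    control_peer:    the address of the other side as seen on the control
                     connection (the server's public address when a client
                     checks a 227 reply, the client's public address when a
                     server checks a PORT command).
    forwarded_range: (first, last) ports the firewall/NAT forwards to the
                     server; only meaningful when checking a 227 reply.
    """
    ep = parse_endpoint(message)
    problems = []
    if is_rfc1918(ep.host):
        problems.append(("rfc1918", f"{ep.host} is a private address; a remote peer cannot connect to it"))
    if ep.host != control_peer:
        problems.append(("peer-mismatch", f"advertised {ep.host} but the control connection uses {control_peer}"))
    if forwarded_range is not None:
        lo, hi = forwarded_range
        if not lo <= ep.port <= hi:
            problems.append(("port-not-forwarded", f"port {ep.port} is outside the forwarded range {lo}-{hi}"))
    return problems


if __name__ == "__main__":
    # Constructed messages, not captured from a real session.
    # 26*256 + 244 = 6900, the first port of the range used earlier on this page.
    good = "227 Entering Passive Mode (203,0,113,10,26,244)."
    leaked_private = "227 Entering Passive Mode (192,168,1,50,26,244)."
    nat_client = "PORT 10,0,0,7,4,1"          # 4*256 + 1 = 1025
    for msg, peer, rng in ((good, "203.0.113.10", (6900, 6909)),
                           (leaked_private, "203.0.113.10", (6900, 6909)),
                           (nat_client, "198.51.100.20", None)):
        print(msg, "->", parse_endpoint(msg), check_endpoint(msg, peer, rng) or "ok")
```

Run against the 227 reply of a server whose Passive Mode IP is misconfigured, the "rfc1918" and "peer-mismatch" findings are exactly the two conditions the sections above describe; the "port-not-forwarded" finding is the one a firewall with the wrong range would produce silently as a hung data connection.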
NAT Routers and Windows Firewall
Connecting To The Server While Inside The LAN
A frequent problem people experience when running BulletProof FTP Server behind a NAT router is the following error message: '530 PASV Command Only Accepts Connection From Client IP Address'. This happens when you try to access the server from inside the LAN by using the public IP address (i.e. the address of the NAT router): the message means the passive data connection reached the server from a different IP address than the one the control connection came from, which is what happens when a LAN client's traffic is looped back through the router. The solution is to use the internal IP address when inside the LAN.
Connecting To The Server While Outside The LAN
- Help with Linksys Routers:
How do I set up an FTP server behind the Router so machines from outside my network can use it?
How to use Port Forwarding for your FTP server.
- Help with NetGear Routers:
How Do I Make an FTP Server on My Private LAN Visible to the Internet?
- Help with D-Link Routers:
How can I host an FTP Server behind my router?
How do I disable or turn off the firewall on my router?
Windows Firewall Configuration
Problem: I installed Windows XP SP2 and now I can't connect to the server. Resolution: To help provide security for your Windows XP SP2-based computer, Windows Firewall blocks unsolicited incoming connections. This includes the ports an FTP client needs to reach the server. To use the server with Windows XP SP2 you must configure Windows Firewall to allow incoming connections on port 21 by doing the following:
- Open Windows Security Center in the Control Panel.
- Click or launch Windows Firewall under the heading Manage security settings for.
- Click the Exceptions tab and then click Add Port.
- Enter FTP in the Name box.
- Enter 21 in the Port box.
- Leave TCP selected and click OK.
Note: This exception covers only the control connection on port 21, so your FTP client must be set to Port (active) mode in order to connect. To allow passive mode as well, the server must also be able to receive connections on its Passive Port Range: either add the server program itself as an exception (Add Program on the same Exceptions tab) or add a port exception for each port of the range. To adjust your Windows Firewall configuration please visit this link: http://www.microsoft.com/windowsxp/using/security/internet/sp2_wfsettings.mspx
Q & A
Q: What configuration is needed in the FTP server program itself?
A: Two things. First, a passive port range must be selected. We recommend choosing a range of at least several hundred ports starting at 1025 or above, and a range not used by other programs. To find out which ports are in use, run "netstat -an" from a command prompt or use TcpView from Sysinternals. Note that while the FTP server is running, its port range will not show up in these tools as in use: the server does not allocate a port from the range until it actually needs one.
Second, you must tell the FTP server its external IP address. You probably sit behind a router, which gives you a private IP address such as 192.168.x.x, but the server needs to know how it looks from the client's side, so it must be told the public IP address used by the router. Some routers, however, are able to recognise the PASV reply and automatically substitute the private IP address with the public one before passing the reply on to the client.
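The "netstat -an" check in the first part of the answer above can be automated: instead of reading the listing by eye, try to bind each port of the candidate range and treat a bind failure as a conflict. The script below is an added example, not BulletProof FTP Server code; the 6900-6909 range is the one used earlier on this page, and the helper that opens a listening socket only stands in for some other program that already owns a port.

```python
"""Find TCP ports in a candidate passive port range that are already
taken on this machine.  Added example, not BulletProof FTP Server code.
It does the same job as reading "netstat -an": each port is probed with
a bind(), and EADDRINUSE means something already owns it.
"""
import errno
import socket
from typing import List, Tuple


def port_is_taken(port: int, host: str = "0.0.0.0") -> bool:
    """True if bind() on host:port fails because the port is in use
    (or, for ports below 1024, because this user may not bind it)."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # No SO_REUSEADDR on purpose: we want the strict answer.
        probe.bind((host, port))
        return False
    except OSError as exc:
        if exc.errno in (errno.EADDRINUSE, errno.EACCES):
            return True
        raise
    finally:
        probe.close()


def taken_ports(first: int, last: int, host: str = "0.0.0.0") -> List[int]:
    """Ports in [first, last] that the FTP server could not use."""
    return [p for p in range(first, last + 1) if port_is_taken(p, host)]


def occupy_port(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Listen on an OS-chosen port; stands in for another program that
    already owns a port inside the range.  The caller closes the socket."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind((host, 0))
    holder.listen(1)
    return holder, holder.getsockname()[1]


if __name__ == "__main__":
    first, last = 6900, 6909          # the range used earlier on this page
    print("taken in %d-%d:" % (first, last), taken_ports(first, last) or "none")
    holder, p = occupy_port()          # simulate a conflicting listener
    print("with a listener on %d:" % p, taken_ports(p - 1, p + 1, "127.0.0.1"))
    holder.close()
```

Run it before forwarding the range on the router; any port it reports is one that would otherwise be exposed to the Internet on behalf of whatever program currently holds it, which is the conflict the answer warns about.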
Q: If I use a personal firewall on the server box, like the built in XP firewall, what do I need to configure?
A: You need to allow the FTP server to communicate on the Internet and to receive connections. For port-oriented firewalls, the server receives connections on port 21 and on the entire passive port range chosen. In active mode it also makes outbound connections from port 20 to whatever port the client specified.
Q: Which ports do I need to open on the router?
A: The router will need to forward port 21 and the entire chosen passive port range. This is why it is a good idea to choose a range not used by any other application; otherwise those applications become visible from the Internet. Forwarding such a large range could be seen as a security issue, but if no other program listens on those ports it only becomes a problem once a trojan gets inside, and then you are in trouble anyway. Forwarding a single wrong port (like 445) is far more dangerous than forwarding an entire range of "unused" ports.
Q: Can't I use "port triggering" on the router to protect the port range a bit better?
A: No. Port triggering opens ports for a single client when the router detects an outbound connection to that client on a specific port. For FTP the ports would have to be opened when an inbound connection is detected on port 21, which is the reverse situation. Some more advanced routers are FTP-aware and open the appropriate port based on what they read from the control connection between the server and the client (for passive FTP, the server sends the port number to the client in its PASV reply).