Firewall – FTP Active/Passive not working like I expect

firewallftppassive

So I've got an interesting issue at the moment. I'm attempting to use curl (7.15.5 on CentOS) to retrieve a file from a remote FTP server. Our client changed something last weekend, because it worked on Friday and doesn't now.

I can FTP in using the CLI client, and get a directory listing just fine, although I have to issue "passive" to turn passive mode off. If I don't, I get

421 Service not available, remote server has closed connection
Passive mode refused.  Turning off passive mode.
No control connection for command: Transport endpoint is not connected
ftp>

Alright. Obviously, passive mode needs to be disabled. I've read the man page a few times and I understand that I need to use -P to specify "active" mode, however from the documentation it seems like this will open a port on the client (my) machine for the data to stream to. Since it's behind a firewall, this won't work.

This tells me that I misunderstand something, because the CLI client works in active mode.

Help me serverfault-kenobi, you're my only hope.

Best Answer

This link explains Active vs Passive very well.

Related Solutions

Firewall – problem with passive FTP behind cisco asa firewall

Ancient topic, but I ran into similar problems recently and figured my $.02 might help somebody.

In my case, we're running IIS 7.5 behind a slightly older version of ASA, which we're in the process of replacing. We have an existing FTP site and my plan was to simply add FTPS support with the certificate & maybe getting our network admins to open up a few ports. IIS has a similar masquerade setting for each FTP site named "External IP Address of Firewall", which is, itself, misleading.

the TL/DR version: If your FTP server allows you to specify a masquerade IP & a range of ports used for PASV connections, you SHOULD be able to fix this by opening up those ports & disabling ftp inspection.

Due to some some other constraints, I wasn't able to get inspection disabled on our ASA, so I had to make some compromises. Here's what I observed/learned:

The ASA can only inspect non-encrypted traffic. duh?
The default behavior of the ASA is to inspect a number of protocols, including FTP.
the client authenticates on server port 21 and determines the feature set supported by the server.
The client, if so configured, will send a PASV request to the server
The server will respond with "227 entering passive mode (a,b,c,d,e,f)" where a.b.c.d is the server address and e*256 + f = port number
The a.b.c.d address will be the internal IP unless the masquerade address is configured
the FTP inspection will rewrite the a.b.c.d address to the external IP and open up the specified port for this client.
If the a.b.c.d address IS the external address, the response packet is discarded. *This might be due to the strict option, which I could not verify.
CuteFTP will recognize a non-routable IP in the PASV response and attempt to use the server's external address instead.
the ASA can't read the SSL-encrypted FTPS traffic, so it bypasses the inspection and works.

So in our case, when I set the masquerade IP, I was able to connect just fine via FTPS, but regular FTP would fail. When I removed the masquerade IP, I was still able to connect to both FTP and FTPS using CuteFTP, but our primary client wasn't able to connect to FTPS. (their system wasn't "smart" enough to translate the non-routable IP...)

So my lame workaround was using two separate sites: one that used a masquerade IP and required SSL, the other site that didn't.

TMI, but maybe it helps somebody work through this.

Iis – Passive ftp on Server 2008

In the command prompt of the server, enter these two commands to open the firewall:

First command:

netsh advfirewall firewall add rule name="FTP (non-SSL)" action=allow protocol=TCP dir=in localport=21

Second command:

netsh advfirewall set global StatefulFtp enable

In Amazon EC2, you also have to set up a security group to open the passive ports, such as 1025 to 7000.

Related Topic