Active FTP



  • So, here is my issue.  Just about every large-scale scanner/printer I have run into in the last 10 years uses Active FTP.  Obviously the reason they can't use Passive FTP is because that would make life easy.

    I have PFSense firewalls on both sides.

    Side A: Scanner/Printer + Client network
    Side B: FTP server

    I don't want to DMZ the scanner (seems like it could be abused) nor do I want to set up a VPN from side A to B (security risk).  How can I make this work?


  • Rebel Alliance Global Moderator

    On side A allow from side B IP and source port 20 traffic and on side B set up outbound static port NAT.  So after the NAT traffic will still be coming from source port 20.



  • … nor do I want to setup a VPN from side A to B (security risk)

    You can limit the tunnel to the involved hosts also by firewall e.g. such that only the scanner has access to the FTP server via the VPN tunnel, and there's no need to route the complete network. Will be more secure than using unencrypted FTP, which I assume it is, over the Internet.



  • @johnpoz:

    On side A allow from side B IP and source port 20 traffic and on side B set up outbound static port NAT.  So after the NAT traffic will still be coming from source port 20.

    Johnpoz, this sounds like a great idea, however I think you typed this quickly as it seems to be missing some information.  Could you elaborate in detail?

    Thanks!



  • Did you try the native built-in FTP proxy on pfSense?

    One simple rule allowing port 21 on the starting traffic interface could do the job.



  • @marcelloc:

    Did you try the native built-in FTP proxy on pfSense?

    One simple rule allowing port 21 on the starting traffic interface could do the job.

    Unless I'm gravely mistaken, the FTP proxy only works correctly with Passive FTP.  Additionally, I've already tried.



  • Ok, here was my solution, although it sounds like there might have been other solutions available.  Our FTP server is just one of several servers behind the pfSense firewall on side B.  Therefore, it was given a virtual IP.  Outgoing connections on side B go out through the main firewall IP address, but incoming connections to that FTP server go in through the virtual IP address.  Therefore, we created a NAT + Firewall rule on side A that routes ports 1-65535 to the printer when the connection comes from the main firewall IP address on side B.

    This seems like such a broken and poor way to do this, but it seems better than VPNing the systems together as far as security goes. Johnpoz sounded like he had an idea, but either he left out some critical details or I'm missing something as I have tried combinations of what it seems like he was saying to no effect.  Perhaps if Johnpoz comes back to this thread, he can expand upon his idea in detail so I can understand.  My solution will obviously only work in very specific situations so it would be nice to see a solution that was designed for a larger variety of equipment configurations.


  • Rebel Alliance Global Moderator

    So your printer is making the connection right?  Is it doing active or passive?

    If it is using active then it would tell the server some random port to come back on from source port 20 on the server side.

    In a passive connection the server would give it some random port and the client would connect to this random port from some random port on its side.

    Here is a good writeup on active passive ftp connections.
    http://slacksite.com/other/ftp.html

    What is your printer using, can you change it to use either?  And then I would be happy to give you an exact drawing with examples of what I was thinking.  Here is a basic drawing we can work with - so if you can fill in the details of what the private network is on side A, and what the private network is on side B.  And maybe some example public networks we can work with - say 24.13.a.x and 24.13.b.x, and for understanding what FTP server software you're running we can walk through the exact sort of setup.

    An important piece of the puzzle is your printer/client using active or passive.  And if it can be set to use one or the other.  Any way the printer can do SFTP vs FTP?  SFTP just uses your SSH port, normally 22, and no need for any weird stuff.  What specific printer is it?




  • @johnpoz:

    So your printer is making the connection right?  Is it doing active or passive?

    If it is using active then it would tell the server some random port to come back on from source port 20 on the server side.

    In a passive connection the server would give it some random port and the client would connect to this random port from some random port on its side.

    Here is a good writeup on active passive ftp connections.
    http://slacksite.com/other/ftp.html

    What is your printer using, can you change it to use either?  And then I would be happy to give you an exact drawing with examples of what I was thinking.

    The printer, like many Sharp and older Ricoh printers, is using Active FTP.  If it was using passive FTP, it would be simple to set up, however due to (what I'm guessing is insanity during the design phase) I have encountered more industrial printers that use active FTP than ones that support passive FTP.

    Here is the step by step of what is happening.

    1. User scans file and sends file to server.
    2. Scanner attempts to connect to server.
    3. Scanner authenticates via FTP to remote FTP server.
    4. Scanner attempts to open a data-connection.
    5. Scanner tells FTP server to connect BACK to the scanner on a random port(s) above 1023.
    6. FTP server connects back to the scanner and attempts to grab the file stream for placement.
    7. File finishes uploading and data connection closes.  Scanner disconnects from FTP server.

    From the diagram on page: http://slacksite.com/other/ftp.html it seems like what you might have been saying is that we can setup a rule that states that connections that come FROM port 20 on side B (FTP server side) should be allowed route to the scanner.  This would remove the requirement for ports 1-65535 to be routed and should still work… correct?



  • @johnpoz:

    What is your printer using, can you change it to use either?  And then I would be happy to give you an exact drawing with examples of what I was thinking.  Here is a basic drawing we can work with - so if you can fill in the details of what the private network is on side A, and what the private network is on side B.  And maybe some example public networks we can work with - say 24.13.a.x and 24.13.b.x, and for understanding what FTP server software you're running we can walk through the exact sort of setup.

    An important piece of the puzzle is your printer/client using active or passive.  And if it can be set to use one or the other.  Any way the printer can do SFTP vs FTP?  SFTP just uses your SSH port, normally 22, and no need for any weird stuff.  What specific printer is it?

    Yes, that would be a great solution to switch it to passive FTP or to set it up for SFTP.  I wish I could do either.


  • Rebel Alliance Global Moderator

    Ok so you're using active.  Which means the client sends some random port and the server will connect to your client on that port from port 20.

    The issue is, that on site B the server's source port is 20.  But after it goes through NAT that port could be random.  Which is why you need to set up a static port NAT.  In a normal NAT setup you run into this – these are source ports going to say port 1028 on server from client

    privateip:20 --->public:2028 (NAT router) publicIP:randomPORT ---> public:2028

    Now to be honest your ftp helper on side A should allow for this and send the traffic in to your client.  No matter what the source port is.

    All you really should have to do is setup site B to forward 21 to your server - you could lock this down so only site A IP is allowed.

    When your server comes back to site A -- your ftp helper should allow the connection back in.  I don't have any problems using active pfsense from behind a nat.  Now if you lock down B to only allow specific ports outbound you might have issues?  What are your lan rules on site B?  Do you allow all outbound ports?  Even if you do not, just allow all outbound ports to site A IP from source of your ftp server private IP on your lan rules and you should be good.

    What version of pfSense are you using btw?  I know I have no problems with active connections to FTP server from my clients - I am using 2.1 version of pfSense.  Let me make a test connection to show you.

    edit:  So here is an active connection to a server on the public internet from a client behind NAT

    Status: Resolving address of snipped.net
    Status: Connecting to 173.xx.xx.xx:21...
    Status: Connection established, waiting for welcome message...
    Response: 220 snipped FTP Server
    Command: USER johnpoz
    Response: 331 Password required for johnpoz
    Command: PASS **********
    Response: 230 User johnpoz logged in
    Command: SYST
    Response: 215 UNIX Type: L8
    Command: FEAT
    Response: 211-Features:
    Response: MDTM
    snipped for brevity
    Response: REST STREAM
    Response: SIZE
    Response: 211 End
    Command: OPTS UTF8 ON
    Response: 200 UTF8 set to on
    Status: Connected
    Status: Retrieving directory listing...
    Command: PWD
    Response: 257 "/" is the current directory
    Command: TYPE I
    Response: 200 Type set to I
    Command: PORT 192,168,1,100,98,136
    Response: 200 PORT command successful
    Command: MLSD
    Response: 150 Opening ASCII mode data connection for MLSD
    Response: 226 Transfer complete
    Status: Directory listing successful

    So you see there where the client sent its private IP of 192.168.1.100 on port (256x98+136 = 25224)

    And the pfSense helper changed that IP to my public one, and allowed the connection back into my client.  Unless you're blocking outbound connections on your side B, you should have no issues.  And the only rule you should need is forward 21 on side B, and allow the ports outbound on your side A

    So I just looked in my states after doing a few refreshes, so the PORT command changes every time you make a data connection.

    192.168.1.100:25238 <- 24.13.xx.xx:25238 <- 173.xx.xx.xx:20

    Notice how the public port is the same as the private port - that is doing a static NAT.  That is not always the case; in a NAPT NAT setup you could have something like this in the state

    192.168.1.100:2283 <- 24.13.xx.xx:25238 <- 173.xx.xx.xx:20
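    The step-by-step above (scanner tells the server which port to connect back to) and the PORT arithmetic in this log both come down to decoding RFC 959's `PORT h1,h2,h3,h4,p1,p2` line. The following is an added example, not code from the thread or from pfSense: it decodes PORT commands from a constructed control-channel log, shows the IP rewrite a NAT helper performs under static port NAT, and derives the one inbound flow (server:20 to client:port) that the side A firewall has to permit. The server and public IPs are placeholders.

```python
import re
from ipaddress import IPv4Address

# Constructed sample: the PORT lines from the log above, plus a second refresh,
# since the client picks a new data port for every data connection.
SAMPLE_LOG = """\
Command: TYPE I
Response: 200 Type set to I
Command: PORT 192,168,1,100,98,136
Response: 200 PORT command successful
Command: MLSD
Response: 226 Transfer complete
Command: PORT 192,168,1,100,98,150
Response: 200 PORT command successful
"""

PORT_RE = re.compile(r"^Command:\s+PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$")

def parse_port_arg(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' into (IPv4Address, port); port = p1*256 + p2."""
    fields = [int(x) for x in arg.split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError(f"malformed PORT argument: {arg!r}")
    ip = IPv4Address(".".join(str(f) for f in fields[:4]))
    port = fields[4] * 256 + fields[5]
    # The thread's clients always ask for a port above 1023; a helper that
    # refuses privileged ports avoids being used to reach services on them.
    if port <= 1023:
        raise ValueError(f"client asked for privileged data port {port}")
    return ip, port

def rewrite_port_arg(arg, public_ip):
    """What the NAT helper does under static port NAT: swap the private IP for the
    public one and keep the port unchanged, so the state 'public:port <- server:20'
    maps straight back to 'private:port'."""
    _, port = parse_port_arg(arg)
    octets = str(IPv4Address(public_ip)).split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)])

def expected_data_connections(log, client_ip, server_ip, public_ip):
    """For each PORT command, return the inbound flow side A must allow:
    from (server_ip, 20) to (public_ip, port), forwarded on to (client_ip, port).
    PORT lines naming an address other than the client's own are rejected (bounce check)."""
    flows = []
    for line in log.splitlines():
        m = PORT_RE.match(line)
        if not m:
            continue
        ip, port = parse_port_arg(m.group(1))
        if ip != IPv4Address(client_ip):
            raise ValueError(f"PORT names {ip}, but control connection is from {client_ip}")
        flows.append({"src": (server_ip, 20), "dst": (public_ip, port), "client": (client_ip, port)})
    return flows
```

    A firewall rule that matches only on the source `server_ip:20` (rather than opening 1-65535) is enough precisely because the destination port is learned from the control channel, which is the work the helper does.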


Locked