SSL FTP through the firewall using FileZilla

I've confirmed that the firewall is the issue here. I can make the SSL FTP connection, but when FileZilla tries to do a directory listing, it's blocked because that (random) port isn't open. When I try the connection behind the firewall, everything's hunky dory.

Has anyone else experienced this, and if you did, were you able to get past it?
******************************************************************************

Normally, the FTP control connection is on port 21. Though, there's another port that's sometimes used for SSL FTP. (But not always!)

In active FTP, the "origin" (or "source") port number for data connections should always be 20 -- so if that's allowed through your firewall, you should be okay.

Unfortunately, many people will read my previous statement and assume that I mean something different from what I just said. Whenever you make a TCP connection (regardless of what application protocol you're using) there's always TWO ports involved. There's the origin port (the port used by the program that's originating the connection) and the destination port (the port that it's connecting to.)

Normally, we don't give much thought to the origin port. Usually, the firewalls are configured according to the destination port. That would be port 21 for the FTP control channel, port 23 for telnet, port 80 for HTTP, etc. These are the well-known port numbers. Normally the origin port is selected by the operating system at random, and it's not used, certainly never used in a firewall configuration.

However, FTP is one exception. FTP's data channels, when in ACTIVE mode, will always have an ORIGIN of 20, and use a random port for the destination. That's backwards of the way everything else works! But, you SHOULD be able to configure your firewall so that anything that's going FROM port 20 on the Internet, to a random port on your network is allowed. (As opposed to the normal circumstance of FROM a random port on your network TO a fixed port on the Internet.)

Unfortunately, I only know for sure that plain-text FTP works that way; I don't know for sure that SSL FTP works that way, but I would assume so. (You should be able to tell by looking at the connection statuses.)

The more common alternative (which I already suggested) is to allow ALL outgoing connections from your network, but only block incoming ones. In that scenario, passive mode will work just fine.

Note that if you're using NAT, the passive mode solution will work, but the active mode (port 20) solution WON'T because NAT will re-map the IP addresses and ports, which will confuse FTP. A good NAT implementation will sniff the packets looking for the port number being sent, and will change it in the TCP packets as well, but this doesn't work with SSL because of the encryption.

So if you're using NAT, you'll want to use passive mode, and allow all outgoing connections from your firewall.

I guess the final alternative is to figure out the range of ephemeral ports that IBM uses in their FTP software, and open them all through your firewall. I know that FreeBSD (a free variant of Unix, much like Linux) lets you control what the ephemeral port range is -- but as far as I know, IBM doesn't let you control that in i5/OS, nor do they tell you what the range is. So that's hard to work with.

This is one reason why so many people use SSH or HTTP instead of FTP/SSL for sending secure documents. This port number business really messes up firewalls.

******************************************************************************
You might also be interested in the following APAR from IBM:

Abstract
FTP Clear Command Channel

Error Description
With the support of FTP using SSL/TLS, a NAT firewall can no longer look at/change the information passed on an FTP control connection.

Problem Summary
With the support of FTP using SSL/TLS, a NAT firewall can no longer look at/change the information passed on an FTP control connection.

Problem Conclusion
FTP client subcommand CCC

FTP supports two kinds of transmission modes: the clear text mode and the encrypted mode. If you use the clear text mode in an FTP control connection, you take the risk of exposing your sensitive information to an intruder. If you use the encrypted mode, the firewall is not able to monitor or change the information sent within the FTP control connection. Thus the firewall cannot perform some functions such as network address translation.

The Clear Command Channel (CCC) subcommand changes the transmission mode in a control connection from the encrypted mode to the clear text mode. Thus, you can secure sensitive information including your user name and password by sending them in the encrypted mode in the control connection. Then you can use the CCC subcommand to change to clear text mode to send the port and IP information.

Note: After using the CCC subcommand, you will send all your information in the clear text mode in the control connection. If the names of files or directories on your system contain sensitive information, be aware that any names sent on the control connection after running the CCC subcommand are not protected. However, the data connection transmission mode remains intact and the data transfer that happens afterward is still secure.

Customers can either allow or disallow an individual user to use CCC by granting the private authority to QIBM_QTMF_CLIENT_REQ_10 via the CHGFCNUSG command or via iSeries Navigator Application Administration support.

For example:
CHGFCNUSG FCNID(QIBM_QTMF_CLIENT_10) USER(user) USAGE(*ALLOWED)

FTP Server Subcommand CCC

When FTP server receives a Clear Command Channel (CCC) subcommand, it first checks whether or not the current user has the authority to perform the CCC command. If the user has the authority, it then accepts the command by sending a confirm message back to the FTP client side, then the FTP server changes the transmission mode in a control connection from the encrypted mode to the clear text mode.

The Clear Command Channel (CCC) subcommand changes the transmission mode in a control connection from the encrypted mode to the clear text mode. Thus, you can secure sensitive information including your user name and password by sending them in the encrypted mode in the control connection. Then you can use the CCC subcommand to change to the clear text mode and send the port and IP information.

Security Concerns:

Note that there are potential security/integrity exposures with using the CCC approach as compared to full encryption of the control connection.

First, this results in file and directory names on the FTP server to be subject to interception. It is possible that such names themselves could contain sensitive or confidential information.

Second, IP address/port information transferred on the control connection is subject to interception by hackers.

Finally, some other "direct" TCP attacks on an FTP server, or using an FTP server to attack other systems, are completely eliminated when a secure control connection is used. Some of those are now again possible when the control connection reverts to "clear" mode.

Because of these concerns, usage of the CCC subcommand is controlled using the i5/OS Function Usage interface, and the default setting for CCC is *DENIED for the FTP server.

To allow an individual user logged into the FTP server to use the CCC subcommand for ending protection of the control connection, give *ALLOWED usage to the QIBM_QTMF_SERVER_REQ_10 function via the CHGFCNUSG command or iSeries Navigator Application Administration support. For example:

CHGFCNUSG FCNID(QIBM_QTMF_SERVER_REQ_10) USER(user) USAGE(*ALLOWED)

To allow all users to perform this function, change the default authority of this function to *ALLOWED.

RFC 4217 Securing FTP with TLS, talks about Clear Command Channel.


It discusses the CCC FTP Command that can be used to disable encryption so that NAT can see the port numbers and adjust them accordingly. (With the obvious drawback that encryption has been turned off, and therefore the filenames and stuff like that are visible unencrypted).

It provides a PTF for V5R4 that enables this CCC command -- which isn't available in i5/OS, otherwise.

(Though, since you're using FileZilla, you might look to see if FileZilla already supports CCC)
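The NAT problem both replies describe (the firewall's FTP inspection reading PORT/PASV in clear text, going blind under TLS, and seeing them again after CCC) is easiest to see in code. The following is an added example, not code from the thread, FileZilla or IBM: a small Python model of a firewall's FTP application-level gateway run over a constructed control-channel trace. The trace format, the function names and the TLS record bytes are assumptions made for illustration.

```python
"""Added example, not code from the thread: a model of the FTP ALG logic a
NAT firewall uses to learn which data ports to open, run over a constructed
control-channel trace. It shows the ALG going blind after AUTH TLS and
seeing PORT/PASV again once CCC (RFC 4217) returns the channel to clear."""
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _host_port(groups):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and 227 replies."""
    a, b, c, d, hi, lo = (int(g) for g in groups)
    return f"{a}.{b}.{c}.{d}", hi * 256 + lo


def derive_pinholes(trace):
    """trace: (direction, wire_text) pairs, 'C' client->server, 'S' reverse.

    Returns (pinholes, opaque). A pinhole is (mode, host, port): in active
    mode the server connects FROM port 20 TO host:port, in passive mode the
    client connects out TO host:port. Lines that are not printable text
    (TLS records once AUTH TLS succeeded) count as opaque: the ALG can
    neither read nor rewrite the address inside them."""
    pinholes, opaque = [], 0
    for direction, text in trace:
        text = text.rstrip("\r\n")
        if not text.isprintable():
            opaque += 1
            continue
        if direction == "C" and (m := PORT_RE.match(text)):
            pinholes.append(("active", *_host_port(m.groups())))
        elif direction == "S" and (m := PASV_RE.match(text)):
            pinholes.append(("passive", *_host_port(m.groups())))
    return pinholes, opaque


# Constructed trace (not a real capture): the first PASV exchange happens
# under TLS, so the firewall sees only record bytes; after CCC the PASV and
# PORT exchanges are clear text again and the ALG can act on them.
TRACE = [
    ("C", "AUTH TLS"), ("S", "234 Proceed with negotiation"),
    ("C", "\x16\x03\x03\x00\x2a..."),  # TLS handshake, then encrypted PASV
    ("S", "\x17\x03\x03\x00\x31..."),  # encrypted 227 reply: no pinhole
    ("C", "\x17\x03\x03\x00\x1c..."),  # encrypted CCC
    ("S", "\x17\x03\x03\x00\x1f..."),  # encrypted 200 reply, TLS shut down
    ("C", "PASV"), ("S", "227 Entering Passive Mode (192,0,2,10,195,80)"),
    ("C", "PORT 198,51,100,7,200,10"), ("S", "200 PORT command successful"),
]
```

Running `derive_pinholes(TRACE)` yields two pinholes (passive 192.0.2.10:50000 and active 198.51.100.7:51210) and four opaque lines, which is exactly why passive mode with unrestricted outbound connections is the only option that needs no inspection at all.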