<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Shorewall and FTP</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="FTP"></a>Shorewall and FTP</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2003, 2004, 2005, 2006 Thomas M. Eastep</p></div><div><div class="legalnotice"><a id="id278208"></a><p>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_self">GNU Free Documentation
License</a></span>”.</p></div></div><div><p class="pubdate">2008/12/15</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#Protocol">FTP Protocol</a></span></dt><dt><span class="section"><a href="#Conntrack">Linux FTP connection-tracking</a></span></dt><dt><span class="section"><a href="#Ports">FTP on Non-standard Ports</a></span></dt><dt><span class="section"><a href="#Rules">Rules</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.0 and
later. If you are running a version of Shorewall earlier than Shorewall
4.0.0 then please see the documentation for that
release.</strong></span></p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Protocol"></a>FTP Protocol</h2></div></div></div><p>FTP transfers involve two TCP connections. The first <span class="bold"><strong>control</strong></span> connection goes from the FTP client to port
21 on the FTP server. This connection is used for logon and to send
commands and responses between the endpoints. Data transfers (including
the output of “<span class="quote">ls</span>” and “<span class="quote">dir</span>” commands) requires
a second data connection. The <span class="bold"><strong>data</strong></span>
connection is dependent on the <span class="bold"><strong>mode</strong></span> that
the client is operating in:</p><div class="variablelist"><dl><dt><span class="term">Passive Mode</span></dt><dd><p>(often the default for web browsers) -- The client issues a
PASV command. Upon receipt of this command, the server listens on a
dynamically-allocated port then sends a PASV reply to the client.
The PASV reply gives the IP address and port number that the server
is listening on. The client then opens a second connection to that
IP address and port number.</p></dd><dt><span class="term">Active Mode</span></dt><dd><p>(often the default for line-mode clients) -- The client
listens on a dynamically-allocated port then sends a PORT command to
the server. The PORT command gives the IP address and port number
that the client is listening on. The server then opens a connection
to that IP address and port number; the <span class="bold"><strong>source
port</strong></span> for this connection is 20 (ftp-data in
/etc/services).</p></dd></dl></div><p>You can see these commands in action using your linux ftp
command-line client in debugging mode. Note that my ftp client defaults to
passive mode and that I can toggle between passive and active mode by
issuing a “<span class="quote">passive</span>” command:</p><pre class="programlisting">[teastep@wookie Shorewall]$ <span class="bold"><strong>ftp ftp1.shorewall.net</strong></span>
Connected to lists.shorewall.net.
220-=(<*>)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(<*>)=-
220-You are user number 1 of 50 allowed.
220-Local time is now 10:21 and the load is 0.14. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
500 Security extensions not implemented
500 Security extensions not implemented
KERBEROS_V4 rejected as an authentication type
Name (ftp1.shorewall.net:teastep): <span class="command"><strong>ftp</strong></span>
331-Welcome to ftp.shorewall.net
331-
331 Any password will work
Password:
230 Any password will work
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> <span class="bold"><strong>debug</strong></span>
Debugging on (debug=1).
ftp> <span class="bold"><strong>ls</strong></span>
---> <span class="emphasis"><em>PASV</em></span>
<span class="emphasis"><em>227 Entering Passive Mode (192,168,1,193,195,210)</em></span>
---> LIST
150 Accepted data connection
drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives
drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc
drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub
226-Options: -l
226 3 matches total
ftp> <span class="bold"><strong>passive</strong></span>
Passive mode off.
ftp> <span class="bold"><strong>ls</strong></span>
<span class="emphasis"><em>---> PORT 192,168,1,3,142,58</em></span>
200 PORT command successful
---> LIST
150 Connecting to port 36410
drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives
drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc
drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub
226-Options: -l
226 3 matches total
ftp></pre><p>Things to notice:</p><div class="orderedlist"><ol type="1"><li><p>The commands that I issued are <span class="bold"><strong>strongly
emphasized</strong></span>.</p></li><li><p>Commands sent by the client to the server are preceded by
---></p></li><li><p>Command responses from the server over the control connection
are numbered.</p></li><li><p>FTP uses a comma as a separator between the bytes of the IP
address.</p></li><li><p>When sending a port number, FTP sends the MSB then the LSB and
separates the two bytes by a comma. As shown in the PORT command, port
142,58 translates to 142*256+58 = 36410.</p></li></ol></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Conntrack"></a>Linux FTP connection-tracking</h2></div></div></div><p>Given the normal loc->net policy of ACCEPT, passive mode access
from local clients to remote servers will always work but active mode
requires the firewall to dynamically open a “<span class="quote">hole</span>” for the
server's connection back to the client. Similarly, if you are running an
FTP server in your local zone then active mode should always work but
passive mode requires the firewall to dynamically open a
“<span class="quote">hole</span>” for the client's second connection to the server. This
is the role of FTP connection-tracking support in the Linux kernel.</p><p>Where any form of NAT (SNAT, DNAT, Masquerading) on your firewall is
involved, the PORT commands and PASV responses may also need to be
modified by the firewall. This is the job of the FTP nat support kernel
function.</p><p>Including FTP connection-tracking and NAT support normally means
that the modules “<span class="quote">ip_conntrack_ftp</span>” and
“<span class="quote">ip_nat_ftp</span>” need to be loaded. Shorewall automatically loads
these “<span class="quote">helper</span>” modules from
/lib/modules/<<span class="emphasis"><em>kernel-version</em></span>>/kernel/net/netfilter/
and you can determine if they are loaded using the “<span class="quote">lsmod</span>”
command. The <<span class="emphasis"><em>kernel-version</em></span>> may be obtained
by typing</p><pre class="programlisting"><span class="command"><strong>uname -r</strong></span></pre><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>Note: If you are running kernel 3.6.19 or earlier, then the module
names are <span class="bold"><strong>ip_nat_ftp</strong></span> and <span class="bold"><strong>ip_conntrack_ftp</strong></span> and they are normally loaded
from
/lib/modules/<<span class="emphasis"><em>kernel-version</em></span>>/kernel/net/ipv4/netfilter/.</p></div><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>Because the ftp helper modules must read and modify commands being
sent over the command channel, they won't work when the command channel
is encrypted through use of TLS/SSL.</p></div><div class="example"><a id="Example1"></a><p class="title"><b>Example 1. Example (Kernel 3.2.20)</b></p><div class="example-contents"><pre class="programlisting">[root@lists etc]# lsmod
Module Size Used by Not tainted
iptable_filter 3072 1
iptable_mangle 2816 0
iptable_nat 7684 0
iptable_raw 2048 0
ip_tables 12232 4 iptable_raw,iptable_mangle,iptable_nat,iptable_filter
ipt_addrtype 1920 0
ipt_ah 2048 0
ipt_CLUSTERIP 8708 0
ipt_ecn 2304 0
ipt_ECN 3072 0
ipt_iprange 1920 0
ipt_LOG 6528 0
ipt_MASQUERADE 3456 0
ipt_NETMAP 2048 0
ipt_owner 2048 0
ipt_recent 9496 0
ipt_REDIRECT 2048 0
ipt_REJECT 4608 0
ipt_SAME 2432 0
ipt_TCPMSS 4096 0
ipt_tos 1664 0
ipt_TOS 2304 0
ipt_ttl 1920 0
ipt_TTL 2432 0
ipt_ULOG 8068 0
nf_conntrack 59864 28 ipt_MASQUERADE,ipt_CLUSTERIP,nf_nat_tftp,nf_nat_snmp_basic,nf_nat_sip,nf_nat_pptp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_ama
nda,nf_conntrack_tftp,nf_conntrack_sip,nf_conntrack_proto_sctp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_irc,nf_conntrack_
h323,nf_conntrack_ftp,xt_helper,xt_state,xt_connmark,xt_conntrack,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_conntrack_amanda 5248 1 nf_nat_amanda
<span class="bold"><strong>nf_conntrack_ftp</strong></span> 9728 1 nf_nat_ftp
nf_conntrack_h323 50396 1 nf_nat_h323
nf_conntrack_ipv4 17932 2 iptable_nat
nf_conntrack_irc 7064 1 nf_nat_irc
nf_conntrack_netbios_ns 3072 0
nf_conntrack_netlink 26240 0
nf_conntrack_pptp 6912 1 nf_nat_pptp
nf_conntrack_proto_gre 5632 1 nf_conntrack_pptp
nf_conntrack_proto_sctp 8328 0
nf_conntrack_sip 9748 1 nf_nat_sip
nf_conntrack_tftp 5780 1 nf_nat_tftp
nf_nat 17964 14 ipt_SAME,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,nf_nat_tftp,nf_nat_sip,nf_nat_pptp,nf_nat_proto_gre,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amand
a,nf_conntrack_netlink,iptable_nat
nf_nat_amanda 2432 0
<span class="bold"><strong>nf_nat_ftp</strong></span> 3584 0
nf_nat_h323 7808 0
nf_nat_irc 2816 0
nf_nat_pptp 3840 0
nf_nat_proto_gre 3204 1 nf_nat_pptp
nf_nat_sip 4608 0
nf_nat_snmp_basic 10372 0
nf_nat_tftp 1920 0
xt_CLASSIFY 1920 0
xt_comment 1920 0
xt_connmark 2432 0
xt_conntrack 2944 0
xt_dccp 3588 0
xt_hashlimit 10252 0
xt_helper 2688 0
xt_length 1920 0
xt_limit 2688 0
xt_mac 1920 0
xt_mark 1920 0
xt_MARK 2304 0
xt_multiport 3328 1
xt_NFLOG 2176 0
xt_NFQUEUE 2048 0
xt_physdev 2704 2
xt_pkttype 1920 0
xt_policy 3840 0
xt_state 2560 0
xt_tcpmss 2304 0
xt_tcpudp 3328 0
[root@lists etc]#</pre></div></div><br class="example-break" /><p>If you want Shorewall to load these modules from an alternate
directory, you need to set the MODULESDIR variable in
/etc/shorewall/shorewall.conf to point to that directory.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Ports"></a>FTP on Non-standard Ports</h2></div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>If you are running <span class="bold"><strong>kernel 2.6.19 or
earlier</strong></span>, replace <span class="bold"><strong>nf_conntrack_ftp</strong></span> with <span class="bold"><strong>ip_conntrack_ftp</strong></span> in the following instructions.
Similarly, replace <span class="bold"><strong>nf_nat_ftp</strong></span> with
<span class="bold"><strong>ip_nat_ftp</strong></span>.</p></div><p>The above discussion about commands and responses makes it clear
that the FTP connection-tracking and NAT helpers must scan the traffic on
the control connection looking for PASV and PORT commands as well as PASV
responses. If you run an FTP server on a nonstandard port or you need to
access such a server, you must therefore let the helpers know by
specifying the port in /etc/shorewall/modules entries for the helpers.
</p><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>You must have modularized FTP connection tracking support in
order to use FTP on a non-standard port.</p></div><div class="example"><a id="Example2"></a><p class="title"><b>Example 2. if you run an FTP server that listens on port 49 or you need to
access a server on the Internet that listens on that port then you would
have:</b></p><div class="example-contents"><pre class="programlisting">loadmodule nf_conntrack_ftp ports=21,49
loadmodule nf_nat_ftp # NOTE: With kernels prior to 2.6.11, you must specify the ports on this line also</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>you MUST include port 21 in the ports list or you may have
problems accessing regular FTP servers.</p></div><p>If there is a possibility that these modules might be loaded
before Shorewall starts, then you should include the port list in
/etc/modules.conf:</p><pre class="programlisting">options nf_conntrack_ftp ports=21,49
options nf_nat_ftp</pre><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>Once you have made these changes to /etc/shorewall/modules
and/or /etc/modules.conf, you must either:</p><div class="orderedlist"><ol type="1"><li><p>Unload the modules and restart shorewall:</p><pre class="programlisting"><span class="command"><strong>rmmod nf_nat_ftp; rmmod nf_conntrack_ftp; shorewall restart</strong></span></pre></li><li><p>Reboot</p></li></ol></div></div></div></div><br class="example-break" /></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Rules"></a>Rules</h2></div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>If you run an FTP server behind your firewall and your server
offers a method of specifying the external IP address of your firewall,
DON'T USE THAT FEATURE OF YOUR SERVER. Using that option will defeat the
purpose of the ftp helper modules and can result in a server that
doesn't work.</p></div><p>If the policy from the source zone to the destination zone is ACCEPT
and you don't need DNAT (see <a class="ulink" href="FAQ.htm#faq30" target="_self">FAQ 30</a>)
then <span class="bold"><strong>you need no rule</strong></span>.</p><p>Otherwise, for FTP you need exactly <span class="bold"><strong>one</strong></span> rule:</p><pre class="programlisting">#ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL
# PORT(S) DESTINATION
ACCEPT or <<span class="emphasis"><em>source</em></span>> <<span class="emphasis"><em>destination</em></span>> tcp 21 - <external IP addr> if
DNAT ACTION = DNAT</pre><p>You need an entry in the ORIGINAL DESTINATION column only if the
ACTION is DNAT, you have multiple external IP addresses and you want a
specific IP address to be forwarded to your server.</p><p>Note that you do <span class="bold"><strong>NOT </strong></span>need a rule
with 20 (ftp-data) in the PORT(S) column. If you post your rules on the
mailing list and they show 20 in the PORT(S) column, I will know that you
haven't read this article and I will either ignore your post or tell you
to RTFM.</p><p>Shorewall includes an FTP macro that simplifies creation of FTP
rules. The macro source is in
<code class="filename">/usr/share/shorewall/macro.FTP</code>. Using the macro is
the preferred way to generate the rules described above. Here are a couple
of examples.</p><div class="example"><a id="Example3"></a><p class="title"><b>Example 3. Server running behind a Masquerading Gateway</b></p><div class="example-contents"><p>Suppose that you run an FTP server on 192.168.1.5 in your local
zone using the standard port (21). You need this rule:</p><pre class="programlisting">#ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL
# PORT(S) DESTINATION
FTP/DNAT net loc:192.168.1.5</pre></div></div><p><br class="example-break" /></p><div class="example"><a id="Example4"></a><p class="title"><b>Example 4. Allow your DMZ FTP access to the Internet</b></p><div class="example-contents"><pre class="programlisting">#ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL
# PORT(S) DESTINATION
FTP/ACCEPT dmz net</pre></div></div><p><br class="example-break" /></p><p>Note that the FTP connection tracking in the kernel cannot handle
cases where a PORT command (or PASV reply) is broken across two packets or
is missing the ending <cr>/<lf>. When such cases occur, you
will see a console message similar to this one:</p><pre class="programlisting">Apr 28 23:55:09 gateway kernel: conntrack_ftp: partial PORT 715014972+1</pre><p>I see this problem occasionally with the FTP server in my DMZ. My
solution is to add the following rule:</p><pre class="programlisting">#ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL
# PORT(S) DESTINATION
ACCEPT:info dmz net tcp - 20</pre><p>The above rule accepts and logs all active mode connections from my
DMZ to the net.</p></div></div></body></html>
