Vincenzo Lombardo created NIFI-14719:
----------------------------------------
Summary: Add Port Range Parameter for Passive FTP in ListenFTP Processor
Key: NIFI-14719
URL: https://issues.apache.org/jira/browse/NIFI-14719
Project: Apache NiFi
Issue Type: Improvement
Affects Versions: 2.5.0
Reporter: Vincenzo Lombardo
Currently, the ListenFTP processor in Apache NiFi does not provide a mechanism
to specify a port range for passive FTP mode. When NiFi's ListenFTP processor
is used in an environment with strict firewall rules, the lack of a
configurable passive port range makes it challenging to manage inbound FTP
connections. The default behavior often selects random high-numbered ports,
which necessitates opening a wide range of ports on firewalls, posing a
security risk and increasing administrative overhead.
*This issue is particularly problematic when running NiFi within a Docker
container.* Without a defined port range, exposing random high ports from the
Docker container to the host machine, and subsequently through network
firewalls, becomes unmanageable and highly insecure. It forces users to open an
overly broad range of ports on their Docker host and potentially on external
firewalls, defeating the purpose of network segmentation and security best
practices.
h3. Proposed Solution
Add a new configurable property to the ListenFTP processor called {*}"Passive
Port Range"{*}. This property would allow users to define a specific range of
ports (e.g., {{50000-50099}}) that the ListenFTP processor should use when
operating in passive FTP mode.
h3. Benefits
* *Improved Security:* Users can restrict the range of ports open on their
firewalls, reducing the attack surface.
* *Easier Firewall Management:* Simplifies firewall configuration by allowing
administrators to define a narrow and predictable set of ports.
* *Enhanced Deployability:* Makes it easier to deploy NiFi's ListenFTP
processor in secure and tightly controlled network environments, {*}especially
in containerized environments like Docker{*}.
h3. Implementation Details & Offer to Contribute
I have already implemented this feature privately for my own use case and would
be happy to *share my changes* and contribute them to the Apache NiFi project.
This could potentially accelerate the integration of this much-needed
functionality into a future release.
h3. User Scenario
A user needs to configure ListenFTP to receive files via passive FTP from
external systems. Their corporate firewall policy requires all inbound
connections to use pre-defined port ranges for security. Without the ability to
specify a passive port range, the user is forced to open a wide, dynamic range
of high ports, or is unable to use ListenFTP effectively in their environment.
*When deploying NiFi in Docker, this problem is exacerbated as manually mapping
random high ports from the container to the host is impractical and insecure,
hindering robust Docker deployments for FTP ingress.*
h3. Expected Behavior
When the "Passive Port Range" property is configured (e.g., to
{{50000-50099}}), the ListenFTP processor should only use ports within this
specified range for passive data connections. If the property is left
unconfigured, the current default behavior (random high-numbered ports) should
be maintained.
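As an added illustration of the validation the proposed "Passive Port Range" property would need (example code written for this ticket, not code from NiFi or from the reporter's implementation), a stand-alone Java parser for the START-END value format. The 1024 lower bound and the acceptance of a lone port as a one-port range are assumptions, not behaviour the ticket specifies.

```java
import java.util.Objects;
/** Parses and validates a "start-end" passive port range such as "50000-50099". */
public final class PassivePortRange {
    // Privileged ports (< 1024) are rejected: an unprivileged NiFi process cannot bind them (deployment assumption).
    private static final int MIN_PORT = 1024;
    private static final int MAX_PORT = 65535;

    public final int start;
    public final int end;

    private PassivePortRange(int start, int end) {
        this.start = start;
        this.end = end;
    }
    /** Number of passive data connections the range can serve at once. */
    public int size() { return end - start + 1; }

    /** Parses "50000-50099"; a lone port such as "50000" is treated as a one-port range (assumption). */
    public static PassivePortRange parse(String value) {
        String text = Objects.requireNonNull(value, "Passive Port Range must not be null").trim();
        String[] parts = text.split("-", -1);
        if (parts.length > 2 || parts[0].isEmpty()) {
            throw new IllegalArgumentException("Expected START-END, got '" + value + "'");
        }
        int start = parsePort(parts[0], value);
        int end = parts.length == 2 ? parsePort(parts[1], value) : start;
        if (start > end) {
            throw new IllegalArgumentException("Range start exceeds end in '" + value + "'");
        }
        return new PassivePortRange(start, end);
    }
    private static int parsePort(String token, String original) {
        final int port;
        try {
            port = Integer.parseInt(token.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("Non-numeric port in '" + original + "'", e);
        }
        if (port < MIN_PORT || port > MAX_PORT) {
            throw new IllegalArgumentException("Port " + port + " outside " + MIN_PORT + "-" + MAX_PORT);
        }
        return port;
    }

    public static void main(String[] args) {
        PassivePortRange r = parse(args.length > 0 ? args[0] : "50000-50099");
        // Publish and open exactly this span, e.g. docker run -p 50000-50099:50000-50099 (constructed illustration).
        System.out.printf("passive ports %d-%d (%d concurrent data connections)%n", r.start, r.end, r.size());
    }
}
```

Rejecting reversed ranges, non-numeric tokens and out-of-bounds ports at configuration time keeps the processor from silently falling back to the random high ports the ticket describes.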
--
This message was sent by Atlassian Jira
(v8.20.10#820010)