Hello,
Does pfSense offer FTP connection tracking? I think I am running
into a problem with FTP clients behind our firewall:
Here is the basis of my concern (taken from
http://www.linuxchix.org/content/courses/security/connection_tracking ):
Unlike most networked services, FTP uses two well-known ports, 20 and
21. 20 is the port for FTP data, and 21 is the port for FTP control
information. This makes an extra hole you have to leave in your
firewall when you're an FTP server. But the real problem comes when
you have an FTP client behind a firewall.
FTP Client -------------|----|-------------> FTP server
10.1.1.10                                    10.1.1.4
port 41327                                   port 21
The initial connection comes from a high-numbered port on the client
side to the FTP control port, 21. This is going to be allowed through
most firewalls. But the problem is the reply. When you send an FTP
command (ls, get, put, etc.), that opens a whole separate TCP
connection from the server to the client. This causes a problem --
firewalls may block THAT connection.
FTP Client -------------|----|-------------> FTP server
10.1.1.10               | fw |               10.1.1.4
port 41327              | *  |-------------- port 20
(That source port is 21 if it's sending control info, 20 if it's
sending a file. So, 21 when replying to the initial SYN with SYN, ACK
and that TCP connection. 20 when replying to an ls, get, put, etc.)
But the destination is some port that the FTP client has specified.
If we have a fairly tight firewall, it's not going to allow just any
box to connect through it on a random high port. So that ftp-data
connection gets dropped, and the user sees their FTP client fail
immediately after connection (i.e. "as soon as I try to do
anything"). This type of FTP is called Active FTP, or Active Mode FTP.