
Inbound FTP Passive Mode

I have an FTP server running behind my UTM 9.605. It's set up for passive mode connection and to use TLS on a non-standard FTP port (2121).

Right now I have it configured to use a specific range of ports for PASV connections: 51000-51050.

I have DNAT rules for external traffic on ports 2121 and 51000-51050 through to the FTP server IP and packet filters to allow that traffic through.

Everything works as intended.

But I have to leave those PASV mode ports open all the time.

What is the purpose of the FTP connection tracking helper? Is it to handle the dynamic PASV mode ports for an internal FTP server or to manage the return connection port 22 on ACTV mode FTP for internal clients? Would it still work using TLS?

Because I'm using a non-standard port for the FTP connection, is the helper bypassed?

I'd appreciate some insight. Thanks.

It's been a loooong time since I configured a UTM. Back in the Astaro days.



  • The 3 FTP proxy options are described inside this post.

    https://community.sophos.com/products/unified-threat-management/f/recommended-reads/115522/sophos-utm-securing-and-configuring-web-filtering

    All of the proxies are intended to protect client systems from malicious server content, so I don't think they are useful for your situation. Using them for inbound traffic might create vulnerabilities. Since the proxies bypass Firewall Rules, you have to be sure that the proxy allows only what you intend to allow. You can replace Firewall Rule blocks with DNAT-to-DeadEnd rules, but it is clumsy.

    I don't see any incremental risk from allowing all of those ports to be open on UTM, since they will only be open on the FTP server when they are needed.

    The related issue is to understand the inadequacy of FTP. Neither the login nor the download is encrypted, so a login-based FTP is unwise, and downloading sensitive data may be unwise. Any login from the internet should be moving to 2-factor authentication instead of just username and password.

    Your better options are:

    • FTPS, which is easy to do with Microsoft's IIS web server
    • SFTP
    • WAF with downloadable links
    • VPN client

    I believe that any of the first three options can be implemented with or without logins. Most or all of the options also eliminate the dual-session problem -- I am fuzzy about SFTP as I have not configured an SFTP site.

  • So they're all to protect the client. Even the FTP proxy under Web Protection.

    Agreed, plain FTP is insecure and shouldn't be used when other options are available. I've set up my FTP server to only use TLS, but I didn't want my original post complicated with TLS discussion. The ports used are still the same (on my setup), so that was what I needed to know about.

    I definitely want to be able to block IP ranges or hosts from incoming traffic. It's been my observation that when the Generic Proxy I had set up for FTP traffic didn't require any firewall rules, I thought I was missing something. But apparently I'm not. It would be nice if the Generic Proxy & FTP Proxy had better access control instead of just "include" lists.

    But it is what it is.

    I'll just stick to the DNAT & Firewall rules and skip any proxying.


    Thanks for the feedback, Douglas.