Summary #
Running an FTP server behind a NAT can be tricky, but it is possible with a few tweaks to the firewall setup. However, FTP should be avoided if at all possible. FTP is a clear-text protocol: usernames, passwords, and file contents all cross the Internet unencrypted, so anyone or anything along the path can sniff your name, your password, or the files you are transferring. A better alternative is an SFTP server. SFTP is the SSH File Transfer Protocol (http://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol), a separate file-transfer protocol that runs inside an SSH session rather than FTP tunneled over SSH, so it is encrypted end to end, needs only TCP port 22 reachable, and has no second data connection for a NAT to break. There are several ways to run an SFTP/SSH server on Windows, including Cygwin or KpyM. See http://en.wikipedia.org/wiki/List_of_SFTP_server_software for a list of possible options.
If you have to use FTP to support some legacy software, this article will tell you how to configure SecureSchool to pass FTP traffic to your server, and allow your server to talk to the client.
More Information #
The FTP protocol is different from almost every other protocol on the Internet in that, in its default active mode, the server initiates a connection back to the client to transfer data, in addition to the client connecting to the server to issue commands. (In passive mode the client opens the data connection instead, to a port the server advertises; the port forwards described below cover only ports 20 and 21, so passive-mode clients would also need the server's passive port range forwarded.) The client expects the server's data connection to come from the same IP address it connected to for commands. In SecureSchool, all outgoing NAT'd traffic leaves from the primary IP address on the appliance, even when port forwards are set up on another address.
For example, say SecureSchool has a primary outside IP address of 1.1.1.1 and an additional outside IP address of 1.1.1.2, and you have ports 20 and 21 forwarded on 1.1.1.2 to your FTP server at 192.168.0.1. When you connect to the FTP server from outside the network, you connect to 1.1.1.2, since that is where the port forward is. When the server tries to connect back to the client for a data transfer, the client sees the new connection coming from 1.1.1.1, the primary address on the appliance, and the client (or the firewall in front of it) rejects it, because it expects to be talking to 1.1.1.2, not 1.1.1.1. The symptom is a login that succeeds but a directory listing or file transfer that hangs or fails.
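The following is an added example, not code from the SecureSchool article or the appliance: a small active-mode FTP probe that reproduces the exchange described above and reports which source address the server's data connection actually arrives from, so you can confirm the fix from outside the network. It uses only the Python standard library. Because a real FTP server is not available offline, `start_fake_server()` is a constructed in-process stand-in that answers the handful of commands the probe sends; the `data_source_ip` it binds its data connection to stands in for the appliance's outside address. Against a real server you would call `probe_active_mode()` with that server's public address (and a real account) instead.

```python
"""Active-mode FTP probe: does the server's data connection come back from the
same public IP the client connected to for commands?

Added example, not from the SecureSchool article. Standard library only.
"""
import re
import socket
import threading

_FINAL_REPLY = re.compile(rb"^\d{3} ")  # 'nnn ' ends a reply; 'nnn-' is a continuation line


def read_reply(f):
    """Return the final line of one FTP reply, skipping multi-line continuations."""
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("control connection closed")
        if _FINAL_REPLY.match(line):
            return line.decode("ascii", "replace").rstrip("\r\n")


def send_cmd(ctrl, f, cmd):
    ctrl.sendall((cmd + "\r\n").encode("ascii"))
    return read_reply(f)


def encode_port_arg(ip, port):
    """Build the RFC 959 PORT argument h1,h2,h3,h4,p1,p2 from an IPv4 address and port."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def parse_port_arg(arg):
    """Inverse of encode_port_arg; rejects anything that is not six octets."""
    parts = [int(x) for x in arg.strip().split(",")]
    if len(parts) != 6 or any(not 0 <= x <= 255 for x in parts):
        raise ValueError("malformed PORT argument: %r" % arg)
    return ".".join(str(x) for x in parts[:4]), (parts[4] << 8) | parts[5]


def probe_active_mode(host, port=21, user="anonymous", password="probe@example.com", timeout=5.0):
    """Log in, send PORT for a local listener, ask for a listing, and report where
    the server's data connection really came from."""
    ctrl = socket.create_connection((host, port), timeout=timeout)
    control_peer = ctrl.getpeername()[0]          # the address the client believes it is talking to
    f = ctrl.makefile("rb")
    listener = socket.socket()
    try:
        read_reply(f)                              # 220 banner
        send_cmd(ctrl, f, "USER " + user)          # 331
        if not send_cmd(ctrl, f, "PASS " + password).startswith("230"):
            raise RuntimeError("login failed")
        local_ip = ctrl.getsockname()[0]           # listen on the IP the server sees us on
        listener.bind((local_ip, 0))
        listener.listen(1)
        listener.settimeout(timeout)
        reply = send_cmd(ctrl, f, "PORT " + encode_port_arg(local_ip, listener.getsockname()[1]))
        if not reply.startswith("200"):
            raise RuntimeError("PORT rejected: " + reply)
        ctrl.sendall(b"LIST\r\n")                  # the server now connects back to our listener
        try:
            data, (data_ip, data_src_port) = listener.accept()
        except socket.timeout:                     # what a broken NAT setup looks like from outside
            return {"control_peer": control_peer, "data_peer": None,
                    "data_source_port": None, "consistent": False}
        data.close()
        while read_reply(f).startswith("1"):       # skip 150, stop at 226 (or an error)
            pass
        send_cmd(ctrl, f, "QUIT")                  # 221
    finally:
        listener.close()
        ctrl.close()
    return {"control_peer": control_peer, "data_peer": data_ip,
            "data_source_port": data_src_port, "consistent": data_ip == control_peer}


def start_fake_server(data_source_ip="127.0.0.1"):
    """Constructed stand-in for an FTP daemon (not a real server) so the probe runs
    offline. It opens its active-mode data connection from data_source_ip, which
    plays the role of the appliance's outside address. Returns (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        f, target = conn.makefile("rb"), None
        conn.sendall(b"220 fake FTP (constructed example)\r\n")
        while True:
            line = f.readline().decode("ascii", "replace").strip()
            if not line:
                break
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                conn.sendall(b"331 Password please.\r\n")
            elif verb == "PASS":
                conn.sendall(b"230 Logged in.\r\n")
            elif verb == "PORT":
                target = parse_port_arg(arg)
                conn.sendall(b"200 PORT command successful.\r\n")
            elif verb == "LIST" and target:
                d = socket.socket()
                d.bind((data_source_ip, 0))        # real servers normally use source port 20 here
                d.connect(target)
                conn.sendall(b"150 Opening data connection.\r\n")
                d.sendall(b"-rw-r--r-- 1 ftp ftp 0 Jan 1 00:00 README\r\n")
                d.close()
                conn.sendall(b"226 Transfer complete.\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 Goodbye.\r\n")
                break
            else:
                conn.sendall(b"500 Unknown command.\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    host, port = start_fake_server()
    print(probe_active_mode(host, port))
```

A `consistent: False` result with a `data_peer` that differs from `control_peer` is exactly the 1.1.1.1-versus-1.1.1.2 mismatch described above; a timeout with `data_peer: None` usually means the client-side firewall dropped the unexpected connection before the probe ever saw it.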
There are two ways to solve this problem. The simplest way is to forward ports 20 and 21 to your FTP server on the primary IP address of the appliance, so that the data connections the server opens back to clients leave from the same address the clients connected to. You do this under “Firewall” -> “Port Forwarding”, and create two port forwards: one for TCP port 20, and one for TCP port 21. For the outside IP address, choose the appliance’s primary IP address (the one shown under “Setup” -> “Basic Setup” -> “View”), not a secondary address.
The second way is needed if you have more than one FTP server, or if you cannot forward ports 20 and 21 on your primary IP address for some reason. When you set up an Address Forward, all outgoing traffic from the inside server associated with the Address Forward goes out from the outside IP address associated with the Address Forward, which is what the FTP client needs to see. The downside of using Address Forwards is that they forward all ports, so the whole server is exposed to the Internet unless you add firewall rules. Forwarding all ports is required in some cases (like video conferencing devices), but in this case we want to limit what traffic is allowed in through the Address Forward. Here’s how.
- Create your address forward by going to “Firewall” -> “Address Forwarding”. If there are no available outside IP addresses, you can add one by going to “Setup” -> “Secondary IP Addresses”.
- Secure / restrict the address forward by making two firewall rules. The firewall rules are processed in order of Sequence Number, and the first rule that matches the traffic is the one used, so the Allow rule must have a lower Sequence Number than the Deny rule; if the order is reversed, the Deny rule also blocks FTP. Add these two rules to limit the Address Forward to FTP only:
- Name: “FTP Server” (or enter a name that makes sense to you)
Type: Allow
Protocol: TCP
Direction: From Internet
Source Address: “0.0.0.0/0”
Source Port: Leave blank
Destination Address: Inside/private IP address of the FTP server
Destination Port: “20,21”
Sequence Number: Check the box and enter “25”
- Name: “Secure FTP Server” (or enter a name that makes sense to you)
Type: Deny
Protocol: All
Direction: From Internet
Source Address: “0.0.0.0/0”
Destination Address: Inside/private IP address of the FTP server
Sequence Number: Check the box and enter “26”
In both cases, you also need a rule allowing the FTP server to connect out to any IP on any port; this is what lets the server open the active-mode data connection back to each client’s ephemeral port:
- Name: “Allow FTP Server Out”
Type: Allow
Protocol: TCP
Direction: From Inside
Source Address: Inside/private IP address of the FTP server
Source Port: Leave blank
Destination Address: “0.0.0.0/0”
Destination Port: Leave blank
If the server has no other reason to reach the Internet, you can tighten this rule by setting Source Port to “20”, the port most FTP servers use as the source of active-mode data connections; check your server’s configuration before relying on that.
Once you have done these steps, Commit Changes, and Restart, your FTP server should be accessible from the Internet. Test it from a client outside the network and confirm that a directory listing or file transfer works, not just the login: the login uses only the control connection on port 21, while the listing exercises the data connection that this whole setup is about.
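The following is an added example, not the SecureSchool appliance’s code: a first-match evaluator for the three rules above, to show why the Sequence Numbers matter and what the Deny rule is for. It models the semantics the article states (lowest Sequence Number first, first match wins). Assumptions not in the article: the inside address 192.168.0.1 is borrowed from the earlier example, the outbound rule is given Sequence Number 30 because the article assigns it none, and traffic that no rule catches is passed (“Allow”), modelling an Address Forward that forwards every port.

```python
"""First-match firewall rule evaluation for the article's FTP rules.

Added example, not the appliance's code. Assumed: 192.168.0.1 as the inside
address, sequence 30 for the outbound rule, and 'Allow' as the default when no
rule matches (the Address Forward passing everything through).
"""
import ipaddress

FTP_SERVER = "192.168.0.1"  # assumed inside address, from the article's example


def parse_ports(spec):
    """'20,21' -> {20, 21}; '' -> None meaning any port; 'lo-hi' ranges also accepted."""
    if not spec:
        return None
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def rule(seq, name, action, proto, direction, src="0.0.0.0/0", sport="", dst="0.0.0.0/0", dport=""):
    """One rule expressed as the appliance's form fields; a blank port means any."""
    return {"seq": seq, "name": name, "action": action, "proto": proto.lower(),
            "direction": direction, "src": ipaddress.ip_network(src), "sport": parse_ports(sport),
            "dst": ipaddress.ip_network(dst), "dport": parse_ports(dport)}


ARTICLE_RULES = [
    rule(25, "FTP Server", "Allow", "TCP", "From Internet", dst=FTP_SERVER + "/32", dport="20,21"),
    rule(26, "Secure FTP Server", "Deny", "All", "From Internet", dst=FTP_SERVER + "/32"),
    rule(30, "Allow FTP Server Out", "Allow", "TCP", "From Inside", src=FTP_SERVER + "/32"),
]


def packet(direction, proto, src, sport, dst, dport):
    """A constructed flow description to evaluate against the rules."""
    return {"direction": direction, "proto": proto.lower(), "src": ipaddress.ip_address(src),
            "sport": sport, "dst": ipaddress.ip_address(dst), "dport": dport}


def matches(r, p):
    return (r["direction"] == p["direction"]
            and r["proto"] in ("all", p["proto"])
            and p["src"] in r["src"] and p["dst"] in r["dst"]
            and (r["sport"] is None or p["sport"] in r["sport"])
            and (r["dport"] is None or p["dport"] in r["dport"]))


def decide(rules, p, default="Allow"):
    """Lowest Sequence Number first; the first matching rule decides. `default` is the
    assumed outcome when nothing matches (the Address Forward passes the traffic)."""
    for r in sorted(rules, key=lambda r: r["seq"]):
        if matches(r, p):
            return r["action"], r["name"]
    return default, "(no rule matched)"


def reordered(rules, name, new_seq):
    """Copy of `rules` with one rule's Sequence Number changed, to try ordering mistakes."""
    return [dict(r, seq=new_seq) if r["name"] == name else r for r in rules]


if __name__ == "__main__":
    ftp_in = packet("From Internet", "tcp", "203.0.113.5", 50000, FTP_SERVER, 21)
    ssh_in = packet("From Internet", "tcp", "203.0.113.5", 50001, FTP_SERVER, 22)
    print("FTP in, article order :", decide(ARTICLE_RULES, ftp_in))
    print("SSH in, article order :", decide(ARTICLE_RULES, ssh_in))
    print("SSH in, no Deny rule  :", decide(ARTICLE_RULES[:1], ssh_in))
    print("FTP in, Deny moved to 24:", decide(reordered(ARTICLE_RULES, "Secure FTP Server", 24), ftp_in))
```

Running it shows the two failure modes the procedure guards against: without the Deny rule, every port on the server is reachable through the Address Forward, and with the Deny rule given a lower Sequence Number than the Allow rule, FTP itself is blocked.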
