Dear support,

I am using edtFTPD as the FTP server in our company, behind a firewall, and am publishing the FTP site out through the NAT firewall. It all works nicely! BUT, when switching to FTPS, things go wrong at the same point every time. The auth handshake on port 21 is working fine, and then the PASV command is issued, and right here it is very visible that the PASV command will always fail in a NAT environment.

In FTP mode the PASV command tries to set up the data channel on the correct IP address, which is the PUBLIC address, and it works, but in FTPS mode the PASV command tries to use the private local IP behind the firewall, and then of course just times out, as there is no way to connect directly to an inside address. I have tried every combination given in the advice about using only one port, and the NAT firewall always works on the commands but not on the data channel, even if it is the same port!

I would very much like it if this could be fixed somehow, so I could use the data channel to do FTPS. I must mention that I have no problems with FTPS when not going through NAT.

Is there a way to configure a solution to the FTPS PASV-NAT problem, or is it simply my firewall that cannot handle PASV on the data channel?

Mic

4 Answers

0 votes
by (51.6k points)
[NOTE ADDED March 2007]

Please refer to http://www.enterprisedt.com/products/edtftpjssl/doc/manual/html/howtoftpthroughafilewall.html for an in-depth explanation of this problem.


[ORIGINAL POST FOLLOWS]

Hi Mic

The reason why it works in non-SSL mode is that your firewall actually intercepts the PASV command and temporarily configures the firewall to (1) open a port in the firewall for connections from the FTP client and (2) channel the incoming connection through to your server. It can't do this in SSL mode since the PASV command is encrypted. You can read more about this at http://www.allaboutjake.com/network/linksys/ftp.html.

For a possible solution to your problem look here: http://www.indyproject.org/KB/ftpsslbehindnat.htm.

Hope that helps.

- Hans (EDT Support)
0 votes
by
Thanks, support.

Got closer to a solution. Found this in the Indy project KB.
This is on the server side:
"If you must use a FTP server using SSL behind a NAT, you should do the following:
1. Configure your NAT to forward a range of ports to your server.
2. Specify that port range with PASVBoundPortMin and BoundPortMax properties.
3. Set the IP address given in PASV replies to your NAT's external Internet IP address using the OnPASVReply event but do not change the IP address for clients that are also on the internal network."

Am I right to conclude that 1 and 2 can be done now, as it is?
I guess that you have implemented 2 as the passive... n n command?
But what about 3 - that is exactly what I want to try! How is the OnPASVReply event implemented? And how can I configure the PASV reply to be my firewall's external interface?
Very interested to make this work :)

Mic
0 votes
by (51.6k points)
Hi

> Got closer to a solution. Found this in the Indy project KB.
> This is on the server side:
> "If you must use a FTP server using SSL behind a NAT, you should do the following:
> 1. Configure your NAT to forward a range of ports to your server.
> 2. Specify that port range with PASVBoundPortMin and BoundPortMax properties.

Those configuration settings are only valid for the Indy system. For edtFTPD you'd need to use the PassivePorts setting (see here).

> 3. Set the IP address given in PASV replies to your NAT's external Internet IP address using the OnPASVReply event but do not change the IP address for clients that are also on the internal network."
>
> Am I right to conclude that 1 and 2 can be done now, as it is?
> I guess that you have implemented 2 as the passive... n n command?
> But what about 3 - that is exactly what I want to try! How is the OnPASVReply event implemented? And how can I configure the PASV reply to be my firewall's external interface?
> Very interested to make this work :)
>
> Mic


Yes, you can do this with edtFTPD. I think Odeon did what you're trying in this posting.

Just so that you know. edtFTPD is based on ProFTPD so you can use the ProFTPD configuration settings described in http://www.proftpd.org/docs/. As it says in my reply to Odeon's, make sure edtFTPD Manager is not running when you edit the etc/default.conf file.

- Hans (EDT Support)
0 votes
by
Hi Support,

Just want to thank you for the links. Found out that the docs for ProFTPD are the key to making it work. The directives MasqueradeAddress and VirtualHost make all the difference in the world! Am now doing FTPS over two firewalls with no problem. My testing has indicated that it is not the NAT/firewall that determines if it can succeed; it is only the configuration of the edtFTPD server that must be right, and assuming of course one knows his router cold. :P

Mic
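A checker for the symptom Hans explains (the firewall cannot rewrite an encrypted PASV reply) and for the Indy KB steps quoted above, added here as an example and not code from the thread or from EnterpriseDT: it parses the `227` PASV reply a client sees from outside the NAT and flags an RFC 1918 address (the MasqueradeAddress case) or a port outside the forwarded PassivePorts range. The control-peer address, the port range and both sample replies are constructed.

```python
import ipaddress
import re

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"^227\D*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# RFC 1918 ranges: an address in one of these is unreachable from outside the NAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv_reply(reply):
    """Return (ip, port) advertised in a 227 reply; raise ValueError if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(n > 255 for n in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv_reply(reply, control_peer, passive_ports):
    """Diagnose a PASV reply as seen by a client outside the NAT.

    control_peer  -- public address the client dialled on port 21
    passive_ports -- (low, high) port range the NAT forwards to the server
    Returns a list of problems; an empty list means the data channel can connect.
    """
    ip, port = parse_pasv_reply(reply)
    addr = ipaddress.ip_address(ip)
    problems = []
    if any(addr in net for net in RFC1918):
        # The symptom from the thread: the server hands out its internal address.
        problems.append("private address %s advertised; set MasqueradeAddress" % ip)
    elif ip != control_peer:
        problems.append("advertised %s but control connection is to %s" % (ip, control_peer))
    low, high = passive_ports
    if not low <= port <= high:
        problems.append("port %d outside forwarded PassivePorts range %d-%d" % (port, low, high))
    return problems


# Constructed sample replies (not captured from the poster's server).
BROKEN_REPLY = "227 Entering Passive Mode (192,168,1,20,195,89)\r\n"   # internal IP, port 50009
FIXED_REPLY = "227 Entering Passive Mode (203,0,113,10,234,96)\r\n"    # masqueraded IP, port 60000

if __name__ == "__main__":
    for reply in (BROKEN_REPLY, FIXED_REPLY):
        print(reply.strip(), "->", check_pasv_reply(reply, "203.0.113.10", (60000, 60100)) or "OK")
```

Run it against a real reply captured with the client's debug logging to see which of the three settings (address, port range, or both) is still wrong.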
