The FTP proxy is available only as a transparent proxy in the zones where it has been enabled, and allows the files downloaded via FTP to be scanned for viruses. The Endian UTM Appliance employs frox as its FTP proxy.
Only connections to the standard FTP port (21) are redirected to the proxy. This means that if a client is configured to use the HTTP proxy also for the FTP protocol, the FTP proxy settings will be bypassed.
A few options can be configured in this page:
FTP proxy and FTP client’s active and passive mode.
The Endian UTM Appliance supports transparent FTP proxying with frox if and only if it is directly connected to the Internet.
Problems may also arise when the FTP transparent proxy is enabled and there is a NAT device between the Endian UTM Appliance and the Internet. In this setup, any FTP connection to a remote FTP site is blocked until it times out, and messages like the following appear in the logs:
Mon Mar 2 11:32:02 2009 frox Connection timed out when trying to connect to <your ftp client ip>
Mon Mar 2 11:32:02 2009 frox Failed to contact client data port
To overcome this problem, the FTP client should be configured to use passive mode (PASV) as its transfer mode, and a rule must be created in the system access firewall that allows traffic on ports 50000 to 50999 from the NAT device. For security reasons, though, these ports should be opened only when necessary. To understand the motivation for this setup, here is a more detailed description of how active and passive modes work and how they interact with the FTP proxy.
Active mode requires that the server (in our case, the FTP proxy) initiate the data connection to the client. However, a NAT device between the clients and the proxy prevents the connection from the server from ever reaching the client. For this reason the client must use passive mode.
With passive mode, the FTP client is required to initiate the data connection to the server (again, the FTP proxy) on a dynamic port, which has been negotiated through the control connection. The FTP proxy listens on that port, but the system access firewall needs to allow traffic to that port.
Since multiple concurrent data connections can try to reach the FTP proxy, it is necessary to allow connections for a whole port range. Therefore all the ports reserved for passive data connections (i.e., 50000-50999) need to be allowed by the system access firewall.
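As an added example (not part of the Endian documentation or of frox), the following Python decodes the port negotiated in a PASV reply, checks it against the 50000-50999 range the system access firewall must open, and flags the frox log messages quoted above; the 192.0.2.10 client address and the sample log lines are constructed.

```python
import re

# Port range the Endian FTP proxy reserves for passive data connections (from the page).
PASV_PORT_RANGE = (50000, 50999)

# RFC 959 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# frox log line as shown above: "<day> <mon> <dd> <hh:mm:ss> <yyyy> frox <message>".
FROX_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) frox (.+)$")

# Messages frox logs when an active-mode data connection cannot reach the client.
ACTIVE_MODE_SYMPTOMS = (
    "Connection timed out when trying to connect to",
    "Failed to contact client data port",
)


def parse_pasv_reply(line):
    """Decode a 227 reply into (host, port); the data port is p1 * 256 + p2."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("field exceeds one byte in: %r" % line)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def data_port_allowed(port, port_range=PASV_PORT_RANGE):
    """True if the negotiated data port lies inside the range the firewall rule opens."""
    lo, hi = port_range
    return lo <= port <= hi


def active_mode_failures(log_lines):
    """Return (timestamp, message) for frox entries showing the active-mode-behind-NAT symptom."""
    hits = []
    for line in log_lines:
        m = FROX_RE.match(line.strip())
        if m and any(m.group(2).startswith(s) for s in ACTIVE_MODE_SYMPTOMS):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    # Constructed sample input: one PASV reply from the proxy and the two log lines quoted above.
    host, port = parse_pasv_reply("227 Entering Passive Mode (192,168,0,15,195,88)")
    print(host, port, data_port_allowed(port))  # 192.168.0.15 50008 True
    log = ["Mon Mar 2 11:32:02 2009 frox Connection timed out when trying to connect to 192.0.2.10",
           "Mon Mar 2 11:32:02 2009 frox Failed to contact client data port"]
    print(len(active_mode_failures(log)))  # 2
```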