The FTP proxy is available only as a transparent proxy in the enabled zones and allows files downloaded via FTP to be scanned for viruses. The Endian UTM Appliance employs frox as its FTP proxy.
Note
Only connections to the standard FTP port (21) are redirected to the proxy. This means that if a client is configured to use the HTTP proxy also for the FTP protocol, settings for the FTP proxy will be bypassed.
A few options can be configured in this page:
Enable the FTP proxy on each zone. Only available on the activated zones.
Log the outgoing connections in the firewall.
Allow the clients written in the textarea below to directly access remote sites, without passing through the FTP proxy. IP addresses, subnets, and MAC addresses can be provided, one per line.
Allow clients to directly access the remote sites written in the textarea below, without passing through the FTP proxy. IP addresses and subnets can be provided, one per line.
FTP proxy and FTP client’s active and passive mode.
The Endian UTM Appliance supports transparent FTP proxying with frox if and only if it is directly connected to the Internet.
Problems may also arise when the FTP transparent proxy is enabled and there is a NAT device between the Endian UTM Appliance and the Internet. In this setup, any FTP connection to a remote FTP site will be blocked until it times out, and messages like the following will appear in the logs:
Mon Mar 2 11:32:02 2009 frox[18450] Connection timed out when trying to connect to 192.168.1.2
Mon Mar 2 11:32:02 2009 frox[18450] Failed to contact client data port
In this example, 192.168.1.2 is the IP address of the client trying to access a remote FTP site.
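As an added example (not part of the Endian documentation or of frox itself), the following Python snippet shows how an administrator could scan frox log output for the pair of messages quoted above and list the NAT-ed clients that hit the active-mode timeout. The log lines in SAMPLE_LOG are constructed for the example, modelled on the two lines shown in the text; the regular expressions assume frox keeps the same "timestamp frox[pid] message" layout.

```python
import re
from dataclasses import dataclass

# Constructed sample of frox log output, modelled on the lines quoted in the text.
SAMPLE_LOG = """\
Mon Mar 2 11:32:02 2009 frox[18450] Connection timed out when trying to connect to 192.168.1.2
Mon Mar 2 11:32:02 2009 frox[18450] Failed to contact client data port
Mon Mar 2 11:40:10 2009 frox[18461] Connection timed out when trying to connect to 192.168.1.7
Mon Mar 2 11:40:10 2009 frox[18461] Failed to contact client data port
Mon Mar 2 11:41:00 2009 frox[18470] Connection timed out when trying to connect to 192.168.1.9
"""

# Assumed layout: "<day> <mon> <dd> <hh:mm:ss> <yyyy> frox[<pid>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"frox\[(?P<pid>\d+)\] (?P<msg>.*)$"
)
TIMEOUT_RE = re.compile(r"Connection timed out when trying to connect to (?P<ip>[\d.]+)")
DATA_PORT_MSG = "Failed to contact client data port"


@dataclass
class Finding:
    pid: int
    client_ip: str
    timestamp: str


def find_active_mode_failures(log_text: str) -> list[Finding]:
    """Return one Finding per frox process that first timed out connecting to a
    client address and then reported that it could not reach the client's data
    port. A timeout without the follow-up message is not reported."""
    pending: dict[int, tuple[str, str]] = {}  # pid -> (client_ip, timestamp)
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not frox messages
        pid = int(m.group("pid"))
        msg = m.group("msg")
        t = TIMEOUT_RE.match(msg)
        if t:
            pending[pid] = (t.group("ip"), m.group("ts"))
        elif msg == DATA_PORT_MSG and pid in pending:
            ip, ts = pending.pop(pid)
            findings.append(Finding(pid=pid, client_ip=ip, timestamp=ts))
    return findings


def affected_clients(log_text: str) -> set[str]:
    """Distinct client addresses that frox could not reach for an active-mode data connection."""
    return {f.client_ip for f in find_active_mode_failures(log_text)}


if __name__ == "__main__":
    for f in find_active_mode_failures(SAMPLE_LOG):
        print(f"{f.timestamp}: frox pid {f.pid} could not open a data connection to {f.client_ip}")
```

Each address reported by affected_clients is a client that still uses active mode behind the NAT device; those are the hosts to reconfigure for passive mode as described below.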
To overcome these problems, the FTP client should be configured to use passive mode (PASV) as its transfer mode, and a rule under
must be created that allows traffic on ports 50000 to 50999 for the NAT-ed client. For security reasons, though, these ports should be enabled only if necessary. To understand the motivation for this setup, here is a more detailed description of how active and passive modes work and how they interact with the FTP proxy.
Active mode requires that the server (which in this case is the FTP proxy) initiate the data connection to the client. However, a NAT device between the clients and the proxy causes the connection from the server to never reach the client. For this reason the client must use passive mode.
With passive mode, the FTP client is required to initiate the data connection to the server (again, the FTP proxy) on a dynamic port that has been negotiated through the control connection. The FTP proxy listens on that port, but the system access firewall must allow traffic to it.
Since multiple concurrent data connections can try to reach the FTP proxy, it is necessary to allow connections for a whole port range. Therefore all the ports reserved for passive data connections (i.e., 50000-50999) need to be allowed by the system access firewall.
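As an added example (not code from Endian or frox), the following Python snippet decodes the two FTP control messages behind the explanation above: the client's PORT command (active mode, the server connects back to the address the client advertises) and the server's 227 reply (passive mode, the client connects to the port the server advertises). It then applies the two checks the text describes: in active mode the advertised address is useless when it is a private address behind a NAT device, and in passive mode the negotiated port must fall inside the 50000-50999 range the system access rule opens. The control-message samples and the private-network list are constructed for the example; the host and port encoding (port = p1 * 256 + p2) is the standard FTP one.

```python
import re
from ipaddress import ip_address, ip_network

# Passive data-port range reserved by the proxy, as stated in the text (50000-50999 inclusive).
PASSIVE_PORT_RANGE = range(50000, 51000)

# RFC 1918 networks, used to recognise an address that a proxy on the far side of a NAT cannot reach.
PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# "PORT h1,h2,h3,h4,p1,p2" sent by the client in active mode.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" sent by the server in passive mode.
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(parts) -> tuple[str, int]:
    """Turn the six comma-separated FTP fields into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in parts)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_port_command(line: str) -> tuple[str, int]:
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command")
    return decode_hostport(m.groups())


def parse_pasv_reply(line: str) -> tuple[str, int]:
    m = PASV_RE.match(line)
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    return decode_hostport(m.groups())


def is_private(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def check_data_connection(line: str, nat_between_client_and_proxy: bool,
                          allowed: range = PASSIVE_PORT_RANGE) -> tuple[bool, str]:
    """Decide whether the data connection announced by a control message can succeed.

    Returns (ok, reason). Active mode fails when the proxy would have to connect
    back to a private client address across a NAT device; passive mode fails
    when the negotiated port is outside the range the access firewall allows."""
    if line.upper().startswith("PORT "):
        ip, port = parse_port_command(line)
        if nat_between_client_and_proxy and is_private(ip):
            return False, f"active mode: proxy cannot reach client data port {ip}:{port} behind NAT"
        return True, f"active mode: proxy connects to {ip}:{port}"
    if line.startswith("227 "):
        ip, port = parse_pasv_reply(line)
        if port not in allowed:
            return False, f"passive mode: port {port} is outside the allowed range"
        return True, f"passive mode: client connects to {ip}:{port}"
    raise ValueError("not a data-connection control message")


if __name__ == "__main__":
    # Constructed messages: a NAT-ed client advertising its private address, and two proxy replies.
    for msg in ("PORT 192,168,1,2,195,80",
                "227 Entering Passive Mode (203,0,113,10,195,80)",
                "227 Entering Passive Mode (203,0,113,10,199,64)"):
        print(msg, "->", check_data_connection(msg, nat_between_client_and_proxy=True))
```

The first sample reproduces the failure in the quoted log: the client advertises 192.168.1.2, so the proxy's connection attempt times out. The second negotiates port 50000, which the access rule admits; the third negotiates 51008, which lies outside 50000-50999 and is dropped even though the client correctly uses passive mode.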