SSL FTP through the firewall using FileZilla

I've confirmed that the firewall is the issue here. I can make the SSL FTP connection, but when FileZilla tries to do a directory listing, it's blocked because that (random) port isn't open. When I try the connection behind the firewall, everything's hunky dory.

Has anyone else experienced this, and if you did, were you able to get past it?
******************************************************************************

Normally, FTP control connection is on port 21. Though, there's another port that's sometimes used for SSL FTP. (but, not always!)

In active FTP, the "origin" (or "source") port number for data connections should always be 20 -- so if that's allowed through your firewall, you should be okay.

Unfortunately, many people will read my previous statement and assume that I mean something different from what I just said. Whenever you make a TCP connection (regardless of what application protocol you're using) there's always TWO ports involved. There's the origin port (the port used by the program that's originating the connection) and the destination port (the port that it's connecting to.)

Normally, we don't give much thought to the origin port. Usually, the firewalls are configured according to the destination port. That would be port 21 for FTP control channel, port 23 for telnet, port 80 for HTTP, etc. These are the well-known port numbers. Normally the origin port is selected by the operating system at random, and it's not used, certainly never used in a firewall configuration.

However, FTP is one exception. FTP's data channels, when in ACTIVE mode, will always have an ORIGIN of 20, and use a random port for the destination. That's backwards of the way everything else works! But, you SHOULD be able to configure your firewall so that anything that's going FROM port 20 on the Internet, to a random port on your network is allowed. (As opposed to the normal circumstance of FROM a random port on your network TO a fixed port on the Internet )

Unfortunately, I only know for sure that plain-text FTP works that way, I don't know for sure that SSL FTP works that way, but I would assume so. (You should be able to tell by looking at the connection statuses)

The more common alternative (which I already suggested) is to allow ALL outgoing connections from your network, but only block incoming ones. In that scenario, passive mode will work just fine.

Note that if you're using NAT, the passive mode solution will work, but the active mode (port 20) solution WON'T because NAT will re-map the IP addresses and ports, which will confuse FTP. A good NAT implementation will sniff the packets looking for the port number being sent, and will change it in the TCP packets as well, but this doesn't work with SSL because of the encryption.

So if you're using NAT, you'll want to use passive mode, and allow all outgoing connections from your firewall.

I guess the final alternative is to figure out the range of ephemeral ports that IBM uses in their FTP software, and open them all through your firewall. I know that FreeBSD (a free variant of Unix, much like Linux) lets you control what the ephemeral port range is -- but as far as I know, IBM doesn't let you control that in i5/OS, nor do they tell you what the range is. So that's hard to work with.

This is one reason why so many people use SSH or HTTP instead of FTP/SSL for sending secure documents. This port number business really messes up firewalls.
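As an added illustration of the active/passive port behaviour described above (not code from the thread), the following decodes the h1,h2,h3,h4,p1,p2 tuple that PORT and PASV carry on the control channel and shows which side a stateless firewall sees as the originator. The sample PORT command, PASV reply, addresses and the 192.168.1.0/24 "LAN" are constructed; NAT is not modelled.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed samples of what the FTP control channel carries in each mode.
SAMPLE_PORT_CMD = "PORT 192,168,1,50,195,80"                          # active: client listens on 192.168.1.50:50000
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (203,0,113,7,234,17)"  # passive: server listens on 203.0.113.7:59921

def decode_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 form shared by PORT and PASV (RFC 959)."""
    m = re.search(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def data_connection(mode, line, client_ip, server_ip):
    """Return (src_ip, src_port, dst_ip, dst_port) of the data connection as a firewall sees it.

    Active: the server originates FROM port 20 TO the socket the client announced with PORT.
    Passive: the client originates from an ephemeral port TO the socket the server announced in 227.
    """
    ip, port = decode_hostport(line)
    if mode == "active":
        return (server_ip, 20, ip, port)
    if mode == "passive":
        return (client_ip, None, ip, port)   # None: ephemeral, picked by the client's OS
    raise ValueError("unknown mode %r" % mode)

LAN = ip_network("192.168.1.0/24")   # constructed: the network behind the firewall

def firewall_allows(conn, allow_from_port_20):
    """Stateless policy from the thread: anything outbound from the LAN is allowed;
    inbound is allowed only when allow_from_port_20 is set and the remote origin port is 20."""
    src_ip, src_port, dst_ip, dst_port = conn
    if ip_address(src_ip) in LAN:
        return True                       # outbound: always permitted
    return allow_from_port_20 and src_port == 20
```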

******************************************************************************
You might also be interested in the following APAR from IBM:

Abstract
FTP Clear Command Channel

Error Description
With the support of FTP using SSL/TLS, a NAT firewall can no longer look at/change the information passed on an FTP control connection.

Problem Summary
With the support of FTP using SSL/TLS, a NAT firewall can no longer look at/change the information passed on an FTP control connection.

Problem Conclusion
FTP client subcommand CCC

FTP supports two kinds of transmission modes: the clear text mode and the encrypted mode. If you use the clear text mode in an FTP control connection, you take the risk of exposing your sensitive information to an intruder. If you use the encrypted mode, the firewall is not able to monitor or change the information sent within the FTP control connection. Thus the firewall cannot perform some functions such as network address translation.

The Clear Command Channel (CCC) subcommand changes the transmission mode in a control connection from the encrypted mode to the clear text mode. Thus, you can secure sensitive information including your user name and password by sending them in the encrypted mode in the control connection. Then you can use the CCC subcommand to change to clear text mode to send the port and IP information.

Note: After using the CCC subcommand, you will send all your information in the clear text mode in the control connection. If the names of files or directories on your system contain sensitive information, be aware that any names sent on the control connection after running the CCC subcommand are not protected. However, the data connection transmission mode remains intact and the data transfer that happens afterward is still secure.

Customers can either allow or disallow an individual user to use CCC by granting the private authority to QIBM_QTMF_CLIENT_REQ_10 via the CHGFCNUSG command or via iSeries Navigator Application Administration support.

For example:
CHGFCNUSG FCNID(QIBM_QTMF_CLIENT_10) USER(user) USAGE(*ALLOWED)

FTP Server Subcommand CCC

When FTP server receives a Clear Command Channel (CCC) subcommand, it first checks whether or not the current user has the authority to perform the CCC command. If the user has the authority, it then accepts the command by sending a confirm message back to the FTP client side, then the FTP server changes the transmission mode in a control connection from the encrypted mode to the clear text mode.

The Clear Command Channel (CCC) subcommand changes the transmission mode in a control connection from the encrypted mode to the clear text mode. Thus, you can secure sensitive information including your user name and password by sending them in the encrypted mode in the control connection. Then you can use the CCC subcommand to change to the clear text mode and send the port and IP information.

Security Concerns:

Note that there are potential security/integrity exposures with using the CCC approach as compared to full encryption of the control connection.

First, this results in file and directory names on the FTP server to be subject to interception. It is possible that such names themselves could contain sensitive or confidential information.

Second, IP address/port information transferred on the control connection is subject to interception by hackers.

Finally, some other "direct" TCP attacks on an FTP server, or using an FTP server to attack other systems, are completely eliminated when a secure control connection is used. Some of those are now again possible when the control connection reverts to "clear" mode.

Because of these concerns, usage of the CCC subcommand is controlled using the i5/OS Function Usage interface, and the default setting for CCC is *DENIED for the FTP server.

To allow an individual user logged into the FTP server to use the CCC subcommand for ending protection of the control connection, give *ALLOWED usage to the QIBM_QTMF_SERVER_REQ_10 function via the CHGFCNUSG command or iSeries Navigator Application Administration support. For example:

CHGFCNUSG FCNID(QIBM_QTMF_SERVER_REQ_10) USER(user) USAGE(*ALLOWED)

To allow all users to perform this function, change the default authority of this function to *ALLOWED.

RFC 4217, Securing FTP with TLS, talks about Clear Command Channel.

It discusses the CCC FTP Command that can be used to disable encryption so that NAT can see the port numbers and adjust them accordingly. (With the obvious drawback that encryption has been turned off, and therefore the filenames and stuff like that are visible unencrypted).

It provides a PTF for V5R4 that enables this CCC command -- which isn't available in i5/OS, otherwise.

(Though, since you're using FileZilla, you might look to see if FileZilla already supports CCC)
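To make the CCC trade-off in the APAR concrete, here is an added example (not from the thread or from IBM) that walks a constructed FTPS control-channel transcript the way a NAT box would: lines before AUTH TLS is accepted and after CCC is accepted are readable to it, everything in between is ciphertext, and the data channel stays under PROT P either way. The session contents (user, password, host tuple, file name) are made up.

```python
# Constructed FTPS transcript: ("C", line) is sent by the client, ("S", line) by the server.
# Command and reply codes follow RFC 2228/4217 (AUTH TLS -> 234, PBSZ/PROT/CCC -> 200).
SESSION = [
    ("C", "AUTH TLS"), ("S", "234 AUTH TLS OK"),
    ("C", "USER alice"), ("S", "331 Enter password"),
    ("C", "PASS s3cret"), ("S", "230 Logged in"),
    ("C", "PBSZ 0"), ("S", "200 PBSZ=0"),
    ("C", "PROT P"), ("S", "200 Data channel protected"),
    ("C", "CCC"), ("S", "200 Command channel now clear"),
    ("C", "PASV"), ("S", "227 Entering Passive Mode (203,0,113,7,234,17)"),
    ("C", "RETR payroll-q3.xlsx"), ("S", "150 Opening data connection"),
]

def middlebox_view(session):
    """Replay the control channel as a NAT/firewall observes it.

    Returns (visible, data_protected): visible is the list of control-channel lines the
    middlebox can read in clear text; data_protected tells whether the data channel is
    still under TLS (PROT P), which CCC does not change.
    """
    encrypted = False        # control channel is clear until the server accepts AUTH TLS
    pending = None           # client command awaiting its reply
    data_protected = False
    visible = []
    for who, line in session:
        if not encrypted:
            visible.append(line)
        if who == "C":
            parts = line.split()
            pending = parts[0].upper()
            if pending == "PROT":
                data_protected = parts[1].upper() == "P"
            continue
        ok = line.startswith("2")      # 2yz = positive completion reply
        if pending == "AUTH" and ok:
            encrypted = True           # TLS handshake follows; later lines are ciphertext
        elif pending == "CCC" and ok:
            encrypted = False          # the 200 itself is still encrypted; after it, clear text
        pending = None
    return visible, data_protected
```

Dropping the CCC exchange from the transcript leaves only the AUTH TLS lines visible, which is the situation that breaks NAT in the original question.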