Passive FTP & port forwarding

Contributor
January 9, 2007
Hi, I have an ftp, dns, mail and a web server (different machines) behind a fortigate 60, fortios 3 mr2. I have only one public IP address so I must use VIP port forwarding. Web server, mail server, dns and active ftp work with VIP. Simply:

  • Port 80 -> web server ip
  • Port 25 -> mail server ip
  • Port 53 -> dns ip
  • Port 21 -> ftp ip

Also there are firewall policies:

  • external -> web VIP (nat is not checked)
  • external -> mail VIP (nat is not checked)
  • external -> dns VIP (nat is not checked)
  • external -> ftp VIP (nat is not checked)

Nat is not checked because in server logs I can see which "real" IPs were connected to my servers. If I check nat it also works, but I can only see my fortigate connecting to my servers. But there is an exception: fortigate translates address and port for ftp anyway. This doesn't disturb active ftp sessions because the server connects to the client. To employ passive connections I first make the ftp server use defined passive ports (let's say 5000-5050). Then I add a VIP to fortigate: port 5000-5050 -> ftp server (5000-5050) and a firewall policy external -> passive ftp (nat is not checked), and the result is "it doesn't work" :) The problem is the client enters pasv and the server replies with the port to connect to, but fortigate translates it. For example: the server replies port 5012. Fortigate translates it to 10321. The client tries to connect to 10321 but there is no VIP with port forwarding on this port. The VIP is between the ports 5000-5050. Any suggestions to make passive connection work? Thanks in advance. Batuhan Kisacikoglu


    rwpatterson
    New Member
    January 9, 2007
    Try checking the 'Fixed Port' option in the policy.
    Contributor
    January 9, 2007
    I have tried "fixed port" before, nothing changed. The main problem is that the translation is not changing packet headers. The ftp log shows external addresses connecting to the server. The problem is fortigate changes the reply of the server on the fly.

    > PASV                                              (sent by client)
    < 227 Entering Passive Mode (80,xx,xx,xx,213,152)   (sent by server)

    The 227 message indicates that I can connect to port (213*256+152=)54680. When I receive this message I also netstat'ed on the ftp server. The server is waiting for a connection on port 5020 as I configured. So the reply is changed. Fixed port is not working because there is no translation; the client tries to connect to a totally wrong port. Why is fortigate changing the reply? Is it a bug or intentionally made for other functionality that I didn't consider? In an active ftp session "port" is sent by the client and fortigate doesn't change the port when passing it to the server. Within the same subnet passive mode works without problem, so there is no configuration error on the server.
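As an added illustration of the diagnosis in the question and in the reply above (this is example code, not something from the thread or from Fortinet), the following Python decodes the FTP `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply the way a client does (port = p1*256 + p2, per RFC 959), encodes a host/port pair back into that form, and compares the port a client is told to use against the VIP range that is actually forwarded. When the server's real listening port is known (from netstat on the server, as in the reply), it also reports whether the reply was rewritten in transit. The sample replies, the VIP range 5000-5050 and the public address 203.0.113.5 (a documentation address standing in for the single public IP, which the post redacts as 80.xx.xx.xx) are constructed for the example.

```python
"""Decode FTP 227 (PASV) replies and check the advertised data port against a
port-forwarding range. Added example; the sample data below is constructed."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227\b.*?\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})"
    r"\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*\)"
)


@dataclass(frozen=True)
class PasvEndpoint:
    host: str
    port: int


def parse_pasv_reply(line: str) -> PasvEndpoint:
    """Return the host and data port a 227 reply tells the client to use."""
    m = PASV_RE.search(line.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {line!r}")
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range in: {line!r}")
    host = ".".join(str(n) for n in nums[:4])
    return PasvEndpoint(host, nums[4] * 256 + nums[5])


def pasv_tuple(host: str, port: int) -> str:
    """Encode host/port the way a server writes them inside a 227 reply."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    octets = host.split(".")
    if len(octets) != 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {host!r}")
    return f"({','.join(octets)},{port // 256},{port % 256})"


def check_passive_forwarding(reply: str, vip_range: Tuple[int, int],
                             listening_port: Optional[int] = None) -> dict:
    """Compare the advertised data port with the forwarded VIP range.

    If listening_port (the port the server really opened, e.g. from netstat on
    the server) is given, also report whether the reply was rewritten in transit.
    """
    ep = parse_pasv_reply(reply)
    lo, hi = vip_range
    in_range = lo <= ep.port <= hi
    rewritten = None if listening_port is None else (ep.port != listening_port)
    if rewritten:
        verdict = (f"rewritten in transit: server listens on {listening_port}, "
                   f"client told {ep.port}")
        if not in_range:
            verdict += f"; no VIP forwards {ep.port} (range is {lo}-{hi})"
    elif in_range:
        verdict = "ok"
    else:
        verdict = f"port {ep.port} outside forwarded range {lo}-{hi}"
    return {"host": ep.host, "advertised_port": ep.port,
            "port_in_vip_range": in_range, "rewritten": rewritten,
            "verdict": verdict}


# Constructed sample exchange (203.0.113.5 is a placeholder public address).
SAMPLE_SERVER_REPLY = "227 Entering Passive Mode (203,0,113,5,19,156)"   # what the server sent: port 5020
SAMPLE_CLIENT_SAW = "227 Entering Passive Mode (203,0,113,5,213,152)"    # what the client received: port 54680
VIP_RANGE = (5000, 5050)   # the passive range forwarded by the VIP
SERVER_LISTENING_PORT = 5020   # as seen with netstat on the server

if __name__ == "__main__":
    for reply in (SAMPLE_SERVER_REPLY, SAMPLE_CLIENT_SAW):
        result = check_passive_forwarding(reply, VIP_RANGE, SERVER_LISTENING_PORT)
        print(f"{reply!r} -> {result['verdict']}")
```

Run on the two constructed replies, the server's own reply checks out as "ok" while the reply the client received is flagged as rewritten with the advertised port 54680 outside the 5000-5050 range, which is exactly the symptom the thread describes: a capture on the server side and on the client side of the same 227 line is enough to tell a misconfigured passive range from an in-path rewrite.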
    Contributor
    January 12, 2007
    Hi, the Fortigate "ftp-protocol-helper" does that rewrite (so you don't have to add a range & policy for passive transfers). This does work with Virtual IPs; I haven't tried port forwarding though. Perhaps you should remove the port forwarding, as you already use a VIP for the passive range. You then could remove the policy for the passive port range (and add one for FTP). But: you'll need that passive port range for encrypted transfers, because the protocol helper won't work in that case. HTH, Manuel Martin
    Contributor
    January 19, 2007
    Yes it's clever :) But as said before, the problem is I must use port forwarding because I have one IP and 4 servers. Result is I must register 3 more IPs or live with active ftp :) Thanks for all replies
    Contributor
    February 21, 2007
    I had the same problem, but with the hint "ftp-protocol-helper" from the posting above I was able to solve my problem :) I remapped the FTP port for the session helper to another one, so that it doesn't remap my passive ftp transfer anymore ;) On the CLI type "config system session-helper", next type show and locate your ftp helper; in my case it was number 8, so I typed "edit 8" next. Now change the port that the session helper scans for the ftp protocol to something different: type "set port 31" when you're sure you don't need port 31 for anything else. In my case it's working perfectly and I hope this mod hasn't any side effects. Roland
    Contributor
    February 22, 2007
    Oh, perfect solution... I must confess that I didn't even think to change the "ftp-protocol-helper" configuration because I was thinking that there was no configuration for the session helper :). Anyway I will follow your solution also. Thanks...
    Contributor
    March 13, 2007
    It has one side effect. If you have not only servers but users behind fortigate, they cannot connect to ftp sites with an active connection, since the session helper really helps active connections. No side effect for passive connections. But I let users use high port ranges. Maybe with a strict port policy that allows using only custom ports there can also be a problem.