Setting Up an FTP Filter

You can set up an FTP filter on your server's public interface to filter FTP packets in the inbound or outbound direction. An inbound FTP filter might be required if public users connect to an FTP server in your private network. An outbound FTP filter might be required to allow certain users to bypass proxy services and connect directly to FTP servers on the public network.

When you set up an FTP filter, you can configure it to inspect for active FTP connections, passive FTP connections, or both. In active mode the FTP server opens the data connection itself, always from TCP port 20, to a port the client announced on the control channel; in passive mode the client opens the data connection to a dynamic port that the server announced. For tighter security, some administrators allow only active FTP connections in the inbound direction, so a private FTP server never has to accept an inbound data connection on a dynamic port. The distinction matters most with static filters, which must open the whole dynamic port range; a stateful filter opens only the single port that was negotiated on the control channel.

This section contains the following tasks:

  Setting Up a Stateful FTP Filter
  Setting Up Static Filters for FTP

Setting Up a Stateful FTP Filter

To set up a stateful FTP filter exception,

  1. Select Configure TCP/IP Filters > Packet Forwarding Filters > Exceptions.

  2. Press Ins to define a new exception.

  3. If you are creating an inbound exception, do the following:

    1. Specify All Interfaces for the Source Interface parameter.

    2. Specify the server's public interface for the Destination Interface parameter.

    3. Press Enter for Packet Type > select ftp-port-pasv-st.

      NOTE:  The packet type ftp-port-pasv-st allows both active and passive FTP connections. To allow active FTP connections only, select ftp-port-st. To allow passive FTP connections only, select ftp-pasv-st.

    4. If you want the server to forward FTP packets from certain public hosts only, specify Host or Network for the Src Addr Type parameter > enter the IP address for the Src IP Address parameter; otherwise, leave the setting for Src Addr Type as Any Address.

    5. If you want the server to forward FTP packets addressed to certain private hosts only, specify Host or Network for the Dest Addr Type parameter > enter the IP address for the Dest IP Address parameter; otherwise, leave the setting for Dest Addr Type as Any Address.

    6. Press Esc > select Yes to save the filter.

  4. If you are creating an outbound exception, do the following:

    1. Specify the server's private interface for the Source Interface parameter.

    2. Specify the server's public interface for the Destination Interface parameter.

    3. Press Enter for Packet Type > select ftp-port-pasv-st.

      NOTE:  The packet type ftp-port-pasv-st allows both active and passive FTP connections. To allow active FTP connections only, select ftp-port-st. To allow passive FTP connections only, select ftp-pasv-st.

    4. If you want the server to forward FTP packets from certain private hosts only, specify Host or Network for the Src Addr Type parameter > enter the IP address for the Src IP Address parameter; otherwise, leave the setting for Src Addr Type as Any Address.

    5. If you want the server to forward FTP packets addressed to certain public hosts only, specify Host or Network for the Dest Addr Type parameter > enter the IP address for the Dest IP Address parameter; otherwise, leave the setting for Dest Addr Type as Any Address.

    6. Press Esc > select Yes to save the filter.

    IMPORTANT:  The outbound stateful FTP filter does not allow packets for DNS name resolution to be forwarded to a DNS server on the public network. Users establishing an FTP connection to an FTP server must use the FTP server's IP address unless you set up a DNS filter.
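As an added example (not Novell's code and not part of this page), the following Python models the control-channel inspection that a stateful FTP filter performs for the three packet types named above: it parses PORT commands and 227 passive-mode replies, opens a data-channel pinhole only for the endpoint that was actually negotiated, and refuses a PORT command that names an address other than the client (the FTP bounce case). The policy constants, class names and the addresses in the constructed exchange are assumptions for illustration.

```python
"""
Constructed model of stateful FTP control-channel inspection.
Added example; not the product's filter engine.  Policy names mirror the
packet types in the procedure above; everything else is assumed.
"""
import re
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional

ACTIVE_ONLY = "ftp-port-st"        # PORT allowed, PASV refused
PASSIVE_ONLY = "ftp-pasv-st"       # PASV allowed, PORT refused
BOTH = "ftp-port-pasv-st"          # either mode

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode(groups):
    """h1,h2,h3,h4,p1,p2 -> (address, p1*256+p2); rejects octets > 255."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    return IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


@dataclass
class Pinhole:
    src: str                    # address allowed to open the data connection
    dst: str                    # address that accepts it
    dport: int                  # destination port of the data connection
    sport: Optional[int] = None # fixed source port (20 for active), None = any


@dataclass
class StatefulFtpFilter:
    policy: str
    client: IPv4Address
    server: IPv4Address
    pinholes: List[Pinhole] = field(default_factory=list)

    def inspect(self, direction, line):
        """direction 'c2s' = client command, 's2c' = server reply.
        Returns the Pinhole opened by this line, or None."""
        if direction == "c2s":
            m = PORT_RE.match(line)
            if not m or self.policy == PASSIVE_ONLY:
                return None
            addr, port = _decode(m.groups())
            # FTP bounce defence: the data connection must go back to the
            # client that sent PORT, and to an unprivileged port.
            if addr != self.client or port < 1024:
                return None
            hole = Pinhole(str(self.server), str(self.client), port, sport=20)
        else:
            m = PASV_RE.match(line)
            if not m or self.policy == ACTIVE_ONLY:
                return None
            addr, port = _decode(m.groups())
            # Only accept a passive port on the server itself.
            if addr != self.server or port < 1024:
                return None
            hole = Pinhole(str(self.client), str(self.server), port)
        self.pinholes.append(hole)
        return hole

    def data_allowed(self, src, dst, sport, dport):
        """Would a data-channel SYN from (src, sport) to (dst, dport) pass?"""
        return any(h.src == src and h.dst == dst and h.dport == dport
                   and (h.sport is None or h.sport == sport)
                   for h in self.pinholes)


# Constructed exchange for an inbound filter: public client 198.51.100.7
# talking to private FTP server 192.168.10.5 (both addresses assumed).
CLIENT = IPv4Address("198.51.100.7")
SERVER = IPv4Address("192.168.10.5")


def demo(policy):
    f = StatefulFtpFilter(policy, CLIENT, SERVER)
    r = {
        "port": f.inspect("c2s", "PORT 198,51,100,7,4,1"),    # client port 1025
        "bounce": f.inspect("c2s", "PORT 203,0,113,9,0,25"),  # third party, port 25
        "pasv": f.inspect("s2c", "227 Entering Passive Mode (192,168,10,5,195,80)."),
    }
    r["active_syn"] = f.data_allowed(str(SERVER), str(CLIENT), 20, 1025)
    r["passive_syn"] = f.data_allowed(str(CLIENT), str(SERVER), 40001, 50000)
    r["stray_syn"] = f.data_allowed(str(CLIENT), str(SERVER), 40002, 50001)
    return r


if __name__ == "__main__":
    for p in (BOTH, ACTIVE_ONLY, PASSIVE_ONLY):
        print(p, demo(p))
```

With ftp-port-pasv-st both pinholes open; with ftp-port-st the 227 reply opens nothing, and with ftp-pasv-st the PORT command opens nothing. In every case the bounce PORT and the stray SYN to an unnegotiated port are refused, which is the property the static filters in the next task cannot give you.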


Setting Up Static Filters for FTP

If you do not want to configure a stateful FTP exception, you can create static filters instead.

To allow public hosts to establish active FTP connections to a server in the private network, configure the following inbound and outbound filter exceptions:

If you want to allow users in your private network to establish passive FTP connections to public servers, configure additional filter exceptions for dynamic/tcp in both directions so dynamic ports can be used as the data channel instead of port 20. Enable ACK bit filtering for the inbound dynamic/tcp exception so that public hosts cannot use it to open new connections to dynamic ports on private hosts; the outbound exception must pass the private client's initial SYN to the server's passive port, so it cannot require the ACK bit.

IMPORTANT:  These filters do not allow users to establish FTP connections using the FTP server's DNS name. A DNS filter is required.
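As an added example (not the product's filter engine and not part of this page), the following Python models the static exceptions for inbound active FTP and for outbound passive FTP as stateless rules, runs constructed packet sequences through them, and shows what ACK bit filtering changes. It assumes control port 21, active data port 20, that dynamic/tcp means TCP ports 1024 to 65535, and that ACK bit filtering on an exception means a packet must carry the TCP ACK flag to match it; the class names and port numbers in the traffic are assumptions for illustration.

```python
"""
Constructed model of static (stateless) FTP filter exceptions.
Added example; not the product's filter engine.  Port numbers and the
meaning of dynamic/tcp and ACK bit filtering are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Union

DYNAMIC = range(1024, 65536)              # assumed meaning of "dynamic/tcp"
PortSpec = Optional[Union[int, range]]    # None = any port


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = public -> private, "out" = private -> public
    sport: int
    dport: int
    ack: bool        # TCP ACK flag set; False for a bare SYN


@dataclass(frozen=True)
class StaticException:
    direction: str
    sport: PortSpec = None
    dport: PortSpec = None
    ack_only: bool = False   # "ACK bit filtering" enabled on this exception

    @staticmethod
    def _port_ok(spec, port):
        if spec is None:
            return True
        return port == spec if isinstance(spec, int) else port in spec

    def matches(self, p):
        return (p.direction == self.direction
                and self._port_ok(self.sport, p.sport)
                and self._port_ok(self.dport, p.dport)
                and (p.ack or not self.ack_only))


# Active FTP from public clients to a private server: control in to 21,
# replies out from 21; the server opens the data channel from port 20.
ACTIVE_INBOUND = [
    StaticException("in",  dport=21),
    StaticException("out", sport=21, ack_only=True),
    StaticException("out", sport=20),                  # server's data SYN
    StaticException("in",  dport=20, ack_only=True),   # client's data replies
]

# Passive FTP from private users to public servers: control out to 21,
# replies in from 21; the client opens the data channel to a dynamic port.
PASSIVE_OUTBOUND = [
    StaticException("out", dport=21),
    StaticException("in",  sport=21, ack_only=True),
    StaticException("out", sport=DYNAMIC, dport=DYNAMIC),   # client's data SYN
    StaticException("in",  sport=DYNAMIC, dport=DYNAMIC, ack_only=True),
]


def forwarded(rules, packet):
    """Stateless decision: default deny, forward if any exception matches."""
    return any(r.matches(packet) for r in rules)


def check(rules, packets):
    return [forwarded(rules, p) for p in packets]


def without_ack_filtering(rules):
    """Same exceptions with ACK bit filtering switched off, for comparison."""
    return [StaticException(r.direction, r.sport, r.dport, False) for r in rules]


# Constructed packet sequences (all ports assumed).
ACTIVE_TRAFFIC = [
    Packet("in",  40001, 21, False),    # control SYN                     -> pass
    Packet("out", 21, 40001, True),     # SYN/ACK                         -> pass
    Packet("out", 20, 40002, False),    # server opens data to client     -> pass
    Packet("in",  40002, 20, True),     # client's data ACKs              -> pass
    Packet("in",  40003, 20, False),    # outsider's bare SYN to port 20  -> drop
]

PASSIVE_TRAFFIC = [
    Packet("out", 50001, 21, False),    # control SYN                     -> pass
    Packet("in",  21, 50001, True),     # SYN/ACK                         -> pass
    Packet("out", 50002, 60000, False), # client SYN to passive port      -> pass
    Packet("in",  60000, 50002, True),  # server's data replies           -> pass
    Packet("in",  44444, 3389, False),  # outsider's SYN to private port  -> drop
]

if __name__ == "__main__":
    print("active ", check(ACTIVE_INBOUND, ACTIVE_TRAFFIC))
    print("passive", check(PASSIVE_OUTBOUND, PASSIVE_TRAFFIC))
    print("passive, no ACK filtering",
          check(without_ack_filtering(PASSIVE_OUTBOUND), PASSIVE_TRAFFIC))
```

Run as written, the last packet of each sequence is dropped; with ACK bit filtering removed from the inbound dynamic/tcp exception, the outsider's SYN to a private dynamic port is forwarded. ACK bit filtering only stops connection attempts: a packet that arrives with the ACK flag set and no matching connection (an ACK scan) still matches the exception, which is one reason the stateful filter in the previous task is the better choice where it is available.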


