Setting Up an FTP Filter

You can set up an FTP filter on your server's public interface to filter FTP packets in the inbound or outbound direction. An inbound FTP filter might be required if public users connect to an FTP server in your private network. An outbound FTP filter might be required to allow certain users to bypass proxy services and connect directly to FTP servers on the public network.

When you set up an FTP filter, you can configure it to inspect for active FTP connections, passive FTP connections, or both. For tighter security, some administrators allow only active FTP connections in the inbound direction, because in active mode the server always opens the data connection from port 20. In contrast, passive FTP connections use whatever dynamic port is available, so the data channel cannot be pinned to a single port.
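To make concrete what a stateful FTP filter (the ftp-port-st, ftp-pasv-st and ftp-port-pasv-st packet types) has to learn from the control channel, here is an added example that is not Novell or BorderManager code. It models the inspection: a PORT command from the client or a 227 reply from the server is parsed, checked, and turned into a single "pinhole" for the expected data connection; the allow_active and allow_passive switches stand for the three packet-type choices. The addresses, ports, the DYNAMIC_PORT_MIN policy and the session transcript are constructed for the illustration.

```python
# Added example (not Novell/BorderManager code): a model of what a stateful
# FTP filter derives from the control channel before it admits a data
# connection. Addresses, ports and the transcript below are constructed.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

FTP_CONTROL_PORT = 21
FTP_ACTIVE_DATA_PORT = 20   # server's source port for active-mode data
DYNAMIC_PORT_MIN = 1024     # assumption: a passive data port must be a dynamic port

# "PORT h1,h2,h3,h4,p1,p2" from the client; "227 ... (h1,h2,h3,h4,p1,p2)" from the server
_PORT_CMD = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
                       re.IGNORECASE)
_PASV_REPLY = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def decode_hostport(groups: Tuple[str, ...]) -> Tuple[str, int]:
    """Turn the six comma-separated numbers of PORT / 227 into (ip, port)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("octet or port byte out of range")
    return "{}.{}.{}.{}".format(*nums[:4]), (nums[4] << 8) | nums[5]


@dataclass(frozen=True)
class Pinhole:
    """One data connection the filter will admit: src -> dst (src_port None = any)."""
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: int
    mode: str  # "active" or "passive"


class StatefulFtpFilter:
    """Tracks one control session and derives the data connection to permit.

    allow_active / allow_passive mirror the ftp-port-st / ftp-pasv-st /
    ftp-port-pasv-st choice: pinholes are opened only for the inspected modes.
    """

    def __init__(self, client_ip: str, server_ip: str,
                 allow_active: bool = True, allow_passive: bool = True) -> None:
        self.client_ip = client_ip
        self.server_ip = server_ip
        self.allow_active = allow_active
        self.allow_passive = allow_passive
        self.pinholes: List[Pinhole] = []
        self.rejected: List[Tuple[str, str]] = []   # (reason, control line)

    def _reject(self, reason: str, line: str) -> None:
        self.rejected.append((reason, line))
        return None

    def observe(self, direction: str, line: str) -> Optional[Pinhole]:
        """Feed one control-channel line; direction is 'c2s' (command) or 's2c' (reply)."""
        line = line.rstrip("\r\n")
        if direction == "c2s":
            m = _PORT_CMD.match(line)
            if not m:
                return None                          # ordinary command, nothing to track
            if not self.allow_active:
                return self._reject("active mode not permitted by this filter", line)
            ip, port = decode_hostport(m.groups())
            # The client may only ask for data to be delivered to itself.
            if ip != self.client_ip:
                return self._reject("PORT address is not the client's address", line)
            hole = Pinhole(self.server_ip, FTP_ACTIVE_DATA_PORT, ip, port, "active")
        elif direction == "s2c":
            m = _PASV_REPLY.match(line)
            if not m:
                return None
            if not self.allow_passive:
                return self._reject("passive mode not permitted by this filter", line)
            ip, port = decode_hostport(m.groups())
            if ip != self.server_ip:
                return self._reject("227 address is not the server's address", line)
            if port < DYNAMIC_PORT_MIN:
                return self._reject("passive data port is not a dynamic port", line)
            hole = Pinhole(self.client_ip, None, ip, port, "passive")
        else:
            raise ValueError("direction must be 'c2s' or 's2c'")
        self.pinholes.append(hole)
        return hole

    def permits_data_syn(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
        """Would a new data connection from src to dst be forwarded?"""
        return any(h.src_ip == src_ip and h.dst_ip == dst_ip and h.dst_port == dst_port
                   and (h.src_port is None or h.src_port == src_port)
                   for h in self.pinholes)


# Constructed transcript: public client 198.51.100.5 talking to private server 10.0.0.20.
SAMPLE_SESSION = [
    ("c2s", "USER anonymous"),
    ("s2c", "331 Please specify the password."),
    ("c2s", "PORT 198,51,100,5,200,17"),                     # active: client port 51217
    ("s2c", "200 PORT command successful."),
    ("c2s", "PASV"),
    ("s2c", "227 Entering Passive Mode (10,0,0,20,195,80)"),  # passive: server port 50000
    ("c2s", "PORT 198,51,100,9,0,25"),                       # names another host: refused
]


def run_sample(allow_active: bool = True, allow_passive: bool = True) -> StatefulFtpFilter:
    f = StatefulFtpFilter("198.51.100.5", "10.0.0.20", allow_active, allow_passive)
    for direction, line in SAMPLE_SESSION:
        f.observe(direction, line)
    return f


if __name__ == "__main__":
    f = run_sample()
    for h in f.pinholes:
        print(f"allow {h.mode}: {h.src_ip}:{h.src_port or 'any'} -> {h.dst_ip}:{h.dst_port}")
    for reason, line in f.rejected:
        print(f"refused ({reason}): {line}")
```

Running it with the defaults (the ftp-port-pasv-st case) yields one active pinhole, server:20 to the client's port 51217, and one passive pinhole to the server's dynamic port 50000; running run_sample(allow_passive=False) models ftp-port-st and records the 227 reply as refused instead. The passive pinhole is the reason a stateful filter is needed at all for passive mode: the port is only known once the 227 reply has been seen.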

This section contains the following tasks:

  1. Setting Up a Stateful FTP Filter

  2. Setting Up Static Filters for FTP

Setting Up a Stateful FTP Filter

  1. Select Configure TCP/IP Filters, click Packet Forwarding Filters, then click Exceptions.

  2. Press Ins to define a new exception.

  3. If you are creating an inbound exception, complete the following:

    1. Specify All Interfaces for the Source Interface parameter.

    2. Specify the server's public interface for the Destination Interface parameter.

    3. Press Enter for Packet Type, then select ftp-port-pasv-st.

      The packet type ftp-port-pasv-st allows both active and passive FTP connections. To allow active FTP connections only, select ftp-port-st. To allow passive FTP connections only, select ftp-pasv-st.

    4. If you want the server to forward FTP packets from certain public hosts only, specify Host or Network for the Src Addr Type parameter, then specify the IP address for the Src IP Address parameter; otherwise, leave the setting for Src Addr Type as Any Address.

    5. If you want the server to forward FTP packets addressed to certain private hosts only, specify Host or Network for the Dest Addr Type parameter, then specify the IP address for the Dest IP Address parameter; otherwise, leave the setting for Dest Addr Type as Any Address.

    6. Press Esc, then select Yes to save the filter.

  4. If you are creating an outbound exception, complete the following:

    1. Specify the server's private interface for the Source Interface parameter.

    2. Specify the server's public interface for the Destination Interface parameter.

    3. Press Enter for Packet Type, then select ftp-port-pasv-st.

      The packet type ftp-port-pasv-st allows both active and passive FTP connections. To allow active FTP connections only, select ftp-port-st. To allow passive FTP connections only, select ftp-pasv-st.

    4. If you want the server to forward FTP packets from certain private hosts only, specify Host or Network for the Src Addr Type parameter, then specify the IP address for the Src IP Address parameter; otherwise, leave the setting for Src Addr Type as Any Address.

    5. If you want the server to forward FTP packets addressed to certain public hosts only, specify Host or Network for the Dest Addr Type parameter, then specify the IP address for the Dest IP Address parameter; otherwise, leave the setting for Dest Addr Type as Any Address.

    6. Press Esc, then select Yes to save the filter.

    IMPORTANT:  The outbound stateful FTP filter does not allow packets for DNS name resolution to be forwarded to a DNS server on the public network. Users establishing an FTP connection to an FTP server must use the FTP server's IP address unless you set up a DNS filter.


Setting Up Static Filters for FTP

If you do not want to configure a stateful FTP exception, you can create static filters instead.

To allow public hosts to establish active FTP connections to a server in the private network, configure the following inbound and outbound filter exceptions:

If you want to allow users in your private network to establish passive FTP connections to public servers, configure additional filter exceptions for dynamic/tcp in both directions so that dynamic ports can be used as the data channel instead of port 20. Enable ACK bit filtering for the dynamic/tcp exceptions.
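The following added example (not Novell or BorderManager code) models how static exceptions with ACK bit filtering behave, so that the difference from the stateful filter above is visible. The rule set is a constructed illustration of static exceptions for active FTP to a private server; it is not the exception table from this documentation, "dynamic/tcp" is assumed to mean TCP ports 1024 to 65535, and the addresses and packets are constructed. The passive-mode dynamic/tcp exceptions the paragraph above calls for are deliberately left out, which is why the last sample packet is dropped.

```python
# Added example (not Novell/BorderManager code): static filter exceptions with
# ACK bit filtering. Rule set, addresses and packets are constructed; the
# dynamic/tcp range is an assumption.
from dataclasses import dataclass
from typing import List, Optional, Tuple

DYNAMIC = (1024, 65535)   # assumed port range covered by dynamic/tcp


@dataclass(frozen=True)
class Packet:
    iface_in: str   # interface the packet arrives on: "public" or "private"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool
    ack: bool


@dataclass(frozen=True)
class Rule:
    name: str
    iface_in: str
    src_ip: Optional[str]            # None = any address
    src_ports: Tuple[int, int]
    dst_ip: Optional[str]
    dst_ports: Tuple[int, int]
    ack_only: bool = False           # ACK bit filtering: forward only if ACK is set

    def matches(self, p: Packet) -> bool:
        return (p.iface_in == self.iface_in
                and (self.src_ip is None or p.src_ip == self.src_ip)
                and self.src_ports[0] <= p.src_port <= self.src_ports[1]
                and (self.dst_ip is None or p.dst_ip == self.dst_ip)
                and self.dst_ports[0] <= p.dst_port <= self.dst_ports[1]
                and (p.ack or not self.ack_only))


def forwarded_by(rules: List[Rule], p: Packet) -> Optional[str]:
    """Name of the first exception that forwards p, or None (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.name
    return None


def active_ftp_exceptions(server_ip: str) -> List[Rule]:
    """Constructed static exceptions for public clients using active FTP to a private server."""
    return [
        # Client opens the control connection to port 21: the SYN must pass, so no ACK filtering.
        Rule("ftp-control-in", "public", None, DYNAMIC, server_ip, (21, 21)),
        # Server replies on the control connection are never new connections.
        Rule("ftp-control-out", "private", server_ip, (21, 21), None, DYNAMIC, ack_only=True),
        # Active mode: the server itself opens the data connection from port 20.
        Rule("ftp-data-out", "private", server_ip, (20, 20), None, DYNAMIC),
        # The client's side of the data channel only answers; a bare SYN to port 20 is dropped.
        Rule("ftp-data-in", "public", None, DYNAMIC, server_ip, (20, 20), ack_only=True),
    ]


SERVER = "10.0.0.20"        # constructed private FTP server
CLIENT = "198.51.100.5"     # constructed public client
RULES = active_ftp_exceptions(SERVER)

# Constructed packets, in the order an active-mode transfer produces them,
# followed by two packets the rule set must not forward.
SAMPLE_PACKETS = [
    ("control SYN in",        Packet("public", CLIENT, 40000, SERVER, 21, syn=True, ack=False)),
    ("control SYN-ACK out",   Packet("private", SERVER, 21, CLIENT, 40000, syn=True, ack=True)),
    ("data SYN out (port 20)", Packet("private", SERVER, 20, CLIENT, 40001, syn=True, ack=False)),
    ("data SYN-ACK in",       Packet("public", CLIENT, 40001, SERVER, 20, syn=True, ack=True)),
    ("bare SYN in to port 20", Packet("public", CLIENT, 40002, SERVER, 20, syn=True, ack=False)),
    ("passive data SYN in",   Packet("public", CLIENT, 40003, SERVER, 50000, syn=True, ack=False)),
]


def trace(rules: List[Rule], packets) -> List[Tuple[str, Optional[str]]]:
    """Evaluate each (label, packet) pair and report which exception, if any, forwards it."""
    return [(label, forwarded_by(rules, p)) for label, p in packets]


if __name__ == "__main__":
    for label, result in trace(RULES, SAMPLE_PACKETS):
        print(f"{label:26} -> {result or 'DROP'}")
```

The fourth and fifth packets show what ACK bit filtering buys: the same exception forwards the client's SYN-ACK on the data channel but drops a bare SYN to port 20 arriving from the public side, so the exception cannot be used to open a new inbound connection. The last packet, a client connecting to a dynamic port on the server, matches nothing, which is the passive-mode case that needs the extra dynamic/tcp exceptions.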

IMPORTANT:  These filters do not allow users to establish FTP connections using the FTP server's DNS name. A DNS filter is required.