45 How do I make FTP work through my firewall?

This article is from the Firewalls FAQ, by Matt Curtin cmcurtin@interhack.net and Marcus J. Ranum mjr@nfr.com with numerous contributions by others.


Generally, making FTP work through the firewall is done either by using a
proxy server such as the firewall toolkit's ftp-gw, or by permitting incoming
connections to the network at a restricted port range and otherwise
restricting incoming connections using something like ``established''
screening rules. In the latter case, the FTP client is then modified to bind
the data port to a port within that range. This entails being able to modify
the FTP client application on internal hosts.

In some cases, if FTP downloads are all you wish to support, you might want
to consider declaring FTP a ``dead protocol'' and letting your users download
files via the Web instead. The user interface certainly is nicer, and it
gets around the ugly callback port problem. If you choose the FTP-via-Web
approach, your users will be unable to FTP files out, which, depending on
what you are trying to accomplish, may be a problem.

A different approach is to use the FTP ``PASV'' option to indicate that the
remote FTP server should permit the client to initiate connections. The PASV
approach assumes that the FTP server on the remote system supports that
operation. (See ``Firewall-Friendly FTP'' [1].)
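
The difference between the restricted-port-range approach and the PASV approach shows up in the control-channel line that sets up the data connection. The following is an added example, not part of the original FAQ: it parses a PORT command and a 227 reply and reports which way the data connection crosses a firewall protecting the client. The allowed range, the sample lines and the function names are assumptions made for illustration.

```python
import re

# Assumption (constructed): the inbound range the screening rules allow for FTP data.
ALLOWED_INBOUND = range(40000, 40100)

_FIELD = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(line):
    """Return (ip, port) from the h1,h2,h3,h4,p1,p2 field of PORT or a 227 reply."""
    m = _FIELD.search(line)
    if not m:
        raise ValueError("no host-port field in %r" % line)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("value above 255 in %r" % line)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def data_connection(control_line):
    """Describe the data connection that one control-channel line sets up,
    as seen from a firewall protecting the FTP client."""
    parts = control_line.split()
    verb = parts[0].upper() if parts else ""
    if verb == "PORT":
        # Active mode: the remote server connects back to the client's port.
        ip, port = parse_hostport(control_line)
        return {"mode": "active", "direction": "inbound",
                "endpoint": (ip, port), "permitted": port in ALLOWED_INBOUND}
    if verb == "227":
        # Passive mode: the client connects out to the port the server announced.
        # Assumption: policy lets internal hosts open outbound connections.
        ip, port = parse_hostport(control_line)
        return {"mode": "passive", "direction": "outbound",
                "endpoint": (ip, port), "permitted": True}
    raise ValueError("not a PORT command or 227 reply: %r" % control_line)

# Constructed control-channel lines (documentation addresses, not captured traffic).
SAMPLES = [
    "PORT 192,0,2,10,4,1",            # unmodified client, arbitrary port 1025
    "PORT 192,0,2,10,156,80",         # modified client bound to port 40016
    "227 Entering Passive Mode (198,51,100,7,195,149)",  # server port 50069
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", data_connection(line))
```

Only the second PORT line yields an inbound connection that the assumed range admits; the PASV reply needs no inbound rule at all.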

Other sites prefer to build client versions of the FTP program that are
linked against a SOCKS library.

 
