FTP ALG
File Transfer Protocol is a widely and commonly used method of exchanging files over IP networks. The FTP ALG monitors PORT, PASV, and 227 commands. It performs NAT on the IP address, the port, or both within the message and opens a gate (pinhole) on the device as necessary.
FTP ALG Overview
The File Transfer Protocol (FTP) is a widely and commonly used method of exchanging files over IP networks. In addition to the main control connection, data connections are also made for any data transfer between the client and the server; and the host, port, and direction are negotiated through the control channel.
For active mode FTP, the Junos OS stateful firewall service scans the client-to-server application data for the PORT command, which provides the IP address and port number to which the server connects. For passive-mode FTP, the Junos OS stateful firewall service scans the client-to-server application data for the PASV command and then scans the server-to-client responses for the 227 response, which contains the IP address and port number to which the client connects.
FTP represents the addresses and port numbers in ASCII. As a result, when addresses and ports are rewritten, the payload length and therefore the TCP sequence numbers of the following packets can change. The NAT service must then maintain this delta in SEQ and ACK numbers by performing sequence NAT on all subsequent packets.
The FTP ALG supports the following:
Automatically allocates data ports and firewall permissions for dynamic data connections
Monitors the control connection in both active and passive modes
Rewrites the control packets with the appropriate NAT address and port information
Network Address Translation, Protocol Translation (NAT-PT)
Transport Layer Security (TLS) as the security mechanism
IPv6 FTP ALG for Routing
The PORT/PASV requests and the corresponding 200/227 responses in FTP are used to announce the TCP port on which the host listens for the FTP data connection.
For extended addresses, the EPRT/EPSV commands and the 229 response are used for these requests and responses. FTP ALG already supports EPRT/EPSV/229, but only for IPv4 addresses.
In Junos OS Release 10.4, EPRT/EPSV/229 commands have been updated to support both IPv4 and IPv6 addresses.
FTP ALG uses a preallocated objcache to store its session cookies. When both IPv4 and IPv6 addresses are supported on FTP ALG, the session cookie structure grows by 256 bits (32 bytes) to store the IPv6 address.
FTP ALG Support for IPv6
The FTP ALG monitors commands and responses on the FTP control channel for syntactical correctness and opens corresponding pinholes to permit data channel connections to be established. In Junos OS Release 10.4, the FTP ALG supported IPv4 routing, IPv6 routing, and NAT mode only. In Junos OS Release 11.2 and later releases, the FTP ALG also supports IPv6 NAT and NAT-PT modes.
Understanding FTP Commands
The FTP ALG monitors commands and responses on the FTP control channel for syntactical correctness and opens corresponding pinholes to permit data channel connections to be established. In Junos OS Release 10.4, the FTP ALG supported IPv4 routing and NAT mode, and IPv6 routing mode only. In Junos OS Release 11.2 and later releases, the FTP ALG also supports IPv6 NAT and NAT-PT modes.
PORT Command
The PORT command is used in active FTP mode. The PORT command specifies the address and the port number to which a server should connect. When you use this command, the argument is a concatenation of a 32-bit Internet host address and a 16-bit TCP port address. The address information is broken into 8-bit fields, and the value of each field is transmitted as a decimal number (in character string representation). The fields are separated by commas.
The following is a sample PORT command, where h1 is the highest order 8-bit of the Internet host address:
PORT h1,h2,h3,h4,p1,p2
PASV Command
The PASV command requests a server to listen on a data port that is not the default data port of the server and to wait for a connection, rather than initiating another connection. The response to the PASV command includes the host and port address the server is listening on.
Extended FTP Commands
Extended FTP commands provide a method by which FTP can communicate the data connection endpoint information for network protocols other than IPv4. Extended FTP commands are specified in RFC 2428. In RFC 2428, the extended FTP commands EPRT and EPSV replace the FTP commands PORT and PASV, respectively.
EPRT Command
The EPRT command allows for the specification of an extended address for the data connection. The extended address must consist of the network protocol as well as the network and transport addresses.
The format of EPRT is:
EPRT<space><d><net-prt><d><net-addr><d><tcp-port><d>
Parameter | Description
---|---
net-prt | An address family number defined by IANA.
net-addr | A protocol-specific string of the network address.
tcp-port | A TCP port number on which the host is listening for the data connection.
d (delimiter) | The delimiter character must be one of the ASCII characters in the range 33 to 126 inclusive. The character "\|" (ASCII 124) is recommended.
The following command tells the server to use IPv4 to open a data connection to host 132.235.1.2 on TCP port 6275:
EPRT |1|132.235.1.2|6275|
The following command tells the server to use the IPv6 network protocol and the given network address to open a TCP data connection on port 5282:
EPRT |2|1080::8:800:200C:417A|5282|
In EPRT mode, the FTP ALG inspects only the EPRT command; it extracts the IPv6 address and port from the command and opens the pinhole.
EPSV Command
The EPSV command requests that a server listen on a data port and wait for a connection. The response to this command includes only the TCP port number of the listening connection.
An example response string is as follows:
Entering Extended Passive Mode (|||6446|)
The response code for entering passive mode using an extended address must be 229. The ALG extracts the TCP port from the 229 reply payload and uses it to open the pinhole.
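As an added example that is not part of the Junos documentation, the following Python parses the four control-channel messages described above (PORT, the 227 reply to PASV, EPRT, and the 229 reply to EPSV) and applies the syntax checks an ALG needs before it opens a pinhole. The function names and the sample inputs are constructed here; the address and port values are taken from this page's examples.

```python
import ipaddress
import re
# Address/port argument shared by PORT and the 227 reply: h1,h2,h3,h4,p1,p2
HOST_PORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT " + HOST_PORT + r"\s*$")
REPLY_227_RE = re.compile(r"^227 [^\r\n]*\(" + HOST_PORT + r"\)")
# 229 reply carries "(<d><d><d><tcp-port><d>)" with one delimiter used four times
REPLY_229_RE = re.compile(r"^229 [^\r\n]*\((.)\1\1(\d{1,5})\1\)")

def _decode_h1h2h3h4p1p2(groups):
    fields = [int(g) for g in groups]
    if any(f > 255 for f in fields):
        return None  # each comma-separated field is one 8-bit value in decimal
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]

def parse_port(line):
    """Active mode: 'PORT h1,h2,h3,h4,p1,p2' -> (ip, port), or None if malformed."""
    m = PORT_RE.match(line)
    return _decode_h1h2h3h4p1p2(m.groups()) if m else None

def parse_227(line):
    """Passive mode: '227 ... (h1,h2,h3,h4,p1,p2)' -> (ip, port), or None."""
    m = REPLY_227_RE.match(line)
    return _decode_h1h2h3h4p1p2(m.groups()) if m else None

def parse_eprt(line):
    """RFC 2428: 'EPRT <d><net-prt><d><net-addr><d><tcp-port><d>' -> (ip, port), or None."""
    if not line.startswith("EPRT ") or len(line) < 6:
        return None
    d = line[5]
    if not 33 <= ord(d) <= 126:
        return None  # delimiter must be a printable ASCII character 33..126
    parts = line[5:].rstrip("\r\n").split(d)
    if len(parts) != 5 or parts[0] or parts[4]:
        return None  # exactly four delimiters and nothing outside them
    net_prt, net_addr, tcp_port = parts[1:4]
    try:
        addr, port = ipaddress.ip_address(net_addr), int(tcp_port)
    except ValueError:
        return None
    # net-prt is the IANA address family number: 1 = IPv4, 2 = IPv6; it must match net-addr
    if {"1": 4, "2": 6}.get(net_prt) != addr.version or not 1 <= port <= 65535:
        return None
    return str(addr), port

def parse_229(line):
    """EPSV reply: '229 ... (|||tcp-port|)' -> tcp-port (only the port is announced), or None."""
    m = REPLY_229_RE.match(line)
    return int(m.group(2)) if m and 1 <= int(m.group(2)) <= 65535 else None
```

Each parser returns None for anything that does not match the grammar exactly, which is the behaviour an ALG needs so that a malformed control message never results in an opened pinhole.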
Example: Configuring the FTP ALG
This example shows how to configure the NAT-PT for FTP ALG.
Requirements
Before you begin:
Configure proxy ARP for all IP addresses in the source NAT pool.
Understand the concepts behind ALG for FTP. See FTP ALG Overview.
Overview
In this example, the ALG for FTP is configured to monitor and allow FTP traffic to be exchanged between the clients and the server located on opposite sides of a Juniper Networks device.
Configuration
Configuring a NAT Source Pool, NAT Static Pool and Rule Set
CLI Quick Configuration
To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security nat source rule-set rs-source from zone untrust
set security nat source rule-set rs-source to zone trust
set security nat source rule-set rs-source rule src-nat match source-address 3333::130/128
set security nat source rule-set rs-source rule src-nat match destination-address 40.0.0.211/32
set security nat source rule-set rs-source rule src-nat then source-nat interface
set security nat static rule-set rs2 from zone untrust
set security nat static rule-set rs2 rule r2 match destination-address 4444::141/128
set security nat static rule-set rs2 rule r2 then static-nat prefix 40.0.0.211/32
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure a source NAT pool:
Create a source NAT, static NAT, and interface NAT rule set.
[edit]
user@host# set security nat source rule-set rs-source from zone untrust
user@host# set security nat source rule-set rs-source to zone trust
user@host# set security nat source rule-set rs-source rule src-nat match source-address 3333::130/128
user@host# set security nat source rule-set rs-source rule src-nat match destination-address 40.0.0.211/32
user@host# set security nat source rule-set rs-source rule src-nat then source-nat interface
user@host# set security nat static rule-set rs2 from zone untrust
user@host# set security nat static rule-set rs2 rule r2 match destination-address 4444::141/128
user@host# set security nat static rule-set rs2 rule r2 then static-nat prefix 40.0.0.211/32
Associate the NAT-PT application using a policy.
[edit]
user@host# set security policies from-zone trust to-zone untrust policy ftp-basic match source-address any
user@host# set security policies from-zone trust to-zone untrust policy ftp-basic match destination-address any
user@host# set security policies from-zone trust to-zone untrust policy ftp-basic match application junos-ftp
user@host# set security policies from-zone trust to-zone untrust policy ftp-basic then permit
Results
From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
user@host# show security nat
static {
    rule-set rs2 {
        from zone untrust;
        rule r2 {
            match {
                destination-address 4444::141/128;
            }
            then {
                static-nat {
                    prefix {
                        40.0.0.211/32;
                    }
                }
            }
        }
    }
}
[edit]
user@host# show security policies
from-zone untrust to-zone trust {
    policy ftp-basic {
        match {
            source-address any;
            destination-address any;
            application [ junos-ping junos-mgcp junos-ftp junos-rsh junos-h323 ];
        }
        then {
            permit;
        }
    }
}
default-policy {
    permit-all;
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying the NAT Source Pool, NAT Static Pool, and Rule Set
Purpose
Verify that the NAT source pool and rule set used to support the FTP ALG are working properly.
Action
From operational mode, enter the show configuration security nat command.
Verifying FTP ALGs
Purpose
Verify that FTP ALG is enabled.
Action
From operational mode, enter the show security alg status command.
user@host> show security alg status
FTP : Enabled
Meaning
The output shows the FTP ALG status as follows:
Enabled—Shows the FTP ALG is enabled.
Disabled—Shows the FTP ALG is disabled.
The FTP ALG is enabled by default.
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.