FTP; FTP Connections - D-Link DFL-1600 User Manual

Network security firewall

Chapter 18. Application Layer Gateway (ALG)
18.2 FTP

The File Transfer Protocol (FTP) is a TCP/IP-based protocol to exchange
files between a client and a server. The client initiates the connection by
connecting to the FTP server. Normally the client needs to authenticate
itself by providing a predefined login and password. After granting access,
the server will provide the client with a file/directory listing from which it
can download/upload files (depending on access rights). The FTP ALG is
used to manage FTP connections through the firewall.
18.2.1 FTP Connections

FTP uses two communication channels, one for control commands and one
for the actual files being transferred.
When an FTP session is opened, the FTP client establishes a TCP
connection (the control channel) to port 21 (by default) on the FTP server.
What happens after this point depends on the mode of FTP being used.
Modes
There are two modes, active and passive, describing the role of the server
with respect to opening the data channels.
In active mode, the FTP client sends a command to the FTP server
indicating what IP address and port the server should connect to. The
FTP server establishes the data channel back to the FTP client using the
received address information.
In passive mode, the data channel is opened by the FTP client to the
FTP server, just like the command channel. This is the recommended
default mode for FTP clients, according to the "firewall-friendly FTP"
RFC.
Security Issues
Both modes of FTP operation present problems for firewalls. Consider a
scenario where an FTP client on the internal network connects through the
firewall to an FTP server on the Internet. The IP rule in the firewall is then
configured to allow network traffic from the FTP client to port 21 on the
FTP server.
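The following is an added example, not taken from the D-Link manual or from the firewall's own code. It shows how the data channel endpoint is carried inside the control channel (the PORT command in active mode, the 227 reply in passive mode), which is what a device inspecting port 21 traffic has to parse to know which data connection to expect. The function names, the address and port checks, and the sample lines are assumptions made for illustration, and the sketch assumes no address translation between client and server.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 tuple used by both PORT and the 227 reply (RFC 959)
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")


def parse_hostport(text):
    """Return (IPv4Address, port) from an h1,h2,h3,h4,p1,p2 tuple, else None."""
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ipaddress.IPv4Address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]


def expected_data_channel(line, client_ip, server_ip):
    """Map one control-channel line to the data connection it announces.

    Returns (mode, initiator_ip, destination_ip, destination_port), or None
    when the line negotiates nothing or fails the checks below.
    client_ip and server_ip are the endpoints of the control connection.
    """
    client = ipaddress.IPv4Address(client_ip)
    server = ipaddress.IPv4Address(server_ip)
    verb = line.strip().split(" ", 1)[0].upper()
    if verb == "PORT":    # active: client tells the server where to connect
        mode, initiator, owner = "active", server, client
    elif verb == "227":   # passive: server tells the client where to connect
        mode, initiator, owner = "passive", client, server
    else:
        return None
    hp = parse_hostport(line)
    # Example policy (assumption): the advertised address must belong to the
    # peer that sent the line, and the port must not be a well-known one.
    if hp is None or hp[0] != owner or hp[1] < 1024:
        return None
    return mode, str(initiator), str(hp[0]), hp[1]


if __name__ == "__main__":
    # Constructed control-channel lines using documentation address ranges.
    for sample in (
        "PORT 192,0,2,10,195,80",
        "227 Entering Passive Mode (198,51,100,5,19,137).",
        "PORT 203,0,113,7,195,80",  # address is not the client's: rejected
    ):
        print(sample, "->", expected_data_channel(sample, "192.0.2.10", "198.51.100.5"))
```

In both modes the port of the data connection is chosen at run time, so it cannot be listed in advance in a static rule written for port 21.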
D-Link Firewalls User's Guide
