Firewall-Friendly FTP (RFC1579)
Original Publication Date: 1994-Feb-01
Included in the Prior Art Database: 2019-Feb-13
Internet Society Requests For Comment (RFCs)
Network Working Group                                        S. Bellovin
Request for Comments: 1579                        AT&T Bell Laboratories
Category: Informational                                    February 1994
Status of this Memo
This document provides information for the Internet community. This document does not specify an Internet standard of any kind. Distribution of this document is unlimited.
This memo describes a suggested change to the behavior of FTP client programs. No protocol modifications are required, though we outline some that might be useful.
Overview and Rationale
The FTP protocol uses a secondary TCP connection for actual transmission of files. By default, this connection is set up by an active open from the FTP server to the FTP client. However, this scheme does not work well with packet filter-based firewalls, which in general cannot permit incoming calls to random port numbers.
If, on the other hand, clients use the PASV command, the data channel will be an outgoing call through the firewall. Such calls are more easily handled, and present fewer problems.
The Gory Details
The FTP specification says that by default, all data transfers should be over a single connection. An active open is done by the server, from its port 20 to the same port on the client machine as was used for the control connection. The client does a passive open.
For better or worse, most current FTP clients do not behave that way. A new connection is used for each transfer; to avoid running afoul of TCP’s TIMEWAIT state, the client picks a new port number each time and sends a PORT command announcing that to the server.
Neither scenario is firewall-friendly. If a packet filter is used (as, for example, provided by most modern routers), the data channel requests appear as incoming calls to unknown ports. Most firewalls are constructed to allow incoming calls only to certain believed-to-be-safe ports, such as SMTP. The usual compromise is to block only the "server" area, i.e., port numbers below 1024. But that strategy is risky; dangerous services such as X Windows live at higher-numbered ports.
Outgoing calls, on the other hand, present fewer problems, either for the firewall administrator or for the packet filter. Any TCP packet with the ACK bit set cannot be the packet used to initiate a TCP connection; filters can be configured to pass such packets in the outbound direction only. We thus want to change the behavior of FTP so that the data channel is implemented as a call from the client to the server.
Fortunately, the necessary mechanisms already exist in the protocol. If the client sends a PASV command, the server will do a passive TCP open on some random port, and inform the client of the port number. The client can then do an active open to establish the connection.
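As an added illustration that is not part of the RFC: a small Python model of the ACK-bit packet filter described above, together with the decoding of a PASV reply (the RFC 959 "227 (h1,h2,h3,h4,p1,p2)" form) and the encoding of a PORT command, showing why the PORT-mode data channel is blocked at the client's firewall while the PASV-mode one passes. The addresses and ports are constructed sample values.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed model of a TCP segment as seen by the client's packet filter."""
    direction: str   # "in" (toward the protected client) or "out"
    dport: int       # destination port
    syn: bool
    ack: bool


def packet_filter_allows(pkt: Packet, safe_inbound_ports=frozenset({25})) -> bool:
    """Stateless ACK-bit filter: anything outbound passes; an inbound segment
    passes only if it carries ACK (so it cannot open a new connection) or is
    aimed at a port believed safe (SMTP here, as in the RFC's example)."""
    if pkt.direction == "out":
        return True
    return pkt.ack or pkt.dport in safe_inbound_ports


PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply: str):
    """Decode a 227 reply into the (host, port) the client must actively open."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV 227 reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def port_command(host: str, port: int) -> str:
    """Build the PORT command a client sends to announce its listening port."""
    octets = host.split(".") + [str(port // 256), str(port % 256)]
    return "PORT " + ",".join(octets)


def data_connection_syn(mode: str, client_port: int, server_port: int) -> Packet:
    """The SYN that opens the data channel, from the client firewall's view."""
    if mode == "PORT":
        # Server does the active open: an inbound SYN with no ACK bit.
        return Packet("in", client_port, syn=True, ack=False)
    # PASV: the client does the active open, so the SYN is outbound.
    return Packet("out", server_port, syn=True, ack=False)
```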
There are a few FTP servers in existence that do not honor the PASV command. While this is unfortunate (and in violation of STD 3, RFC 1123), it does not pose a problem...