File Transfer Protocol (FTP) is a widely and commonly used method of exchanging files over IP networks. The FTP ALG monitors PORT and PASV commands and 227 responses. It performs NAT on the IP address, the port, or both in the message and opens gates on the device as necessary.
FTP ALG Overview
The File Transfer Protocol (FTP) is a widely and commonly used method of exchanging files over IP networks. In addition to the main control connection, separate data connections are made for every data transfer between the client and the server; the host, port, and direction of each data connection are negotiated through the control channel.
For active mode FTP, the Junos OS stateful firewall service scans the client-to-server application data for the PORT command, which provides the IP address and port number to which the server connects. For passive-mode FTP, the Junos OS stateful firewall service scans the client-to-server application data for the PASV command and then scans the server-to-client responses for the 227 response, which contains the IP address and port number to which the client connects.
FTP represents the addresses and port numbers in ASCII. As a result, rewriting the addresses and ports can change the length of the payload, so the TCP sequence numbers of the following packets no longer line up; the NAT service must therefore maintain this delta in the SEQ and ACK numbers by performing sequence NAT on all subsequent packets of the control connection.
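As an added example (not part of the Juniper documentation and not Junos code), the following Python shows the ASCII parsing and rewriting described above for the PORT command and the 227 response, and computes the sequence delta the ALG must then track. The command text, the client address 10.1.1.5 and the NAT address 203.0.113.7 are constructed.

```python
import re

# Constructed example of what the FTP ALG does with the ASCII address/port
# fields in PORT (client-to-server) and 227 (server-to-client), and of the TCP
# sequence delta created when the rewritten PORT text changes length.
# Hypothetical helper code, not Junos code.
FIELDS = r"(\d{1,3}(?:,\d{1,3}){5})"               # h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT " + FIELDS + r"$")
RESP_227_RE = re.compile(r"^227 [^(]*\(" + FIELDS + r"\)\.?$")

def _endpoint(fields_text):
    """'h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', p1*256+p2), or None if a field exceeds 255."""
    f = [int(x) for x in fields_text.split(",")]
    if any(v > 255 for v in f):                      # each field is one 8-bit value in decimal
        return None
    return ".".join(str(v) for v in f[:4]), f[4] * 256 + f[5]

def parse_port(line):
    """Active mode: the endpoint the server must connect to, or None if malformed."""
    m = PORT_RE.match(line.rstrip("\r\n"))
    return _endpoint(m.group(1)) if m else None

def parse_227(line):
    """Passive mode: the endpoint the client will connect to, or None if malformed."""
    m = RESP_227_RE.match(line.rstrip("\r\n"))
    return _endpoint(m.group(1)) if m else None

def rewrite_port(line, nat_ip, nat_port):
    """Rewrite the PORT argument with the NAT address and port.

    Returns (new_line, pinhole, seq_delta). seq_delta is the change in payload
    length; the ALG must add it to the client's SEQ and subtract it from the
    server's ACK on every later packet of the control connection (sequence NAT).
    """
    body = line.rstrip("\r\n")
    if parse_port(line) is None:
        raise ValueError("malformed PORT command: %r" % line)
    new_arg = ",".join(nat_ip.split(".") + [str(nat_port // 256), str(nat_port % 256)])
    new_line = "PORT " + new_arg + line[len(body):]   # keep the original CRLF
    return new_line, (nat_ip, nat_port), len(new_arg) - len(body[5:])

if __name__ == "__main__":
    client_cmd = "PORT 10,1,1,5,19,137\r\n"           # constructed: client 10.1.1.5:5001
    print(rewrite_port(client_cmd, "203.0.113.7", 40001))
    # -> ('PORT 203,0,113,7,156,65\r\n', ('203.0.113.7', 40001), 3)
    print(parse_227("227 Entering Passive Mode (10,1,1,9,39,16).\r\n"))   # ('10.1.1.9', 10000)
```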
The FTP ALG supports the following:
Automatically allocates data ports and firewall permissions for dynamic data connection
Monitors the control connection in both active and passive modes
Rewrites the control packets with the appropriate NAT address and port information
Network Address Translation, Protocol Translation (NAT-PT)
Transport Layer Security (TLS) as the security mechanism
IPv6 FTP ALG for Routing
The PORT/PASV requests and the corresponding 200/227 responses in FTP are used to announce the TCP port on which the host listens for the FTP data connection.
The EPRT/EPSV commands and the 229 response are the extended forms of these requests and responses. The FTP ALG already supported EPRT/EPSV/229, but only for IPv4 addresses.
In Junos OS Release 10.4, EPRT/EPSV/229 commands have been updated to support both IPv4 and IPv6 addresses.
The FTP ALG uses a preallocated objcache to store its session cookies. When both IPv4 and IPv6 addresses are supported on the FTP ALG, the session cookie structure grows by 256 bits (32 bytes) to store the IPv6 address.
FTP ALG Support for IPv6
The FTP ALG monitors commands and responses on the FTP control channel for syntactical correctness and opens corresponding pinholes to permit data channel connections to be established. In Junos OS Release 10.4, the FTP ALG supported IPv4 routing, IPv6 routing, and NAT mode only. In Junos OS Release 11.2 and later releases, the FTP ALG also supports IPv6 NAT and NAT-PT modes.
Understanding FTP Commands
The FTP ALG monitors commands and responses on the FTP control channel for syntactical correctness and opens corresponding pinholes to permit data channel connections to be established. In Junos OS Release 10.4, the FTP ALG supported IPv4 routing and NAT mode, and IPv6 routing mode only. In Junos OS Release 11.2 and later releases, the FTP ALG also supports IPv6 NAT and NAT-PT modes.
The PORT command is used in active FTP mode. The PORT command specifies the address and the port number to which a server should connect. When you use this command, the argument is a concatenation of a 32-bit Internet host address and a 16-bit TCP port address. The address information is broken into 8-bit fields, and the value of each field is transmitted as a decimal number (in character string representation). The fields are separated by commas.
The following is a sample PORT command, where h1 is the highest-order 8 bits of the Internet host address:
The PASV command requests a server to listen on a data port that is not the default data port of the server and to wait for a connection, rather than initiating another connection. The response to the PASV command includes the host and port address the server is listening on.
Extended FTP Commands
Extended FTP commands provide a method by which FTP can communicate the data connection endpoint information for network protocols other than IPv4. Extended FTP commands are specified in RFC 2428. In RFC 2428, the extended FTP commands EPRT and EPSV, replace the FTP commands PORT and PASV, respectively.
The EPRT command allows for the specification of an extended address for the data connection. The extended address must consist of the network protocol as well as the network and transport addresses.
The format of EPRT is:
An address family number defined by IANA.
A protocol-specific string of the network address.
A TCP port number on which the host is listening for data connection.
The delimiter character must be one of the ASCII characters in range 33 to 126 inclusive. The character "|" (ASCII 124) is recommended.
The following command shows how to specify the server to use an IPv4 address to open a data connection to host 22.214.171.124 on TCP port 6275:
The following command shows how to specify the server to use an IPv6 network protocol and a network address to open a TCP data connection on port 5282:
In this mode, FTP ALG focuses only on the EPRT command; it extracts the IPv6 address and port from the EPRT command and opens the pinhole.
The EPSV command requests that a server listen on a data port and wait for a connection. The response to this command includes only the TCP port number of the listening connection.
An example response string is as follows:
Entering Extended Passive Mode (|||6446|)
The response code for entering passive mode using an extended address must be 229. The ALG extracts the TCP port from the 229 payload and uses it to open the pinhole.
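As an added example (not part of the Juniper documentation and not Junos code), the following Python parses the EPRT command and the 229 response described above, enforcing the RFC 2428 delimiter, address family and port rules before returning the endpoint for which a pinhole would be opened. The IPv4 address and ports are the ones quoted above; the IPv6 address 2001:db8::1 is constructed.

```python
import ipaddress
import re

# Constructed parser for the RFC 2428 extended command and response that the
# FTP ALG inspects (hypothetical helper code, not Junos code). Each function
# returns the endpoint for which a data-channel pinhole would be opened, or
# None when the syntax is invalid, which is the syntactical check described above.
EPRT_RE = re.compile(r"^EPRT (.)(.*)$")
RESP_229_RE = re.compile(r"^229 [^(]*\((.)(.*)\)$")

def _delimiter_ok(d):
    # RFC 2428: one ASCII character in the range 33..126; "|" (124) is recommended.
    return len(d) == 1 and 33 <= ord(d) <= 126

def parse_eprt(line):
    """EPRT <d><af><d><net-addr><d><tcp-port><d>  ->  (af, address, port) or None."""
    m = EPRT_RE.match(line.rstrip("\r\n"))
    if not m or not _delimiter_ok(m.group(1)):
        return None
    fields = m.group(2).split(m.group(1))
    if len(fields) != 4 or fields[3] != "":            # three fields, closing <d>
        return None
    try:
        af, ip, port = int(fields[0]), ipaddress.ip_address(fields[1]), int(fields[2])
    except ValueError:
        return None
    # The IANA family number (1 = IPv4, 2 = IPv6) must match the address supplied.
    if (af, ip.version) not in ((1, 4), (2, 6)) or not 1 <= port <= 65535:
        return None
    return af, str(ip), port

def parse_229(line):
    """229 ... (<d><d><d><tcp-port><d>)  ->  port or None; only the port is carried."""
    m = RESP_229_RE.match(line.rstrip("\r\n"))
    if not m or not _delimiter_ok(m.group(1)):
        return None
    fields = m.group(2).split(m.group(1))
    if len(fields) != 4 or fields[0] or fields[1] or fields[3]:
        return None
    try:
        port = int(fields[2])
    except ValueError:
        return None
    return port if 1 <= port <= 65535 else None

if __name__ == "__main__":
    print(parse_eprt("EPRT |1|22.214.171.124|6275|\r\n"))    # (1, '22.214.171.124', 6275)
    print(parse_eprt("EPRT |2|2001:db8::1|5282|\r\n"))       # (2, '2001:db8::1', 5282)  constructed IPv6
    print(parse_229("229 Entering Extended Passive Mode (|||6446|)\r\n"))   # 6446
```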
Example: Configuring the FTP ALG
This example shows how to configure the NAT-PT for FTP ALG.
Before you begin:
Configure proxy ARP for all IP addresses in the source NAT pool.
Understand the concepts behind ALG for FTP. See FTP ALG Overview.
In this example, the ALG for FTP is configured to monitor and allow FTP traffic to be exchanged between the clients and the server located on opposite sides of a Juniper Networks device.
Configuring a NAT Source Pool, NAT Static Pool and Rule Set
CLI Quick Configuration
To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the hierarchy level, and then enter commit from configuration mode.
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure a source NAT pool:
- Create a source NAT, static NAT, and interface NAT rule set.
[edit]
user@host# set security nat source rule-set rs-source from zone untrust
user@host# set security nat source rule-set rs-source to zone trust
user@host# set security nat source rule-set rs-source rule src-nat match source-address 3333::130/128
user@host# set security nat source rule-set rs-source rule src-nat match destination-address 126.96.36.199/32
user@host# set security nat source rule-set rs-source rule src-nat then source-nat interface
user@host# set security nat static rule-set rs2 from zone untrust
user@host# set security nat static rule-set rs2 rule r2 match destination-address 4444::141/128
user@host# set security nat static rule-set rs2 rule r2 then static-nat prefix 188.8.131.52/32
- Associate the NAT-PT application using a policy.
user@host# set security policies from-zone trust to-zone untrust policy ftp-basic match source-address any
user@host# set security policies from-zone trust to-zone untrust policy ftp-basic match destination-address any
user@host# set security policies from-zone trust to-zone untrust policy ftp-basic match application junos-ftp
user@host# set security policies from-zone trust to-zone untrust policy ftp-basic then permit
From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Configuring FTP ALG Security Extension
Set the security alg ftp extension
From configuration mode, enter the following command.
set security alg ftp ftps-extension
To confirm that the configuration is working properly, perform these tasks:
Verifying the NAT Source Pool, NAT Static Pool, and Rule Set
Verify that the NAT source pool and rule set used to support the FTP ALG are working properly.
From operational mode, enter the show configuration security nat command.
Verifying FTP ALGs
Verify that FTP ALG is enabled.
From operational mode, enter the show security alg status command.
user@host> show security alg status
FTP : Enabled
The output shows the FTP ALG status as follows:
Enabled—Shows the FTP ALG is enabled.
Disabled—Shows the FTP ALG is disabled.
The FTP ALG is enabled by default.