
FTP ALG


File Transfer Protocol (FTP) is a widely and commonly used method of exchanging files over IP networks. The FTP ALG monitors the PORT and PASV commands and the 227 response. It performs NAT on the IP address, the port, or both within the message and opens gates on the device as necessary.

FTP ALG Overview

The File Transfer Protocol (FTP) is a widely and commonly used method of exchanging files over IP networks. In addition to the main control connection, data connections are also made for any data transfer between the client and the server; and the host, port, and direction are negotiated through the control channel.

For active mode FTP, the Junos OS stateful firewall service scans the client-to-server application data for the PORT command, which provides the IP address and port number to which the server connects. For passive-mode FTP, the Junos OS stateful firewall service scans the client-to-server application data for the PASV command and then scans the server-to-client responses for the 227 response, which contains the IP address and port number to which the client connects.

FTP represents addresses and port numbers in ASCII. As a result, when addresses and ports are rewritten, the payload length, and therefore the TCP sequence numbers, might change; the NAT service must then maintain this delta in the SEQ and ACK numbers by performing sequence NAT on all subsequent packets of the control connection.
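As an added illustration (not code from the Junos documentation), the following Python models what the ALG does with the ASCII h1,h2,h3,h4,p1,p2 field of a PORT command or a 227 reply: it substitutes the NAT address and port, records the pinhole, and keeps the per-direction byte delta that sequence NAT has to apply to later SEQ and ACK numbers. The addresses and ports are constructed sample values.

```python
import re

# PORT (client to server) and 227 (server to client) both carry h1,h2,h3,h4,p1,p2.
HOST_PORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
C2S, S2C = "c2s", "s2c"

def decode_host_port(text):
    """'10,0,0,5,4,1' -> ('10.0.0.5', 1025)."""
    fields = [int(x) for x in text.split(",")]
    if len(fields) != 6 or any(f > 255 for f in fields):
        raise ValueError("expected six 8-bit decimal fields")
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]

def encode_host_port(ip, port):
    """('203.0.113.7', 40001) -> '203,0,113,7,156,65'."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])

class FtpAlgSession:
    """State for one FTP control connection: rewrites plus the per-direction SEQ delta."""
    def __init__(self):
        self.delta = {C2S: 0, S2C: 0}   # payload bytes added by rewrites in each direction
        self.pinholes = []              # (ip, port) the data connection is allowed to reach

    def rewrite(self, line, nat_ip, nat_port):
        """Rewrite the h1..p2 field of a PORT command or 227 reply with the NAT endpoint.
        Returns (new_line, original_endpoint) and records the length change."""
        if line.startswith("PORT "):
            direction = C2S
        elif line.startswith("227 "):
            direction = S2C
        else:
            raise ValueError("not a PORT command or 227 reply")
        m = HOST_PORT_RE.search(line)
        if m is None:
            raise ValueError("no h1,h2,h3,h4,p1,p2 field")
        orig = decode_host_port(m.group(0))
        new_line = line[:m.start()] + encode_host_port(nat_ip, nat_port) + line[m.end():]
        self.delta[direction] += len(new_line) - len(line)
        self.pinholes.append((nat_ip, nat_port))
        return new_line, orig

    def fix_seq(self, direction, seq):
        """SEQ of a later packet in `direction`: shifted by the bytes this direction gained."""
        return (seq + self.delta[direction]) & 0xFFFFFFFF

    def fix_ack(self, direction, ack):
        """ACK of a later packet in `direction`: undoes the shift of the opposite direction."""
        other = S2C if direction == C2S else C2S
        return (ack - self.delta[other]) & 0xFFFFFFFF
```

Because the client-to-server and server-to-client payloads change independently, the deltas are kept per direction; a PORT rewrite affects client SEQs and server ACKs, while a 227 rewrite affects server SEQs and client ACKs.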

The FTP ALG supports the following:

  • Automatically allocates data ports and firewall permissions for dynamic data connections

  • Monitors the control connection in both active and passive modes

  • Rewrites the control packets with the appropriate NAT address and port information

  • Network Address Translation, Protocol Translation (NAT-PT)

  • Transport Layer Security (TLS) as the security mechanism

IPv6 FTP ALG for Routing

The PORT/PASV requests and the corresponding 200/227 responses in FTP are used to announce the TCP port on which the host listens for the FTP data connection.

The EPRT/EPSV commands and the 229 response are the extended forms of these requests and responses. The FTP ALG already supports EPRT/EPSV/229, but only for IPv4 addresses.

In Junos OS Release 10.4, EPRT/EPSV/229 commands have been updated to support both IPv4 and IPv6 addresses.

The FTP ALG uses a preallocated objcache to store its session cookies. When both IPv4 and IPv6 addresses are supported on the FTP ALG, the session cookie structure enlarges by 256 bits (32 bytes) to store the IPv6 address.

FTP ALG Support for IPv6

The FTP ALG monitors commands and responses on the FTP control channel for syntactical correctness and opens corresponding pinholes to permit data channel connections to be established. In Junos OS Release 10.4, the FTP ALG supported IPv4 routing, IPv6 routing, and NAT mode only. In Junos OS Release 11.2 and later releases, the FTP ALG also supports IPv6 NAT and NAT-PT modes.

Understanding FTP Commands

The FTP ALG monitors commands and responses on the FTP control channel for syntactical correctness and opens corresponding pinholes to permit data channel connections to be established. In Junos OS Release 10.4, the FTP ALG supported IPv4 routing and NAT mode, and IPv6 routing mode only. In Junos OS Release 11.2 and later releases, the FTP ALG also supports IPv6 NAT and NAT-PT modes.

PORT Command

The PORT command is used in active FTP mode. The PORT command specifies the address and the port number to which a server should connect. When you use this command, the argument is a concatenation of a 32-bit Internet host address and a 16-bit TCP port address. The address information is broken into 8-bit fields, and the value of each field is transmitted as a decimal number (in character string representation). The fields are separated by commas.

The following is a sample PORT command, where h1 is the highest-order 8 bits of the Internet host address and p1 the high-order 8 bits of the port:

PORT h1,h2,h3,h4,p1,p2

PASV Command

The PASV command requests a server to listen on a data port that is not the default data port of the server and to wait for a connection, rather than initiating another connection. The response to the PASV command includes the host and port address the server is listening on.

Extended FTP Commands

Extended FTP commands provide a method by which FTP can communicate the data connection endpoint information for network protocols other than IPv4. Extended FTP commands are specified in RFC 2428. In RFC 2428, the extended FTP commands EPRT and EPSV replace the FTP commands PORT and PASV, respectively.

EPRT Command

The EPRT command allows for the specification of an extended address for the data connection. The extended address must consist of the network protocol as well as the network and transport addresses.

The format of EPRT is:

EPRT<space><d><net-prt><d><net-addr><d><tcp-port><d>

Parameter    Description

net-prt      An address family number defined by IANA.

net-addr     A protocol-specific string of the network address.

tcp-port     A TCP port number on which the host is listening for the data connection.

<d>          The delimiter character, which must be one of the ASCII characters in the range 33 to 126 inclusive. The character "|" (ASCII 124) is recommended.

The following command tells the server to use IPv4 (address family 1) to open a data connection to host 132.235.1.2 on TCP port 6275:

EPRT |1|132.235.1.2|6275|

The following command tells the server to use IPv6 (address family 2) and the given network address to open a TCP data connection on port 5282:

EPRT |2|1080::8:800:200C:417A|5282|

In active mode with extended commands, the FTP ALG focuses only on the EPRT command: it extracts the IPv6 address and port from the EPRT argument and opens the pinhole.

EPSV mode

The EPSV command requests that a server listen on a data port and wait for a connection. The response to this command includes only the TCP port number of the listening connection.

An example response string is as follows:

Note

The response code for entering passive mode using an extended address must be 229. The TCP port is extracted from the 229 payload and used to open the pinhole.
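An added example, not part of the Junos documentation, of the parsing an ALG must do on the extended commands discussed above: it enforces the delimiter range and the agreement between net-prt and net-addr in EPRT, and extracts the port-only argument of a 229 reply (the `229 Entering Extended Passive Mode (|||port|)` form defined in RFC 2428). The server address passed to parse_229 is assumed to be already known from the control connection; all input lines are constructed samples.

```python
import ipaddress

# IANA address family numbers carried in the net-prt field (1 = IPv4, 2 = IPv6).
FAMILY = {"1": 4, "2": 6}

def _delimited(arg):
    """Split "<d>a<d>b<d>c<d>" on its delimiter, enforcing the RFC 2428 delimiter range."""
    d = arg[:1]
    if not d or not 33 <= ord(d) <= 126:
        raise ValueError("delimiter must be a printable ASCII character (33..126)")
    fields = arg.split(d)
    # Exactly three delimited fields, with nothing before the first or after the last delimiter.
    if len(fields) != 5 or fields[0] or fields[4]:
        raise ValueError("argument must be <d>net-prt<d>net-addr<d>tcp-port<d>")
    return fields[1:4]

def _port(value):
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError("tcp-port out of range")
    return port

def parse_eprt(line):
    """EPRT |net-prt|net-addr|tcp-port| -> (ip_version, address, port) for the pinhole."""
    if not line.startswith("EPRT "):
        raise ValueError("not an EPRT command")
    net_prt, net_addr, tcp_port = _delimited(line[5:].rstrip("\r\n"))
    addr = ipaddress.ip_address(net_addr)
    # Reject an address family number that disagrees with the address actually given.
    if FAMILY.get(net_prt) != addr.version:
        raise ValueError("net-prt does not match the address family of net-addr")
    return addr.version, str(addr), _port(tcp_port)

def parse_229(line, server_ip):
    """229 Entering Extended Passive Mode (|||tcp-port|) -> (ip_version, address, port).
    The reply carries only the port, so the pinhole uses the server address the
    control connection already terminates on (server_ip, assumed known here)."""
    if not line.startswith("229 "):
        raise ValueError("not a 229 response")
    start, end = line.find("("), line.rfind(")")
    if start < 0 or end < start:
        raise ValueError("missing parenthesised argument")
    net_prt, net_addr, tcp_port = _delimited(line[start + 1:end])
    if net_prt or net_addr:
        raise ValueError("229 must leave net-prt and net-addr empty")
    addr = ipaddress.ip_address(server_ip)
    return addr.version, str(addr), _port(tcp_port)
```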

Example: Configuring the FTP ALG

This example shows how to configure the NAT-PT for FTP ALG.

Requirements

Before you begin:

  • Configure proxy ARP for all IP addresses in the source NAT pool.

  • Understand the concepts behind ALG for FTP. See FTP ALG Overview.

Overview

In this example, the ALG for FTP is configured to monitor and allow FTP traffic to be exchanged between the clients and the server located on opposite sides of a Juniper Networks device.


Configuration

Configuring a NAT Source Pool, NAT Static Pool and Rule Set

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a source NAT pool:

  1. Create a source NAT, static NAT, and interface NAT rule set.
  2. Associate the NAT-PT application using a policy.

Results

From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring FTP ALG Security Extension

Purpose

Set the security extension (ftps-extension) for the FTP ALG.

Action

From configuration mode, enter the following command.

set security alg ftp ftps-extension

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying the NAT Source Pool, NAT Static Pool Rule Set

Purpose

Verify that the NAT source pool and rule set used to support the FTP ALG are working properly.

Action

From operational mode, enter the show configuration security nat command.

Verifying FTP ALGs

Purpose

Verify that FTP ALG is enabled.

Action

From operational mode, enter the show security alg status command.

user@host> show security alg status

Meaning

The output shows the FTP ALG status as follows:

  • Enabled—Shows the FTP ALG is enabled.

  • Disabled—Shows the FTP ALG is disabled.

Note

The FTP ALG is enabled by default.

Release History Table

Release    Description

11.2       In Junos OS Release 11.2 and later releases, the FTP ALG also supports IPv6 NAT and NAT-PT modes.

10.4       In Junos OS Release 10.4, EPRT/EPSV/229 commands have been updated to support both IPv4 and IPv6 addresses.

10.4       In Junos OS Release 10.4, the FTP ALG supported IPv4 routing, IPv6 routing, and NAT mode only.