Port Forwarding to PASV with TLS/SSL

Discussion in 'Tomato Firmware' started by kthaddock, Jun 16, 2014.

  1. kthaddock

    kthaddock Network Guru Member

    I'm trying to forward ports to my VSFTPD server running TLS/SSL.
    I have opened pasv ports 9970 - 10000 with the trigger port option. I can see them with winscp and ssh.
    But I can't connect from outside. When testing inside the LAN it's working and I can see ports 9970 - 10000 being used.
    This makes me wonder: does triggered port forwarding work?
    Has anyone used this option and got it working?
    I have tried to load the nf_conntrack_ftp module but it seems to be missing!?
    Last edited: Jun 16, 2014
  2. koitsu

    koitsu Network Guru Member

    FTP passive mode is initiated by the FTP client in the control layer (TCP port 21) by changing FTP modes between active ("PORT" command) and passive ("PASV" command).

    The FTP server is supposed to have a pre-defined port range already open/available. In passive mode, the FTP server won't have a listening port up/available until the client issues the necessary PASV command.

    As such, I don't see how port triggering will work here. The "trigger" would have to be some daemon/thing watching for actual "PASV" commands sent by the client on the control layer.

    TL;DR -- For passive FTP to work, you need to simply allow inbound TCP connections from anywhere to your WAN IP, port range 9970-10000, and leave that rule enabled at all times. This is safe to do since the FTP daemon will only be listening on one of those port numbers when a valid FTP client asks it to open one up (using "PASV"). Meaning: port triggering gets you nothing here.

    I've explained how the FTP protocol works in detail here, showing full firewall rules I used on a production Internet-facing FTP server for nearly 18 years:


    Port triggering is only used for this type of scenario:

    - A LAN client initiates a TCP connection to some Internet IP address (ex. on some particular port (ex. port 12345)
    - The necessary port triggering code (usually this is done in some kind of netfilter helper, which may be what nf_conntrack_ftp is for? Not sure) notices that a LAN client has connected to somewhere (destination port 12345) and automatically runs some firewall rules to allow inbound connections to the WAN IP + those get forwarded to the LAN IP of the client.

    This was mainly invented for games with very crappy/badly-designed network code, where the inventors blindly assumed that NAT didn't exist and that there was a 1:1 ratio of client-to-Internet-IP-addresses. The model is this:

    - Game client is assumed to have an Internet IP address, i.e. is not using NAT
    - Game client is listening on TCP port 54321 at all times
    - Game client connects to server (some Internet IP, say TCP port 4444)
    - Game client tells server "here's my IP address" (which is a valid Internet IP) and "here's my port number" (54321)
    - Other game clients (players, etc.) who want to play a game with said person are able to connect to said IP address on TCP port 54321
    - Game starts, done

    Port triggering would then allow that model to work by "keying" off of the outbound connection to TCP port 4444. When the network stack sees a NAT'd connection to TCP port 4444, it says "okay I need to automatically open up a port forward for TCP port 54321 to go to {LAN IP of client}".

    I have no idea what that guy in this thread is doing. He doesn't seem to understand the FTP protocol, and instead has resorted to messing about with kernel modules that manipulate parts of the actual TCP data packet across the control layer (TCP port 21). In fact, most people I see trying to set up FTP servers have absolutely no idea how the protocol actually works and the direction traffic is flowing -- and understanding how it works is VERY important when designing a firewall surrounding an FTP server (and/or when using an FTP server behind NAT). You do not need nf_xxx helper modules to run an FTP server behind NAT, you just need to ensure the FTP server you're using lets you define what IP addresses to use in some of its configurations/behaviours and port ranges for passive.

    Maybe this will help you understand how the protocol works ("dumbly written" if you ask me, but still). Be sure to note the flow of traffic (i.e. who initiates a connection to who and where/when):


    My guess is that nf_nat_ftp is what is doing the actual TCP packet payload manipulation, and this is for NAT'd clients, i.e. an FTP client running on attempts to FTP to ftp.netcom.com and transfer a file in active mode (which wouldn't work because the FTP client would be submitting its LAN IP address within the PORT command -- that's how the protocol works). The nf_nat_ftp helper probably rewrites the PORT command's IP address portion to use the WAN IP and not the LAN IP, and probably also does something about port forwarding.

    nf_conntrack_ftp is probably just a "simple helper" to allow for tracking the connections and stages of the FTP protocol throughout TCP, because there's two layers (the control layer (TCP port 21) and the actual data transfer layer (either TCP port 20 (active mode) or random TCP port (passive mode)).
    Last edited: Jun 17, 2014
  3. kthaddock

    kthaddock Network Guru Member

    Thank you for the explanation. Sorry for the delay.

    I have tested more and have a clue what is happening. It seems that it isn't working if you use e.g. TLS/SSL.
    The client can't read pasv in encrypted mode. I am using an encrypted SSL connection. ip_conntrack_ftp is not able to inspect encrypted traffic, data traffic is not identified as RELATED and is dropped.

    So the solution could be to tell the nat helper "nf_conntrack_ftp" or "nf_nat_ftp", don't know which yet, which port to use in pasv mode.
    However, if you config the client to use FTP and after login use TLS/SSL to encrypt packages.

    Server config:
    Last edited: Jun 19, 2014
  4. kthaddock

    kthaddock Network Guru Member


    Just add this to the firewall and PASV connection over Explicit SSL/TLS is just working fine.
    No need to modify the _ftp modules.

    FTP response: Client "81.xxx.xxx.xxx", "227 Entering Passive Mode (81,xxx,xxx,xxx,39,5)."
    Using port: 9989
    And here is how to generate PEM cert:
    Last edited: Jun 19, 2014
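    The two posts above turn on one detail: the 227 reply carries the IP address and port the client must connect to for the data channel, encoded as six decimal fields, and once the control channel is TLS-encrypted no netfilter helper can read that reply, so the only thing that works is a static forward of the whole passive range (9970-10000 here) and a server that advertises the WAN address. The snippet below is an added example, not code from this thread or from vsftpd: it parses a 227 reply the way a client does, rebuilds one the way a server does, and checks a reply against the NAT setup for the two failure modes discussed here (a LAN address advertised to an outside client, and a data port outside the forwarded range). The passive range and the port 9989 come from the thread; the addresses are constructed (the thread masks its real one as 81.xxx.xxx.xxx).

```python
"""Parse and sanity-check FTP 227 (PASV) replies against a NAT/firewall setup.

Added example, not code from the thread or from vsftpd. The passive range
9970-10000 and the observed data port 9989 are taken from the thread; all IP
addresses used here are constructed (RFC 5737 documentation / RFC 1918 space).
"""
import ipaddress
import re

# Six comma-separated decimal fields: four IP octets, then port high byte, port low byte.
_PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# NAT'd LAN space; a PASV reply carrying one of these is useless to an outside client.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv_reply(reply):
    """Return (host, port) advertised by a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    m = _PASV_RE.search(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in PASV reply: %r" % reply)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]  # the thread's (39,5) -> 39*256 + 5 = 9989
    return host, port


def build_pasv_reply(host, port):
    """Inverse of parse_pasv_reply: the reply a server emits for a given data endpoint."""
    if not 0 < port <= 65535:
        raise ValueError("port out of range: %d" % port)
    octets = str(ipaddress.IPv4Address(host)).split(".")
    return "227 Entering Passive Mode (%s,%d,%d)." % (",".join(octets), port // 256, port % 256)


def check_pasv_reply(reply, wan_ip, passive_range):
    """List the problems an outside client would hit with this reply.

    wan_ip: the public address the client must see (vsftpd: pasv_address).
    passive_range: (low, high) inclusive, the range statically forwarded on the
                   router (vsftpd: pasv_min_port / pasv_max_port).
    """
    host, port = parse_pasv_reply(reply)
    addr = ipaddress.IPv4Address(host)
    problems = []
    if any(addr in net for net in _RFC1918):
        # The classic NAT failure: the server hands out its LAN address.
        problems.append("server advertised private address %s; it must advertise the WAN address" % host)
    elif host != wan_ip:
        problems.append("advertised %s but the WAN address is %s" % (host, wan_ip))
    low, high = passive_range
    if not low <= port <= high:
        problems.append("data port %d is outside the forwarded range %d-%d" % (port, low, high))
    return problems


if __name__ == "__main__":
    passive_range = (9970, 10000)  # from the thread
    wan_ip = "203.0.113.5"         # constructed stand-in for the masked 81.xxx.xxx.xxx
    for reply in (
        "227 Entering Passive Mode (203,0,113,5,39,5).",   # healthy: WAN address, port 9989
        "227 Entering Passive Mode (192,168,1,10,39,5).",  # LAN address leaked through NAT
        "227 Entering Passive Mode (203,0,113,5,4,0).",    # port 1024, not forwarded
    ):
        host, port = parse_pasv_reply(reply)
        print("%s -> %s:%d %s" % (reply, host, port, check_pasv_reply(reply, wan_ip, passive_range) or "OK"))
```

    The check is what you would run against a captured control-channel reply (or, as here, against a reply you construct from the server's configuration) before concluding the router is at fault: if the advertised address is the LAN address or the port falls outside the forwarded range, the server config is the problem, not the firewall.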