D-Link DFL-2500 User Guide - Page 168
can be configured to use passive mode, which is
View all D-Link DFL-2500 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 168 highlights
18.2. FTP 149 When active mode is used, the firewall is not aware of that the FTP server will establish a new connection back to the FTP client. Therefore, the connection for the data channel will be dropped by the firewall. As the port number used for the data channel is dynamic, the only way to solve this is to allow traffic from all ports on the FTP server to all ports on the FTP client. Obviously, this is not a good solution. When passive mode is used, the firewall does not need to allow connections from the FTP server. On the other hand, the firewall still does not know what port the FTP client tries to use for the data channel. This means that the firewall has to allow traffic from all ports on the FTP client to all ports on the FTP server. Although this is not as insecure as in the active mode case, it still presents a potential security threat. Furthermore, not all FTP clients are capable of using passive mode. Solution The FTP ALG solves this problem by fully reassembling the TCP stream of the command channel and examining its contents. Thus, the firewall knows what port to be opened for the data channel. Moreover, the FTP ALG also provides functionality to filter out certain control commands and provide a basic buffer overrun protection. The most important feature of the FTP ALG is its unique capability to perform on-the-fly conversion between active and passive mode. The conversion can be described like this: • The FTP client can be configured to use passive mode, which is the recommended mode for clients. • The FTP server can be configured to use active mode, which is the safer mode for servers. • When a FTP session is established, the firewall will automatically and transparently receive the passive data channel from the FTP client and the active data channel from the server, and tie them together. This implementation results in that both the FTP client and the FTP server work in their most secure mode. Naturally, the conversion also works the other way around, that is, with the FTP client using active mode and the FTP server using passive mode. D-Link Firewalls User's Guide