Zero logo

FileZilla SSL part 2

The previous page covered securing a local FTP server. This page expands on that for securing an FTP server to run over the internet. Before proceeding ensure you have configured and tested as explained on the previous page. There are two transfer modes active or passive, configuring an FTP server for internet use the user (FTP client) is given priority. Everything is geared to make it easier for the client hence your server must support passive mode. The following covers this mode and the added complication of running a FTP server behind a wireless router with NAT.

FTP Basics

FTP uses two ports, a command (control) port and data port traditionally these are assigned ports 21 and 20 respectively. Depending on the operating mode, the data port is not always on port 20.

Passive_FTP

Most browsers use passive mode for connection this mode changes the data port as follows.
In passive mode a client initiates both connections to the server. A client first opens two consecutive random unprivileged ports (ports above 1023). The first port contacts the server on port 21, and issues the PASV command. In response the server opens a random unprivileged port and sends the PORT P command back to the client. The client then initiates the connection from it’s second port to transfer data.

A secure FTP server follows the above procedure with one minor difference the command port used is reserved port 990.
What’s important when using a NAT device is the need to forward ports 20, 21, 990 and all unprivileged ports. In reality unprivileged ports are restricted to a small range for example 50000 to 50100.

During a data transfer the FTP server needs to send its visible IP address back to a client. Because of address translation through a NAT device the FTP server has no way of determining this IP address. It needs to be set during FTP server configuration, not a problem if you have a fixed IP address however a dynamic IP is problematic. The FileZilla team neatly resolves this issue by providing a dynamic IP address resolution service.

Active_FTP

If you have ever set-up an FTP client behind a NAT (Network Address Translation) router you will have been forced to changed mode from active to passive. Reason for this, active FTP will not work behind a NAT device.

Summary

The above is intended to explain why you need to twiddle certain settings and how to choose options for your installation. All settings for passive mode are on a single page making the whole set-up process easier.

Configure Passive Mode

  • Start UniServer FileZilla Controller: Double click on UniFzController.bat
  • Start FileZilla Server: Click Start FZ Server
  • Start FileZilla Interface: Click on Start Interface
  • Select Edit > Settings
  1. A) Select Passive mode settings
  2. B) Default: Select this if directly connected to the Internet.
  3. C) Use the following IP: If connected to the Internet via a NAT router and you have a fixed IP address enter it here.
  4. D) Retrieve external IP address from: If connected to the Internet via a NAT router and you have a dynamic IP address select this radio button. Enables FileZilla’s dynamic IP address resolution service
  5. E) Don’t use external IP for local connection. Default is checked, no need to change this.
  6. F) Use custom port range: Check this box to enable, we do need to restrict the range of random ports. This also restricts (minimises) the ports that require forwarding in the router.
    • Enter range of ports you want to allow, 50000-50100 is reasonable. Allows 100 ports consider reducing this if you do not expect a high number of simultaneous connections.
  7. G) Click OK
Configure passive mode

Configure NAT Router

You need to forward ports 20, 21, 990 and the range (50000-50100) to your PC’s IP address (for example 192.168.1.6)
Replace the value in brackets with your own IP address.

There is a vast range of routers hence I have not provided any detailed set-up instructions.

Again I point you to PortForwrd a website dedicated to this topic with detailed instructions how to forward ports on most routers.

The example shown on the right is for a DrayTek Vigor 2800G router hopefully this will provide a clue what to look for when configuring your own router.

Config Nat router

Summary

That concludes this two part secure FTP configuration guide. You now have a fully working secure FTP server that will transfer files locally or over the Internet.


--oOo--