• Allow the server to use passive mode.
If this option is enabled, the FTP server is allowed to use both passive and active transfer
modes. With the option disabled, the server will never receive passive mode data channels.
NetDefendOS will handle the conversion automatically if clients use passive mode.
A range of server data ports is specified with this option. The client will be allowed to connect
to any of these if the server is using passive mode. The default range is 1024-65535.
These options can determine if hybrid mode is required to complete the connection. For
example, if the client connects with passive mode but this is not allowed to the server then
hybrid mode is automatically used and the FTP ALG performs the conversion between the two
modes.
Predefined FTP ALGs and Services Before NetDefendOS Version 11.01
In older versions of NetDefendOS, four predefined FTP ALG and Service objects were provided,
each with a different combination of client/server mode restrictions. These ALG and Service
objects had the following names:
• ftp-inbound - Clients can use any mode but servers cannot use passive mode.
• ftp-outbound - Clients cannot use active mode but servers can use any mode.
• ftp-passthrough - Both the client and the server can use any mode.
• ftp-internal - The client cannot use active mode and the server cannot use passive mode.
Beginning with NetDefendOS version 11.01, these individual services are removed from a new
NetDefendOS installation. However, they remain in configurations that upgrade to 11.01 or later.
A new installation can recreate them manually but the recommended option is to use the
predefined ftp service with an IP Policy object, in which case all the options previously available
on the ALG are now available directly on the policy.
FTP ALG Command Restrictions
The FTP protocol consists of a set of standard commands that are sent between server and client.
If the NetDefendOS FTP ALG sees a command it does not recognize then the command is
blocked. This blocking must be explicitly lifted and the options for lifting blocking are:
• Allow unknown FTP commands. These are commands the ALG does not consider part of the
standard set.
• Allow the SITE EXEC command to be sent to an FTP server by a client.
• Allow the RESUME command even if content scanning terminated the connection.
Note: Some commands are never allowed
Some commands, such as encryption instructions, are never allowed. Encryption would
mean that the FTP command channel could not be examined by the ALG and the
dynamic data channels could not be opened.
Control Channel Restrictions
Chapter 6: Security Mechanisms
438
To Next Page
Loading...
