Passive FTP Issue

Larry_Birch · ‎2020-01-15

Since moving to R80.20 we've had an issue with the "ftp" service. As a stop gap we used "ftp-protocol-signature" and match for any which is now causing issues as a great number of ports are now sporadically identified as such (80, 53, 443, etc). I am now trying to get back to the port based ftp service and having issues. To troubleshoot I have an "ftp" rule followed by an "ftp-protocol-signature" rule.

The initial ftp connection on port 21 matches on the "ftp" service rule, however, upon negotiation of the data port it falls through to the second "ftp-protocol-signature" rule around line 8:

No.	Time	Source	Destination	Protocol	Length	Info
1	0	192.139.152.XXX	216.8.153.YYY	TCP	62	55479 > 21 [SYN] Seq=0 Win=32768 Len=0 MSS=1460 WS=1
2	0.034743	192.139.152.XXX	216.8.153.YYY	TCP	54	55479 > 21 [ACK] Seq=1 Ack=1 Win=32768 Len=0
3	0.050639	192.139.152.XXX	216.8.153.YYY	FTP	60	Request: SYST
4	0.066276	192.139.152.XXX	216.8.153.YYY	FTP	72	Request: USER *********
5	0.08137	192.139.152.XXX	216.8.153.YYY	FTP	69	Request: PASS **********
6	0.154162	192.139.152.XXX	216.8.153.YYY	TCP	54	55479 > 21 [ACK] Seq=40 Ack=235 Win=32768 Len=0
7	0.168541	192.139.152.XXX	216.8.153.YYY	FTP	60	Request: PASV
8	0.184125	192.139.152.XXX	216.8.153.YYY	TCP	62	55486 > 63690 [SYN] Seq=0 Win=32768 Len=0 MSS=1460 WS=1
9	0.198893	192.139.152.XXX	216.8.153.YYY	FTP	83	Request: STOR FILEXXXXX
10	0.214221	192.139.152.XXX	216.8.153.YYY	TCP	54	55486 > 63690 [ACK] Seq=1 Ack=1 Win=32768 Len=0
11	0.229467	192.139.152.XXX	216.8.153.YYY	TCP	1406	55486 > 63690 [ACK] Seq=1 Ack=1 Win=32768 Len=1352
12	0.229566	192.139.152.XXX	216.8.153.YYY	TCP	1406	55486 > 63690 [ACK] Seq=1353 Ack=1 Win=32768 Len=1352
13	0.22961	192.139.152.XXX	216.8.153.YYY	TCP	764	55486 > 63690 [PSH, ACK] Seq=2705 Ack=1 Win=32768 Len=710
14	0.229614	192.139.152.XXX	216.8.153.YYY	TCP	54	55486 > 63690 [FIN, ACK] Seq=3415 Ack=1 Win=32768 Len=0
15	0.245719	192.139.152.XXX	216.8.153.YYY	TCP	54	55486 > 63690 [ACK] Seq=3416 Ack=2 Win=32768 Len=0
16	0.245726	192.139.152.XXX	216.8.153.YYY	FTP	59	Request: PWD
17	0.260447	192.139.152.XXX	216.8.153.YYY	FTP	83	Request: RNFR FILEXXXXX
18	0.275011	192.139.152.XXX	216.8.153.YYY	FTP	86	Request: RNTO FILEYYYYY
19	0.30613	192.139.152.XXX	216.8.153.YYY	FTP	60	Request: QUIT
20	0.3216	192.139.152.XXX	216.8.153.YYY	TCP	54	55479 > 21 [FIN, ACK] Seq=147 Ack=449 Win=32768 Len=0
21	0.321714	192.139.152.XXX	216.8.153.YYY	TCP	54	55479 > 21 [ACK] Seq=148 Ack=450 Win=32768 Len=0
22	1.576145	192.139.152.XXX	216.8.153.YYY	TCP	66	21 > 63691 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
23	1.590468	192.139.152.XXX	216.8.153.YYY	FTP	81	Response: 220 Microsoft FTP Service
24	1.605046	192.139.152.XXX	216.8.153.YYY	FTP	77	Response: 331 Password required
25	1.620133	192.139.152.XXX	216.8.153.YYY	FTP	1088	Response: 230-WARNING:
26	1.62016	192.139.152.XXX	216.8.153.YYY	FTP	75	Response: 230 User logged in.
27	1.634786	192.139.152.XXX	216.8.153.YYY	FTP	74	Response: 200 Type set to I.
28	1.648881	192.139.152.XXX	216.8.153.YYY	FTP	70	Response: 215 Windows_NT
29	1.663016	192.139.152.XXX	216.8.153.YYY	FTP	88	Response: 211-Extended features supported:
30	1.663093	192.139.152.XXX	216.8.153.YYY	FTP	72	Response: LANG EN*
31	1.663115	192.139.152.XXX	216.8.153.YYY	FTP	107	Response: AUTH TLS;TLS-C;SSL;TLS-P;
32	1.663132	192.139.152.XXX	216.8.153.YYY	FTP	61	Response: HOST
33	1.663153	192.139.152.XXX	216.8.153.YYY	FTP	91	Response: SIZE
34	1.677245	192.139.152.XXX	216.8.153.YYY	FTP	112	Response: 200 OPTS UTF8 command successful - UTF8 encoding now ON.
35	1.712574	192.139.152.XXX	216.8.153.YYY	FTP	83	Response: 250 CWD command successful.
36	1.729417	192.139.152.XXX	216.8.153.YYY	FTP	103	Response: 550 The system cannot find the file specified.
37	1.74992	192.139.152.XXX	216.8.153.YYY	FTP	107	Response: 227 Entering Passive Mode (192,139,152,XXX,237,68).
38	1.764894	192.139.152.XXX	216.8.153.YYY	TCP	66	60740 > 24973 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
39	1.788989	192.139.152.XXX	216.8.153.YYY	FTP	108	Response: 125 Data connection already open; Transfer starting.
40	1.803761	192.139.152.XXX	216.8.153.YYY	TCP	54	60740 > 24973 [ACK] Seq=1 Ack=2107 Win=131072 Len=0
41	1.807151	192.139.152.XXX	216.8.153.YYY	TCP	54	60740 > 24973 [ACK] Seq=1 Ack=2108 Win=131072 Len=0
42	1.8073	192.139.152.XXX	216.8.153.YYY	TCP	54	60740 > 24973 [FIN, ACK] Seq=1 Ack=2108 Win=131072 Len=0
43	1.807392	192.139.152.XXX	216.8.153.YYY	FTP	78	Response: 226 Transfer complete.
44	1.880154	192.139.152.XXX	216.8.153.YYY	FTP	68	Response: 221 Good-Bye
45	1.880182	192.139.152.XXX	216.8.153.YYY	TCP	54	21 > 63691 [FIN, ACK] Seq=1572 Ack=160 Win=130816 Len=0
46	1.895165	192.139.152.XXX	216.8.153.YYY	TCP	54	21 > 63691 [ACK] Seq=1573 Ack=161 Win=130816 Len=0

Maarten_Sjouw · ‎2020-01-15

The main thing here is you are showing 2 different session in 2 different directions and from both sessions you only show half the communication, specially missing in the first part is the line similar to this one:
Response: 227 Entering Passive Mode (192,139,152,155,237,68).
What we advise with FTP servers is to use passive mode and to use a fixed range of max 500 ports, when less busy use a range of 100 ports.
Most of the FTP servers nowadays use TLS also, causing the communication to fail as the FW cannot see the PASV command
anymore. Therefore just allowing the FTP port and the range will still allow the traffic and still be reasonable secure.

Regards, Maarten