[
https://issues.apache.org/jira/browse/NIFI-14719?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Vincenzo Lombardo updated NIFI-14719:
-------------------------------------
Affects Version/s: (was: 2.5.0)
> Add Port Range Parameter for Passive FTP in ListenFTP Processor
> ---------------------------------------------------------------
>
> Key: NIFI-14719
> URL: https://issues.apache.org/jira/browse/NIFI-14719
> Project: Apache NiFi
> Issue Type: Improvement
> Reporter: Vincenzo Lombardo
> Priority: Major
>
> Currently, the ListenFTP processor in Apache NiFi does not provide a
> mechanism to specify a port range for passive FTP mode. When NiFi's ListenFTP
> processor is used in an environment with strict firewall rules, the lack of a
> configurable passive port range makes it challenging to manage inbound FTP
> connections. The default behavior often selects random high-numbered ports,
> which necessitates opening a wide range of ports on firewalls, posing a
> security risk and increasing administrative overhead.
> *This issue is particularly problematic when running NiFi within a Docker
> container.* Without a defined port range, exposing random high ports from the
> Docker container to the host machine, and subsequently through network
> firewalls, becomes unmanageable and highly insecure. It forces users to open
> an overly broad range of ports on their Docker host and potentially on
> external firewalls, defeating the purpose of network segmentation and
> security best practices.
> h3. Proposed Solution
> Add a new configurable property to the ListenFTP processor called *"Passive
> Port Range"*. This property would allow users to define a specific range of
> ports (e.g., {{50000-50099}}) that the ListenFTP processor should use
> when operating in passive FTP mode.
> h3. Benefits
> * *Improved Security:* Users can restrict the range of ports open on their
> firewalls, reducing the attack surface.
> * *Easier Firewall Management:* Simplifies firewall configuration by
> allowing administrators to define a narrow and predictable set of ports.
> * *Enhanced Deployability:* Makes it easier to deploy NiFi's ListenFTP
> processor in secure and tightly controlled network environments,
> *especially in containerized environments like Docker*.
> h3. Implementation Details & Offer to Contribute
> I have already implemented this feature privately for my own use case and
> would be happy to *share my changes* and contribute them to the Apache NiFi
> project. This could potentially accelerate the integration of this
> much-needed functionality into a future release.
> h3. User Scenario
> A user needs to configure ListenFTP to receive files via passive FTP from
> external systems. Their corporate firewall policy requires all inbound
> connections to use pre-defined port ranges for security. Without the ability
> to specify a passive port range, the user is forced to open a wide, dynamic
> range of high ports, or is unable to use ListenFTP effectively in their
> environment. *When deploying NiFi in Docker, this problem is exacerbated as
> manually mapping random high ports from the container to the host is
> impractical and insecure, hindering robust Docker deployments for FTP
> ingress.*
> h3. Expected Behavior
> When the "Passive Port Range" property is configured (e.g., to
> {{50000-50099}}), the ListenFTP processor should only use ports within
> this specified range for passive data connections. If the property is left
> unconfigured, the current default behavior (random high-numbered ports)
> should be maintained.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
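The validation and allocation behaviour the ticket asks for, written out as an added example in Python. This is not the ListenFTP processor's code nor the reporter's private change; the function names, the `PortRange` type, the bind-to-127.0.0.1 probing and the choice to reject privileged ports below 1024 are assumptions made for the illustration. It shows the two cases in the Expected Behavior section: a configured range such as `50000-50099` is parsed and checked, and passive data sockets are then bound only inside that range; an empty value falls back to an OS-chosen ephemeral port, which is the current default the ticket describes.

```python
"""Passive port range validation and allocation (added example, not NiFi code).

Models the "Passive Port Range" property proposed for ListenFTP: the value is
validated up front so a bad range is rejected at configuration time, and
passive data connections are only ever bound to ports inside the range, so the
firewall opening stays exactly as narrow as the administrator configured.
"""
import re
import socket
from dataclasses import dataclass
from typing import Optional

# Accepts "low-high" with optional surrounding whitespace, e.g. "50000-50099".
_RANGE_RE = re.compile(r"^\s*(\d{1,5})\s*-\s*(\d{1,5})\s*$")
_MIN_UNPRIVILEGED = 1024  # assumption: do not allow privileged ports for data sockets
_MAX_PORT = 65535


@dataclass(frozen=True)
class PortRange:
    """Inclusive TCP port range."""
    low: int
    high: int

    def __contains__(self, port: int) -> bool:
        return self.low <= port <= self.high

    def size(self) -> int:
        return self.high - self.low + 1


def parse_passive_port_range(value: Optional[str]) -> Optional[PortRange]:
    """Validate the property value; None means 'unset, keep default behaviour'."""
    if value is None or value.strip() == "":
        return None
    m = _RANGE_RE.match(value)
    if not m:
        raise ValueError(f"invalid passive port range {value!r}: expected 'low-high'")
    low, high = int(m.group(1)), int(m.group(2))
    for p in (low, high):
        if not (_MIN_UNPRIVILEGED <= p <= _MAX_PORT):
            raise ValueError(f"port {p} outside {_MIN_UNPRIVILEGED}-{_MAX_PORT}")
    if low > high:
        raise ValueError(f"passive port range {value!r} has low > high")
    return PortRange(low, high)


def bind_passive_socket(rng: Optional[PortRange], host: str = "127.0.0.1") -> socket.socket:
    """Bind a listening socket for one passive data connection.

    With a range configured, probe the range in order and keep the first port
    that binds; with no range, bind port 0 so the OS picks an ephemeral port
    (the existing default the ticket describes). Caller closes the socket.
    """
    if rng is None:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind((host, 0))
        s.listen(1)
        return s
    for port in range(rng.low, rng.high + 1):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind((host, port))
            s.listen(1)
            return s
        except OSError:
            s.close()  # port busy, try the next one in the range
    raise OSError(f"no free port in passive range {rng.low}-{rng.high}")


def passive_port(sock: socket.socket) -> int:
    """Port actually bound, i.e. what the PASV reply would advertise."""
    return sock.getsockname()[1]


if __name__ == "__main__":
    rng = parse_passive_port_range("50000-50099")
    s = bind_passive_socket(rng)
    print(f"passive data socket on port {passive_port(s)} (allowed: {rng.low}-{rng.high})")
    s.close()
```

Every port handed out by `bind_passive_socket` is one the administrator can pre-open on the host and on any upstream firewall, and the validator fails fast on an inverted, malformed or privileged range instead of silently falling back to random high ports.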