On Sun, Feb 19, 2012 at 10:09 PM, Andrew Jones <a...@jonesy.com.au> wrote:
> On Mon, 20 Feb 2012 11:17:32 +0900, Masataka Ohta
> It seems to me that this will create all sorts of headaches for firewall
> ALGs. Rather than just passing port 21/tcp traffic to the FTP ALG for
> example, the devices would need to inspect traffic on all ports and perform
[snip]
That doesn't work when the FTP control connection is encrypted using SSL. Layer 4 Firewall devices should not be expecting to intercept FTP traffic and make decisions based on the application layer contents of the traffic.

I would suggest a requirement that FTP clients utilizing SRV records to access FTP on an alternate port MUST utilize Firewall-Friendly FTP as described by RFC1579. Each FTP server can then be assigned its own port range, or the FTP server can be configured to notify the Firewall device which ports to forward using UPnP or a NAT traversal protocol such as STUN, and the Firewall device can be configured to forward the appropriate range of ports to the correct server.

--
-JH
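The firewall-side consequence of the proposal above, as an added example that is not part of the thread: with Firewall-Friendly (passive-mode) FTP the client opens the data connection to a port the server advertises in its 227 reply, so a firewall that forwards a fixed passive range per server only has to check that the advertised endpoint falls inside that server's range. The server addresses and port ranges below are constructed placeholders, and the requirement that the advertised address equal the control-connection peer is an assumption added here.

```python
import re

# Constructed example of a firewall's per-server passive data-port allocation,
# keyed by the FTP server's address. Hypothetical values, not from the thread.
PASSIVE_RANGES = {
    "192.0.2.10": (50000, 50099),
    "192.0.2.11": (50100, 50199),
}

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(
    r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Return (host, port) advertised by a 227 reply, rejecting malformed ones."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV 227 reply: {reply!r}")
    octets = [int(x) for x in m.groups()]
    if max(octets) > 255:
        raise ValueError(f"octet out of range in {reply!r}")
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2


def data_connection_allowed(control_peer: str, reply: str) -> bool:
    """Decide whether the firewall forwards the advertised data endpoint.

    The advertised host must be the server the control connection went to
    (added assumption) and the port must lie in that server's allocated
    passive range; anything else is dropped without inspecting the session.
    """
    try:
        host, port = parse_pasv_reply(reply)
    except ValueError:
        return False
    if host != control_peer:
        return False
    rng = PASSIVE_RANGES.get(control_peer)
    return rng is not None and rng[0] <= port <= rng[1]
```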