Firewalls and FTP external IP address for PASV

Yesterday we came across what, at first, seemed to be a pretty odd case, and we think it’s worth sharing with our users.

Most firewalls (we’d say all the ones we know) have NAT/PAT capabilities, and many are able to perform protocol-level inspection when the connection is not encrypted. SSH (and SFTP) are always encrypted, but FTP can be either encrypted or not. In theory, though, protocol inspection should only prevent protocol-related attacks, not modify client requests or server responses.

Yet, yesterday a customer with a perfectly configured instance of Syncplify.me Server! was experiencing weird behavior: FTPS/FTPES (encrypted) sessions were working perfectly, while plain FTP sessions were dropped upon every attempt to open a data connection to transfer files.

New release: Syncplify.me Server! v2.0.7.27

After the recent addition of the public IP to be used for PASV connections, we have now improved that feature by adding the ability to specify a “local LAN” address space to which the above-mentioned configuration will not be applied. Basically, this makes your NATted server able to accept PASV connections both from inside and outside your Local Area Network (LAN).
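The address selection described above can be sketched as follows. This is an added example, not Syncplify.me Server! code: the function names, the addresses (documentation and private ranges) and the data port are constructed for illustration.

```python
import ipaddress


def select_pasv_address(client_ip, bind_ip, public_ip, local_networks):
    """Return the IP to advertise in the PASV reply for this client.

    Clients inside any "local LAN" range get the server's real (bind)
    address; everyone else gets the configured public (NAT) address.
    """
    client = ipaddress.ip_address(client_ip)
    for net in local_networks:
        # strict=False tolerates entries such as "192.168.1.10/24"
        if client in ipaddress.ip_network(net, strict=False):
            return bind_ip
    return public_ip


def pasv_reply(client_ip, bind_ip, public_ip, local_networks, data_port):
    """Format the 227 reply: (h1,h2,h3,h4,p1,p2) with port = p1*256 + p2."""
    if not 1 <= data_port <= 65535:
        raise ValueError("data port out of range")
    chosen = select_pasv_address(client_ip, bind_ip, public_ip, local_networks)
    # PASV can only carry IPv4; this raises if an IPv6 address is configured.
    octets = str(ipaddress.IPv4Address(chosen)).split(".")
    fields = octets + [str(data_port >> 8), str(data_port & 0xFF)]
    return "227 Entering Passive Mode (" + ",".join(fields) + ")"


if __name__ == "__main__":
    # Constructed sample configuration and clients.
    lan = ["192.168.1.0/24"]
    for client in ("192.168.1.50", "198.51.100.23"):
        print(client, "->",
              pasv_reply(client, "192.168.1.10", "203.0.113.7", lan, 50000))
```

A LAN client is told to connect to the server's private address directly, while an outside client is given the public address that the firewall forwards to the server.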

You can download the latest version from our web site, as usual.