Forwarding FTP
FTP forwarding is an extension to the generic port forwarding mechanism. The FTP control channel can be secured by using generic port forwarding, but since the FTP protocol requires creating separate TCP connections for the files to be transferred, all the files would be transferred unencrypted when using generic port forwarding, as these separate TCP connections would not be forwarded automatically.
To protect also the transferred files, use FTP forwarding instead. It works similarly to generic port forwarding, except that the FTP forwarding code monitors the forwarded FTP control channel and dynamically creates new port forwardings for the data channels as they are requested.
TCP port 21 is the port the client uses to establish a connection with the remote server for an FTP session. The TCP port locally assigned to the client is always going to be different since it is only used as a method to ensure the FTP server traffic is sent back to the appropriate machine.
This is important in situations where multiple users may be using FTP to transfer files to the same server. If the users' machines are sitting behind a NAT device such as a firewall, all packets coming to the server will look as though they are from the same machine. The dynamic port numbers assigned to each client enable the firewall to route the return packets to the correct user.
To see exactly how this dynamically created port forwarding is done, two different cases need to be examined: the active mode and the passive mode of the FTP protocol.
FTP in Passive Mode
In passive mode, the FTP client sends the command PASV
to the server, which reacts by opening a listener port for the data channel and sending the IP address and port number of the listener as a reply to the client. The reply is of the format 227 Entering Passive Mode (10,1,60,99,6,12)
.
When the Secure Shell client notices the reply to the PASV
command, it creates a local port forwarding to the destination mentioned in the reply. After this, the client rewrites the IP address and port in the reply to point to the listener of the newly created local port forwarding (which exists always in a localhost
address, 127.0.0.1) and passes the reply to the FTP client. The FTP client opens a data channel based on the reply, effectively tunneling the data through the SSH connection, to the listener that the FTP server has opened. The net effect is that the data channel is secure all the way except from the Secure Shell server to the FTP server, if they are on different machines. This sequence of events takes place automatically for every data channel.
Since port forwarding is opened to a localhost
address, the FTP client must be run on the same machine as the Secure Shell client if passive mode is used.
FTP in Active Mode
In active mode, the FTP client creates a listener on a local port for a data channel from the FTP server to the FTP client, and requests the channel by sending the IP address and the port number to the FTP server in a command of the following format: PORT 10,1,60,99,6,12
. The Secure Shell client intercepts this command and creates a remote port forwarding from the Secure Shell server localhost
address to the address and port specified in the PORT
command.
After creating the port forwarding, the Secure Shell client rewrites the address and port in the PORT
command to point to the newly opened remote forwarding on the Secure Shell server and sends it to the FTP server. Now the FTP server opens a data channel to the address and port in the PORT
command, effectively forwarding the data through the SSH connection. The Secure Shell client passes the incoming data to the original listener created by the FTP client. The net effect is that the data channel is secure the whole way except from the Secure Shell client to the FTP client. This sequence of events takes place automatically for every data channel.
Since port forwarding is made to a localhost
address on the Secure Shell client machine, the FTP client must be run on the same host as the Secure Shell client if passive mode is used.
Where end-to-end encryption of FTP data channels is desired, the FTP server and Secure Shell server need to reside on the same host, and the FTP client and the Secure Shell client will likewise need to reside on the same host. If this is the case, both active or passive mode can be used.
Note: Consider using sftp2
or scp2
(see SCP2 Syntax) instead of FTP forwarding to secure file transfers. It will require less configuration than FTP forwarding, since the server already has sftp-server2
as a subsystem, and sftp2
and scp2
clients are included in the distribution.