Forum Discussion

Old-Greg-MD's avatar
Old-Greg-MD
Icon for Nimbostratus rankNimbostratus
Mar 25, 2016

Age old passive FTP questions

Just realized I posted this in discussions vs questions. Re-posting

 

This has probably been beaten down enough at this point, but I can't seem to find the answer anywhere. Here is the setup:

 

FTP server: just an ubuntu vsftpd server listening on port 21 and passive data ports set to a range 10090-10100. this is working as expected (prior to introducing F5) Virtual Server: listening on port 21 w/ default tcp profile and custom FTP profile with data port set to 0. Member is FTP server port 21. Passive FTP also works through this virtual server just fine. Here is my issue. When my FTP server responds with the passive port to use, let's say 10100, the F5 translates that port within the packet to a random ephemeral port. The client does as it's told and transfers the data over that random port, F5 handles the port translation back to port 10100 for my FTP server on the back end and everything works fine, but my problem is I need the client to connect to the actual port presented within the FTP passive response from my FTP server for firewall access-list reasons.

 

I've tried the following: - disabled port translation on the virtual server - turned off CMP for that virtual server (found an article that referenced this possibly causing the issue) - changed the member from ip.addr:21 to ip.addr:0 (didn;t think that would do it but tried just for the hell of it) - changed the custom FTP profile to a specific data port of 10100 and set my ftp server to only use port 10100 as the passive FTP port

 

In each case, the F5 still changes that passive port to another port when sending the response packet to the client.

 

I have pcaps that show exactly what is happening and can reproduce every time. Anyone that has any insight into this I would be GREATLY appreciative. Thanks all

 

-GR

 

Reply to this Discussion 0 Rate this Discussion

 

  • Starting in 11.5.0, there is an iRule command, FTP::port, which allows you to limit passive FTP port selection to a specified range.

     

    You may need to specify a port range with greater than just ten ports - I would recommend at least several times the number of TMMs on your system. Unless you have near-fully populated VIPRION 4800, 100 ports should be fine. You can experiment, but you should have at least the same number of ports as the number of TMMs on your system.

     

    You may also specify a smaller number of ports and disable CMP for that virtual server, but doing so is not recommended as it can impact performance and limit capacity.