Because an active FTP session transfers data over a randomly chosen port, apply the FTP plugin module to your service objects to ensure that only the chosen port is opened for these types of connections. Active FTP sessions use port 21 to establish connections, and then the client and the server use a port from 1024 through 65535 to send and receive data. With the FTP plugin module, the Barracuda NG Firewall listens to the two FTP partners and opens the chosen port for the connection.
The following diagram illustrates how data is transferred in an FTP session that is established through the Barracuda NG Firewall with the FTP plugin module. After an initiating request on port 21, the server answers with port 24500. All subsequent traffic uses port 24500. The FTP plugin module indicates that no Port Address Translation (PAT) is performed for FTP data sessions, even if the firewall session is NAT'd.
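The control-channel inspection described above can be illustrated with a short Python example. It is added here and is not Barracuda's code; the function names, the sample addresses, and the rule that an announced endpoint must belong to the host that sent it are assumptions of the example. It reads FTP control lines seen on port 21 and returns the single data endpoint that would be opened, using port 24500 from the text as one of the cases.

```python
import re

# h1,h2,h3,h4,p1,p2 as carried by PORT (client) and the 227 reply (server)
_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# The 229 reply to EPSV carries only the port: (|||port|)
_EPSV = re.compile(r"\(\|\|\|(\d{1,5})\|\)")

def data_endpoint(line, sender_ip):
    """Return the (ip, port) announced on the control channel, or None."""
    line = line.strip()
    if line.upper().startswith("PORT ") or line.startswith("227 "):
        m = _TUPLE.search(line)
        if not m:
            return None
        nums = [int(g) for g in m.groups()]
        if any(n > 255 for n in nums):
            return None
        ip = ".".join(str(n) for n in nums[:4])
        port = nums[4] * 256 + nums[5]
    elif line.startswith("229 "):
        m = _EPSV.search(line)
        if not m:
            return None
        ip, port = sender_ip, int(m.group(1))
    else:
        return None
    # Data ports fall in 1024-65535; anything else is not opened.
    if not 1024 <= port <= 65535:
        return None
    # Assumption of this example: the endpoint must belong to the sender,
    # so a session cannot ask for a port to be opened toward a third host.
    if ip != sender_ip:
        return None
    return ip, port

def pinholes(session):
    """Collect every endpoint that would be opened for a session."""
    found = (data_endpoint(line, ip) for ip, line in session)
    return [ep for ep in found if ep is not None]

# Constructed sample: (sender address, control-channel line)
SESSION = [
    ("192.0.2.10", "220 FTP server ready"),
    ("192.0.2.10", "227 Entering Passive Mode (192,0,2,10,95,180)"),
    ("198.51.100.7", "PORT 198,51,100,7,195,80"),
    ("198.51.100.7", "PORT 203,0,113,5,195,80"),
    ("192.0.2.10", "229 Entering Extended Passive Mode (|||80|)"),
]
```

For the constructed session, `pinholes(SESSION)` yields only the two endpoints whose address matches the sender and whose port is in the data range; the last two lines are ignored.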
Add the FTP Plugin Module
To add the FTP plugin module in a service object:
- Click the Config tab. The Configuration Overview page opens in the Simple Config view.
- In the Operational Configuration table, click Ruleset under the Firewall section. The Configuration Overview/Forwarding Rules page opens.
- In the left pane, expand the Firewall Objects menu and select Services.
- Create a service object or edit an existing service object.
- In the Edit/Create Service Object window, double-click a service.
- In the Service Entry Parameters window, select ftp from the Plugin list.
- Click OK.
- Click Send Changes and Activate.