Because an active FTP session transfers data over a randomly chosen port, apply the FTP plugin module to your service objects to ensure that only the chosen port is opened for these types of connections. Active FTP sessions use port 21 to establish connections, and then the client and the server use a port from 1024 through 65535 to send and receive data. With the FTP plugin module, the Barracuda NextGen Firewall F-Series listens to the two FTP partners and opens the chosen port for the connection.
The following diagram illustrates how data is transferred in an FTP session that is established through the Barracuda NextGen Firewall F-Series with the FTP plugin module. After an initiating request on port 21, the server answers with port 24500. All subsequent traffic uses port 24500. The FTP plugin module indicates that no Port Address Translation (PAT) is performed for FTP data sessions, even if the firewall session is NAT'd.
Add the FTP Plugin Module
To add the FTP plugin module in a service object:
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
- In the left menu, click on Services.
- Click Lock.
- Right-click the table and select New. The Edit/Create Service Object window opens.
- Create a service object or edit an existing service object.
- In the Edit/Create Service Object window, double-click a service.
- In the Service Entry Parameters window, select ftp from the Plugin list.
- Click OK.
- Click Send Changes and Activate.