
Connecting via "Active" from behind a firewall with NAT

May 13, 2014 at 1:57 AM
We have a client that I need to push a file to. Their FTP server only accepts active connections, presumably because it is firewalled with NAT, and just has port 21 forwarded to the server.

I'm in the same boat. Our app server is behind a firewall with NAT as well, so by the time the app sends the PORT command it's sending an IP address from the local network and a port that isn't open on the firewall. I've checked, and our firewall does not support facilitating this connection with DPI.

The only thing I'm hoping I can do is override what's sent in the PORT command to manually put in the public IP rather than local, and specify a port or small range of ports that I could forward from the public IP to my server. This is theoretical in my mind, in that I'm not positive it would even work, but conceptually it makes sense.

Would this setup work? If so, is there any way to manually set the server and port System.Net.FtpClient uses for the PORT command?

Thanks so much for any help!
May 14, 2014 at 3:21 PM
Edited May 14, 2014 at 3:22 PM
The sensible thing to do is ask the administrators to enable passive support and define a range of ports for the FTP server to use rather than expecting clients connecting to the server to be able to use arcane configurations to support PORT/EPRT data connections in such a strict configuration. If they are unwilling to do that then FTP is probably the wrong protocol to be using (try SFTP instead). The problem is that while what you're talking about could in theory work it's a hack to work around a broken server/network configuration with regard to FTP. The solution to this problem is to talk to the sysadmins and have them set up a passive configuration, which exists precisely for working around NAT and firewalls.
May 17, 2014 at 3:18 PM
I certainly agree with you, unfortunately I've been told this isn't a possibility. Thanks for your response!