More Methods for Hosting FTP on Broadband

by Apratt

After reading about how to set up a web server behind a broadband router in 20:1, I was inspired to offer some ideas about setting up an FTP server behind such a router (or other device doing NAT or IP masquerading, such as a UNIX box or Windows box with Internet Connection Sharing; for convenience, I'll refer to all of these as "routers").

FTP's M.O.

Unfortunately, FTP doesn't play well with routers.  Since no routers existed when FTP was invented in the early-to-mid-1970s, it didn't need to.  Your FTP login and commands travel over a typical TCP connection (the "command connection," a.k.a. "control connection"), usually to port 21 of the FTP server.  The actual files and file listings to be received, however, all require a separate TCP connection (called the "data connection"), usually to an unpredictable port greater than 1023.  In active mode (the old style), the server will initiate these secondary connections to the client, to a port of the client's choosing.  In passive mode (the new style), the client will initiate these secondary connections to the server, to a port of the server's choosing.  The direction the file is being sent has no effect on who initiates the data connection.  If the client is behind a router, active mode won't work.  If the server is behind a router, passive mode won't work.  If both are behind a router, no files or file listings can be transferred.

Light at the End of the Tunnel

Fortunately, there are several solutions to the problems caused by routers.  You can forward some ports in the server's router, forward some ports in the client's router, use a proxy, or just ditch FTP altogether.

Empowering the Server

Using passive FTP and forwarding some ports on the server's router is probably the best overall solution.  You'll need to use an FTP daemon (server program) that can be told to restrict itself to using only the forwarded ports and to have the client connect to the router's IP address.  If your FTP server is behind a router, it would otherwise advertise its address as being 10.x.x.x or 192.168.x.x, which will confuse the client.  It's more practical to just download PureFTPd, ProFTPD, or GuildFTPd instead of forcing your preexisting FTP daemon to play nicely with your router.  According to PureFTPd's documentation, you need to forward two ports per simultaneous connection you wish to support.  It doesn't matter which ports you forward as long as they're all in one contiguous block, they don't conflict with anything, and they're all greater than 1023.  If you have your router configured to silently ignore uninvited connection attempts, you also might want to avoid using any ports that are famous for being sought by port scanners, such as the ports commonly used by Back Orifice, WinGate, etc., just so you don't attract any unwanted attention.

Empowering the Client

Another remedy is to use active FTP and forward some ports on the client's router.  The bad news is that most FTP client programs will report their internal IP address, such as 192.168.x.x or 10.x.x.x, instead of the router's IP address.  This will confuse the FTP daemon.  SmartFTP is one client that can report your router's IP address as well as restricting itself to using only the handful of ports that you've forwarded from your router to your FTP client computer.  Your FTP client program needs to have both of these abilities for this method to work.  As for which ports to forward, the guidelines are the same as for an FTP server.
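As an added example (not part of the original article), here is a small Python checker for the h1,h2,h3,h4,p1,p2 endpoint tuple that both the client's PORT command (active mode) and the server's 227 PASV reply (passive mode) carry. It flags the two failure modes described above: a private 10.x.x.x / 172.16.x.x / 192.168.x.x address advertised instead of the router's, and a data port outside the block you forwarded. The forwarded range 40000-40009 and the sample addresses are assumptions.

```python
import re

# Assumed forwarded block: any contiguous range above 1023 works, as the
# article says; 40000-40009 is a constructed value for this example.
FORWARDED_PORTS = range(40000, 40010)

# PORT commands and 227 PASV replies both encode the endpoint as six decimal
# bytes, h1,h2,h3,h4,p1,p2, where the port is p1*256 + p2.
_ENDPOINT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_endpoint(line):
    """Return (ip, port) from a PORT command line or a 227 PASV reply line."""
    m = _ENDPOINT_RE.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= b <= 255 for b in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("byte out of range in: %r" % line)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def is_rfc1918(ip):
    """True for 10/8, 172.16/12 and 192.168/16: unreachable from the Internet."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def check_endpoint(line, forwarded=FORWARDED_PORTS):
    """List the reasons a data connection to this endpoint would fail through
    the router; an empty list means the advertised endpoint is usable."""
    ip, port = parse_endpoint(line)
    problems = []
    if is_rfc1918(ip):
        problems.append("private address %s advertised instead of the router's" % ip)
    if port <= 1023:
        problems.append("port %d is not above 1023" % port)
    elif port not in forwarded:
        # The router never forwards this port, so the uninvited SYN is dropped.
        problems.append("port %d is outside the forwarded block" % port)
    return problems


def format_endpoint(ip, port):
    """Build the tuple a router-aware daemon or client should advertise."""
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


if __name__ == "__main__":
    # Constructed lines: a naive daemon behind NAT, then a router-aware one.
    naive = "227 Entering Passive Mode (192,168,1,5,195,80)"
    aware = "227 Entering Passive Mode (%s)" % format_endpoint("203.0.113.7", 40003)
    for line in (naive, aware):
        print(line, "->", check_endpoint(line) or ["ok"])
```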

Other Options

Proxies:  I don't like proxies in general, and their configuration is beyond the scope of this article.  Thankfully, there are better ways of transferring files across the Internet, and none of them use the strange multi-connection scheme that FTP does.

SFTP:  On the surface, SFTP is very similar to FTP.  The actual protocol, however, consists of a single SSH connection, so you have encryption and optional compression.  SFTP gives you directory listings and all the commands you're used to (chmod, rm, rename, delete, etc.).  Since SFTP programs are less common than FTP programs, you can't expect SFTP programs to be as luxurious as their FTP counterparts.  This is especially true for SFTP daemons.  I hope to see more variety soon.  SFTP is not suitable if you need the fancier features found in some FTP daemons.

SCP:  SCP is basically the SSH-enabled version of cp, UNIX's copy command.  Since it uses SSH, it is also secure and compressible.  Unfortunately, you need to know the exact path name and filename to download anything, as SCP is incapable of listing what files are available.  There are programs like NiftyTelnet 1.1 SSH for Macintosh that include an SCP client, but SCP programs are also disappointingly uncommon.  Did I mention how irritating it is that you have to know the exact path and filename of everything you want to download?  It may be an option for uploading to a drop box, however.

HTTP:  You shouldn't totally discount web servers.  If all you need are insecure one-way file transfers, a small web server is all you need to set up.  Besides, you could always configure it to support passwords, SSL, and the HTTP "PUT" method.  You do have a bottle of Advil, right?  WebDAV should be an excellent file transfer protocol in the future, but it's only in its infancy right now.

Upgrading to an FTP daemon that is router-aware is the smoothest solution, requiring only that the clients support passive transfers.  Security enthusiasts will have to settle for a less convenient method.

Greetz to Selene135, Slan, Smasher, Satan's Intern, and Kurakkuboi.
