FT_FTP

FT_FTP

FTP (File Transfer Protocol) protocol filter. Used RFCs: 959, 2428, 2228.
- Allows filtering FTP commands, responses and transmitted data.
- Filters active and passive mode data channels.
- Decodes SSL protected command and data channels.
- Supports packet level filtering of data channel.
- Supports IPv6 extensions.

Category: Protocol filter

Supported flags:
FF_READ_ONLY_IN
FF_READ_ONLY_OUT
FF_SSL_TLS
FF_SSL_SELF_SIGNED_CERTIFICATE

Object types:
OT_FTP_COMMAND - FTP command from client to server
OT_FTP_RESPONSE - server response to FTP command
OT_FTP_DATA_OUTGOING - read-only outgoing data (full stream)
OT_FTP_DATA_INCOMING - read-only incoming data (full stream)
OT_FTP_DATA_PART_OUTGOING - outgoing data packet
OT_FTP_DATA_PART_INCOMING - incoming data packet

Indicates object parts: no

The filters starts indicating FTP commands and responses after initial client-server handshake classified according to FTP specification. The objects of types OT_FTP_COMMAND and OT_FTP_RESPONSE contain one stream with raw FTP command and response.

For transmitting large data buffers FTP uses secondary data connections. In active mode it is incoming connection from server to client, established after PORT or EPRT command with specified local address as a parameter. In passive mode FTP client sends PASV or EPSV command to server, and establishes outgoing connection to the address specified in server response. After transmitting full data object, the data connection closes, and the server sends to client a response explaining results.

Note: The filtering of all incoming connections must be enabled for filtering FTP data connections in active mode!

ProtocolFilters automatically associates data connections with FTP control connection and adds FT_FTP_DATA filter for a data connection:
- FTP client sends PORT, EPRT, PASV or EPSV command to server to negotiate data connection direction and addresses.
- ProtocolFilters indicates tcpConnected event for incoming or outgoing data connection. It is possible to add preprocessors FT_PROXY and FT_SSL in event handler.
- ProtocolFilters searches for a control FTP connection by real local or remote address (the real address can be different when FTP client uses SOCKS or HTTPS proxy).
- If an appropriate FTP control connection is found, ProtocolFilters deletes all protocol filters from chain (preprocessors are not deleted), and adds FT_FTP_DATA filter instead. Also FT_SSL filter is added if necessary when FF_SSL_TLS flag is specified for the control connection. FT_FTP_DATA is added with the same FF_* flags as for control connection. I.e. if a control connection is filtered in read only mode, the appropriate data connection is filtered in read only mode too.

FT_FTP_DATA filter indicates the transmitted data using OT_FTP_DATA_* objects. Each OT_FTP_DATA_* object contains two streams:
- Content stream (index 0) contains a data buffer.
- Control channel metadata stream (index 1) contains a string, formatted as list of <name>: <value> strings, delimited with \r\n sequences.

The metadata stream is informational, i.e. ProtocolFilters ignores it when client application posts OT_FTP_DATA_* object to destination. It contains FTP command with parameters that describes the content stream, control connection identifier and transmission parameters.

The field names of metadata header:
SESSIONID - ENDPOINT_ID of FTP control connection. This field is added always.
COMMAND - FTP command sent via control channel immediately after opening data connection, e.g. STOR or RETR with a file name. This field is added always.
REST - optional field, contains a parameter of REST command specified by FTP client (see RFC 959 for details).
TYPE - optional field, contains a parameter of TYPE command specified by FTP client (see RFC 959 for details).

The optional fields are added when FTP client sends appropriate commands via control connection.

The current version blocks STRU command and MODE (B|Z), i.e. allows only default stream transfer mode for FTP data. FTP client receives error response when it tries to select an unsupported mode.

By default FT_FTP_DATA filter indicates the packets transmitted via data connection as OT_FTP_DATA_PART_* objects, containing a single packet in content stream. The filtering application can change the packet contents and post it back to destination.

When FF_READ_ONLY_(IN|OUT) flag is specified for control connection, FT_FTP_DATA filter buffers the packets and indicates full transmitted content as OT_FTP_DATA_(INCOMING|OUTGOING) object.

The data connection closes after transmitting the full content. Also FTP client can abort the data transfer and close data connection before the transmission completes. It is possible to monitor the control connection for ABORT command and bad response codes to make sure that the content is transmitted in full.

References:

RFCs related to FTP protocol specification:
http://www.faqs.org/rfcs/rfc959.html
http://www.faqs.org/rfcs/rfc2428.html
http://www.faqs.org/rfcs/rfc2228.html
http://www.faqs.org/rfcs/rfc2640.html