So you've raised your firewall high and wide in order to keep nasties away from your users. You walk proud and smile to yourself thinking that you are doing a great job protecting your users. But suddenly your users are not happy. Why? They complain that many download links they used to transfer software or documents, especially via FTP, don't work anymore. Something's wrong with the network. Could you fix it? Pronto!
What's wrong? Why some of the downloads are working while others are not? Well, it is true that the problem lies in the firewall configuration that prevents the FTP server from establishing a connection to the client machine, and you could fix it in about 15 minutes by installing FTP proxy. But that adds yet another piece of software to configure and watch for bugs and updates. You may not want to do it thinking (quite rightly) that adding yet another link to the overall security chain adds to its complexity, which is turn lowers the level of protection of your network. Also, the proxy will not solve all problems with tricky downloads, and your users will still be blaming you even though it's not your fault.
Instead of messing with your firewall configuration, try a different approach. Educate users how to download files using better tools than web browsers. You could organize tutorial sessions for them, but if you are short of time, you can just as well create a support page that explains this in detail. You do have an internal web server for publishing announcements and other internal publications, don't you? This article should be enough to get you going. If you are really too busy to write such tutorials yourself, you can always link to this article.
Also in Securing Small Networks with OpenBSD:
If your users are not afraid of the command line, you could teach them
how to download files using
curl. All of these tools are either installed with the
system or available at no charge. But, most importantly, all of these
tools are far more powerful than any GUI application.
My own experience shows that by far the easiest command-line
application that downloads files which are impossible to download using a
web browser is
curl. The reason for this is quite simple; in
its default configuration,
curl works in passive mode which
does not conflict with firewalls. Therefore, if you want to have peace of
mind, and not keep on answering user's questions, show them how to use
this tool. And teaching someone to use it is very easy. All a user needs
to do is open the terminal window, type
curl -LO, paste the
URL to the file (copied by right-clicking or Ctrl-clicking and choosing
"Copy Link to Clipboard"), and hit Return.
Mac OS X users are the administrator's dream in that respect, because
the system comes with
curl pre-installed. All they need to do
is start the Terminal application (Macintosh
curl and paste
the link to the file they want to retrieve, like this:
[localhost:~] mox% curl -LO ftp://ftp.foo.bar/pub/macosx/p01.hqx
-L option tells
curl to follow links when
the original link does not point directly to the file and the
-O option instructs
curl to save the downloaded
file under the same name it has on the remote server.
Users of Linux or *BSD systems can install cURL using an appropriate package manager, and users of Microsoft Windows can get cURL binaries from the project's home page.
Another favorite is
wget, whose main application is
mirroring web sites. It can be just as well used to download single
wget is similar to using
wget, paste the link to the file, and hit Return:
$ wget http://www.foo.bar/files/macosx/p01.hqx
Care must be taken when downloading files from ftp servers. In such
cases, your users must add the
--passive-ftp option, as
$ wget --passive-ftp ftp://ftp.foo.bar/pub/macosx/p01.hqx
wget utility is available for all operating systems,
and users of Linux or *BSD systems can install it using an appropriate
package manager. Users of Microsoft Windows can get
binaries from this
If your users like the standard ftp command, you only need to tell them to
$ ftp ftp> passive Passive mode: off; fallback to active mode: off. ftp> open ftp.ora.com Connected to ftp.ora.com. 220 ProFTPD 1.2.5 Server (O'Reilly FTP Server) [tornado.east.ora.com] Name (ftp.ora.com:mox): ...
If you're blessed (or cursed?) with managing users who do not want to learn command-line tools, you can always let them install a download manager and an FTP utility. Make sure you point them to one of each from your intranet support page. (If you give users more choice, you will be busy supporting several programs: you do not want that.) Create a simple tutorial page that teaches them how to configure such software -- use screenshots -- and how to set FTP into passive mode. I recommend that you tell people to install a good FTP client alongside a download manager, because FTP clients are more flexible. For example, users can browse local and remotes filesystem, and can upload files, which is not possible with download managers.
Don't forget about licensing. If your budget is low, try freeware solutions, otherwise check if there are shareware solutions available whose authors offers reasonable site licenses (always less expensive than multiple single-user licenses).
You can learn more about FTP and why your firewall interferes with it from TCP/IP Illustrated, Volume 1: The Protocols by W. Richard Stevens and from RFC 959.
Until next time...
Copyright © 2009 O'Reilly Media, Inc.