NFTP behind the firewall

NFTP can be used if your machine is located behind a firewall (for brevity, ordinary proxies such as Squid will be called firewalls too). There are several kinds of firewalls (and maybe even other types not documented here). Unfortunately, I cannot test NFTP with all types of firewalls because I don't have them all, so I have to rely on independent testers. If NFTP does not work with your firewall software, please contact me and I will try to fix the situation. I would also appreciate a report about whether NFTP works with your firewall, what your firewall software is called and to what type it belongs.

To configure NFTP to be used through a firewall, decide what type your firewall is (see below), and then edit NFTP.INI, setting the appropriate variables in the [firewalling] section:

Variable: Value

firewall-type: Put here the type of firewall (a number) as described below. 0 means no firewalling support and is the default. If you aren't sure, try everything from 1 to 4 and see if that works.

firewall-host: This is the name of your firewall machine.

firewall-login: This is your login on the firewall. Only needed for types 1 and 2.

firewall-password: Your password on the firewall. Only needed for types 1 and 2. Please be careful; put your password here only when you are absolutely sure that no one other than you can read this file.

firewall-port: The firewall port to connect to. Usually not needed (i.e. the default value of 21 is used); your local administrator will tell you if you need it.

use-PASV-mode: This setting is used with router-based firewalls; it forces NFTP into passive mode. The default mode of establishing the data connection (also called PORT mode) assumes that the connection is made from server to client. Sometimes this is not allowed for security reasons and use of passive mode is required. Passive mode means that the data connection is established by the client, not the server. Typically it has no effect on FTP features or performance; in the past there were some FTP servers which did not work in passive mode or handled it poorly, but virtually any modern FTP server implementation works fine in passive mode. Sometimes you need to switch it on together with another kind of firewall support: e.g., if you are connected to the Internet via WinGate (firewall type=3) and your proxy machine (which runs WinGate) is connected via Slirp (which is also a proxy), you'll need to set firewall-type=3 and use-PASV-mode=yes.

fwbug1: There exists a firewall which is of type 3 but does not accept the USER keyword on login. Set fwbug1 to "yes" for it.

Starting with version 1.51, firewall support can be switched on/off on-the-fly. For example, you can browse a remote site directly, then switch on the Squid proxy and start a long download via it (browsing via Squid is slower than working directly because Squid will establish a new connection for every directory listing). You can't configure several firewalls at once; NFTP supports only one firewall at a time (or no firewall at all). However, you can turn on passive mode together with enabling a firewall of type 1-4.

Starting with version 1.60 (not available yet), passive mode is set via the "Options|Passive mode" menu entry. Therefore you can turn it on/off on-the-fly, without editing nftp.ini. use-PASV-mode is now obsolete and does not work.

Below are firewall types supported by NFTP and configuration-specific notes.

1. SITE hostname

Firewall host, userid and password are required. The user is logged on to the firewall and the remote connection is established using
SITE remote_host

2. USER after logon

Firewall host, userid and password are required. The user is logged on to the firewall and the remote connection is established using
USER remote_userid@remote_host

3. USER with no logon

Firewall host is required; userid and password are not needed.
USER remote_userid@remote_host
is sent to the firewall upon initial connection. This is quite a popular type of firewall (examples are DeleGate, WinGate, IGate).

4. Proxy OPEN

Firewall host is required; userid and password are ignored.
OPEN remote_host
is sent to the firewall upon initial connection.

5. HTTP proxy (Squid)

Currently, only Squid and Netscape SuiteSpot server are supported. You have to specify 'firewall-host' and port (typically 3128 for Squid). Both Squid 1.x and 2.x are supported; my tests were done on 1.1.22 and 2.1-RELEASE. For best results it is recommended (but of course not necessary) to apply a patch to the Squid sources before compiling it. The patch is available from ftp://ftp.ayukov.com/pub/nftp; instructions are inside. It will force Squid to report file sizes in bytes for NFTP instead of kilobytes; this makes file sizes in NFTP precise instead of rounded. Restarting transfers through Squid is not yet supported, and some features are not available via Squid; these include making directories, renaming and deleting files. Uploading and authentication are supported since NFTP version 1.60. All transfers are made in binary mode. With Squid, there's no such thing as a 'permanent connection to the server', and you can't verify connection aliveness or send verbatim commands to the server.

6. Check Point FireWall-1 Secure FTP server

The connection is made by sending
USER remote_userid@firewall_userid@remote_host
PASS remote_password@firewall_password
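As an added illustration (not part of NFTP or its documentation), the script below parses a constructed [firewalling] section of nftp.ini and produces the exact control-channel command sequence described above for types 1-4 and 6, so you can see what your firewall will receive before putting credentials in the file. It assumes that after SITE (type 1) and OPEN (type 4) the ordinary USER/PASS for the remote host follow, and that firewall-login/firewall-password supply the firewall_userid/firewall_password of type 6; type 5 (HTTP proxy) is not an FTP exchange and is left out.

```python
import configparser
from typing import Dict, List, Tuple

# Constructed sample of the [firewalling] section; not a real installation.
SAMPLE_INI = """
[firewalling]
firewall-type=3
firewall-host=proxy.example.internal
firewall-port=21
firewall-login=
firewall-password=
"""

def load_firewalling(ini_text: str) -> Dict[str, object]:
    """Parse [firewalling], applying the defaults given on this page (type 0, port 21)."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    sec = cp["firewalling"] if cp.has_section("firewalling") else {}
    return {
        "type": int(sec.get("firewall-type", "0")),
        "host": sec.get("firewall-host", ""),
        "port": int(sec.get("firewall-port", "21")),
        "login": sec.get("firewall-login", ""),
        "password": sec.get("firewall-password", ""),
    }

def login_sequence(cfg: Dict[str, object], remote_host: str,
                   remote_user: str, remote_pass: str) -> List[Tuple[str, str]]:
    """Return (command, argument) pairs sent on the control channel, in order."""
    t = cfg["type"]
    if t == 0:                      # no firewall: plain login to the remote host
        return [("USER", remote_user), ("PASS", remote_pass)]
    if t in (1, 2):                 # log on to the firewall first (credentials required)
        if not (cfg["login"] and cfg["password"]):
            raise ValueError("types 1 and 2 need firewall-login and firewall-password")
        seq = [("USER", cfg["login"]), ("PASS", cfg["password"])]
        if t == 1:                  # assumption: remote USER/PASS follow SITE
            seq += [("SITE", remote_host), ("USER", remote_user), ("PASS", remote_pass)]
        else:
            seq += [("USER", f"{remote_user}@{remote_host}"), ("PASS", remote_pass)]
        return seq
    if t == 3:                      # no firewall logon at all
        return [("USER", f"{remote_user}@{remote_host}"), ("PASS", remote_pass)]
    if t == 4:                      # assumption: remote USER/PASS follow OPEN
        return [("OPEN", remote_host), ("USER", remote_user), ("PASS", remote_pass)]
    if t == 6:                      # FireWall-1: both identities in one USER/PASS pair
        return [("USER", f"{remote_user}@{cfg['login']}@{remote_host}"),
                ("PASS", f"{remote_pass}@{cfg['password']}")]
    raise ValueError(f"unknown firewall-type {t}")

if __name__ == "__main__":
    for cmd, arg in login_sequence(load_firewalling(SAMPLE_INI), "ftp.example.org", "anonymous", "nftp@"):
        print(cmd, "********" if cmd == "PASS" else arg)
```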

Working through SOCKS

NFTP does not yet have built-in SOCKS. On OS/2, you can use the system-wide SOCKS support which is available since OS/2 version 4.0. Set it up in the TCP/IP configuration notebook and NFTP will automagically work with it. Under Windows, SocksCap is reported to work fine as a system-wide SOCKS layer. Another free SOCKS package is available from Hummingbird. Under Unix and BeOS, SOCKS is not yet supported. It has been reported that runsocks (a Unix SOCKSifier) works with NFTP.