FirewallD And FTP Passive Mode


Howdy

I’m trying to run an FTP server behind a firewall, and I can’t enable passive mode from the Internet. There are plenty of howtos, but there aren’t many with my combination.

For now I have configured port forwarding and the FTP server itself.

On the router:
# firewall-cmd --list-all --zone=external
external (active)
interfaces: enp3s1
sources:
services: openvpn ssh
ports: 1194/tcp 2666/tcp 88/tcp
masquerade: yes
forward-ports: port!:proto=tcp:toport=:toaddr.0.32.7
port090-10100:proto=tcp:toport=:toaddr.0.32.7
port

3 thoughts on - FirewallD And FTP Passive Mode

  • Yes, it should. Are you using FTPS (FTP with TLS)?

    You probably need to set the pasv_address option.

  • Although, of course, FTPS (FTP over SSL) breaks the snooping required for the related conntracking, which makes firewall configuration hell.

    Do yourself a favour and drop FTP, switching over to SFTP instead, as that’s far easier to secure and you only have to care about a single TCP port for firewalls.

  • Do you have pasv_addr set to the hostname of the server?
    pasv_address
    Use this option to override the IP address that vsftpd will advertise in response to
    the PASV command. Provide a numeric IP address, unless pasv_addr_resolve is enabled,
    in which case you can provide a hostname which will be DNS resolved for you at
    startup.

    Default: (none – the address is taken from the incoming connected socket)