FirewallD And FTP Passive Mode
Howdy
I’m trying to run an FTP server behind a firewall, and I can’t enable passive mode from the Internet. There are plenty of howtos, but there aren’t many with my combination.
For now I have configured port forwarding and the FTP server itself.
On the router:
# firewall-cmd --list-all --zone=external
external (active)
interfaces: enp3s1
sources:
services: openvpn ssh
ports: 1194/tcp 2666/tcp 88/tcp
masquerade: yes
forward-ports: port!:proto=tcp:toport=:toaddr.0.32.7
port090-10100:proto=tcp:toport=:toaddr.0.32.7
port
3 thoughts on - FirewallD And FTP Passive Mode
Yes, it should. Are you using FTPS (FTP with TLS)?
You probably need to set the pasv_address option.
Although of course FTPS (FTP over SSL) breaks the snooping required for the related conntracking which makes firewall configuration hell.
Do yourself a favour and drop FTP, switching over to SFTP instead as that’s far easier to secure and you only have to care about the single TCP port for firewalls.
Do you have pasv_addr set to the hostname of the server?
pasv_address
Use this option to override the IP address that vsftpd will advertise in response to
the PASV command. Provide a numeric IP address, unless pasv_addr_resolve is enabled,
in which case you can provide a hostname which will be DNS resolved for you at
startup.
Default: (none – the address is taken from the incoming connected socket)
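An added diagnostic, not from the thread or from vsftpd itself, for the symptom these replies describe: decode the server's 227 PASV reply and check whether the advertised address and port are the ones the router actually forwards. The public address, the private address and the passive port range used below are constructed assumptions, not the poster's values.

```python
import ipaddress
import re

# RFC 1918 ranges: with pasv_address unset, a NAT'd vsftpd advertises the
# address of its inside socket, which falls in one of these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        raise ValueError("field out of range in %r" % reply)
    ip = ".".join(str(x) for x in fields[:4])
    port = fields[4] * 256 + fields[5]   # port is sent as high byte, low byte
    return ip, port

def check_pasv(reply, public_ip, pasv_range):
    """Return the problems an Internet client would hit with this reply.

    public_ip  - the router's outside address that port 21 is forwarded from
    pasv_range - (low, high) TCP range the router forwards for data connections
    """
    ip, port = parse_pasv(reply)
    addr = ipaddress.ip_address(ip)
    low, high = pasv_range
    problems = []
    if any(addr in net for net in RFC1918):
        problems.append("advertises private address %s; set pasv_address=%s" % (ip, public_ip))
    elif ip != public_ip:
        problems.append("advertises %s, but the forwarded address is %s" % (ip, public_ip))
    if not low <= port <= high:
        problems.append("advertises port %d outside the forwarded range %d-%d; "
                        "set pasv_min_port/pasv_max_port to match" % (port, low, high))
    return problems

if __name__ == "__main__":
    # Constructed replies; the addresses and range are assumptions, not the poster's.
    for reply in ("227 Entering Passive Mode (192,168,1,10,39,106).",
                  "227 Entering Passive Mode (203,0,113,5,39,116)."):
        print(reply, "->", check_pasv(reply, "203.0.113.5", (10090, 10100)) or ["ok"])
```

Feed it the 227 line from an `ftp -d` or `curl -v` session against the public address; the first reply above is the pattern you see when pasv_address is unset.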