FTP Behind a Firewall

Making the ports predictable

When you are forwarding ports, either locally or at a border firewall, you need to make the high-numbered data ports predictable. This is usually an FTP server setting that restricts the passive data ports to a fixed range (see the pure-ftpd config).

Configure your Firewall (using UFW)

To support both active and passive client connections (think client - server: the client is active, the server is passive) you need to allow that range of ports you set above through the firewall. The example below is for UFW and pure-ftpd.


cd /etc/ufw/applications.d
sudo touch pure-ftpd
sudo vi pure-ftpd

Content of the pure-ftpd file

description=Simple FTP and FTPS Server

Enabling the new application profile

sudo ufw allow from any to any app pure-ftpd


You can capture the iptables rules before and after to confirm that the rule is in place

sudo iptables -L > ~/before

... (run the ufw allow command from above)

sudo iptables -L > ~/after
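The steps above, worked through as one script. This is an added example, not code from the page or from the pure-ftpd or UFW projects: it checks that a passive port range is sane, renders the complete UFW application profile (the page shows only the description line; a profile also needs the [pure-ftpd] section header, a title and a ports line), and wraps the enable and before/after iptables commands in functions so they can be run by hand as root. The range 30000-30100 is a constructed sample value; use the PassivePortRange you configured in pure-ftpd. The function names are this example's own.

```shell
#!/bin/sh
# Added example: build and enable a UFW application profile for pure-ftpd
# whose ports line matches the passive range configured in pure-ftpd.

# Check that a passive range is two numbers, LOW <= HIGH, both above the
# well-known ports and within 1..65535. pure-ftpd's PassivePortRange takes
# the same two numbers ("30000 30100").
passive_range_ok() {
    low=$1; high=$2
    [ -n "$low" ] && [ -n "$high" ] || return 1
    case "$low$high" in *[!0-9]*) return 1;; esac
    [ "$low" -ge 1024 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ]
}

# Render the profile for /etc/ufw/applications.d/pure-ftpd.
# UFW separates port entries with "|" and writes a range as LOW:HIGH.
# Port 21 is the control channel; the range is the passive data channel.
render_profile() {
    low=$1; high=$2
    printf '%s\n' \
        '[pure-ftpd]' \
        'title=Pure-FTPd' \
        'description=Simple FTP and FTPS Server' \
        "ports=21/tcp|${low}:${high}/tcp"
}

# Write the profile, make ufw re-read it, and allow it (needs root).
install_profile() {
    render_profile "$1" "$2" | sudo tee /etc/ufw/applications.d/pure-ftpd >/dev/null
    sudo ufw app update pure-ftpd
    sudo ufw allow from any to any app pure-ftpd
}

# Snapshot the iptables rules, enable the profile, snapshot again and diff;
# the new ACCEPT entries show up in the ufw-user-input chain.
show_rule_diff() {
    sudo iptables -L > ~/before
    install_profile "$1" "$2"
    sudo iptables -L > ~/after
    diff ~/before ~/after
}

# Constructed sample range; replace with your own PassivePortRange values.
PASSIVE_LOW=30000
PASSIVE_HIGH=30100

if passive_range_ok "$PASSIVE_LOW" "$PASSIVE_HIGH"; then
    # Only renders the profile; call show_rule_diff "$PASSIVE_LOW" "$PASSIVE_HIGH"
    # as root to actually install and enable it.
    render_profile "$PASSIVE_LOW" "$PASSIVE_HIGH"
else
    echo "passive range $PASSIVE_LOW-$PASSIVE_HIGH is not valid" >&2
fi
```

Two things to keep in mind when reviewing the result: the control channel of an FTPS session is encrypted, so the firewall cannot read the PASV replies and open data ports on demand, which is why the fixed range has to be opened explicitly; and when the server sits behind NAT, pure-ftpd's ForcePassiveIP setting is what makes it advertise the public address in those replies rather than its private one.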