FTP Behind a Firewall

Making the ports predictable

When you are forwarding ports, either locally or at a border firewall, you need to make the high-numbered data ports predictable. This is usually done with an FTP server setting that limits them to a fixed range of ports (see the pure-ftpd config); that range is what the firewall rule below has to open.

Configure your Firewall (using UFW)

To support both active and passive client connections (think client/server: in passive mode the client opens the data connection to one of the server's high-numbered ports, so the server must be reachable on them), you need to allow traffic through the range of ports you set above. The example below is for UFW and pure-ftpd.

Commands:

cd /etc/ufw/applications.d
sudo touch pure-ftpd
sudo vi pure-ftpd

Content of the pure-ftpd file

[pure-ftpd]
title=pure-ftpd
description=Simple FTP and FTPS Server
ports=21,4500:4600/tcp


Enabling the new application profile

sudo ufw allow from 132.235.0.0/16 to any app pure-ftpd
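
The profile above only works if its port range is the same one pure-ftpd actually hands out to passive clients. The script below is an added example, not from the original page: it reads the PassivePortRange directive (pure-ftpd's directive name; the config snippet is constructed) and generates the UFW profile from it, then checks that a given profile's data range matches, so a firewall range that drifts from the server's range is caught before passive transfers start hanging.

```sh
#!/bin/sh
# Added example: derive the UFW application profile for pure-ftpd from its
# PassivePortRange directive and verify the two ranges agree.
# Assumes the directive form "PassivePortRange LOW HIGH"; the config text is
# a constructed sample, no real file and no ufw command is touched.

# Constructed sample of the relevant lines from pure-ftpd.conf
SAMPLE_CONF='# Port range for passive connections replies.
# PassivePortRange 30000 30100
PassivePortRange 4500 4600
'

# passive_range <config-text>: prints "LOW HIGH" from the last uncommented
# PassivePortRange line, nothing if the directive is absent
passive_range() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "passiveportrange" && NF >= 3 { low = $2; high = $3 }
        END { if (low != "") print low, high }'
}

# ufw_profile <low> <high>: prints the /etc/ufw/applications.d profile body
# (control port 21 plus the passive data range, all TCP)
ufw_profile() {
    printf '[pure-ftpd]\ntitle=pure-ftpd\n'
    printf 'description=Simple FTP and FTPS Server\n'
    printf 'ports=21,%s:%s/tcp\n' "$1" "$2"
}

# range_matches <profile-text> <low> <high>: returns 0 when the profile's
# ports= line contains exactly the range low:high/tcp, 1 otherwise
range_matches() {
    ports=$(printf '%s\n' "$1" | sed -n 's/^ports=//p')
    case ",$ports," in
        *",$2:$3/tcp,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: emit the profile that matches the sample config
set -- $(passive_range "$SAMPLE_CONF")
[ -n "$1" ] || { echo "no PassivePortRange found" >&2; exit 1; }
PROFILE=$(ufw_profile "$1" "$2")
printf '%s\n' "$PROFILE"
range_matches "$PROFILE" "$1" "$2" && echo "firewall range matches server range"
```

Run it against the real pure-ftpd.conf by replacing SAMPLE_CONF with `$(cat /etc/pure-ftpd/pure-ftpd.conf)` and write the printed profile to /etc/ufw/applications.d/pure-ftpd.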

Testing

You can capture the rule set before and after to confirm the rule is in place, then compare the two files:

sudo iptables -L > ~/before

... (the ufw allow command above)

sudo iptables -L > ~/after