FTP Firewall Fix

My IPv6 FTP server was easy to access from within my LAN, but after I got to work, I realized I couldn’t complete a transfer, even in passive mode. In passive mode, the client must be able to initiate a command connection on port 21, but it must also be able to initiate a data connection on some other random unprivileged port. I opened up port 21 of course, but my firewall was blocking all the other ports.

So, I needed to open up some unprivileged ports, but which ones? I suppose I could open up all of them, but that seemed excessive. I believed 1000 ports would be enough. So, in /etc/vsftpd.conf on the ftp server, I set a passive port range of between 10000 and 11000:

pasv_min_port=10000
pasv_max_port=11000

Then I created a rule in the libreCMC firewall router, to allow access to these ports for traffic heading to the FTP server.


I was confused at first about how to create a rule with a port range rather than just a single port. But it is as simple as putting a range (e.g., 10000-11000) into the port field.
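A small check for the two settings above, added here as an example and not code from this post or from vsftpd: it reads the passive range out of a vsftpd.conf, pulls the data port a server announces in its EPSV (IPv6) or PASV reply, and confirms that port lies inside the range the firewall rule opens. The configuration text and the reply strings are constructed samples; the optional live check uses Python's standard ftplib and needs network access.

```python
import re
from ftplib import FTP

# Constructed sample of the relevant lines from /etc/vsftpd.conf.
SAMPLE_CONF = """\
listen=NO
listen_ipv6=YES
pasv_enable=YES
pasv_min_port=10000   # first port of the passive data range
pasv_max_port=11000   # last port of the passive data range
"""


def parse_vsftpd_pasv_range(conf_text):
    """Return (min, max) from vsftpd.conf text, or None if a key is missing."""
    ports = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        m = re.fullmatch(r"(pasv_(?:min|max)_port)\s*=\s*(\d+)", line)
        if m:
            ports[m.group(1)] = int(m.group(2))
    if "pasv_min_port" in ports and "pasv_max_port" in ports:
        return ports["pasv_min_port"], ports["pasv_max_port"]
    return None


def data_port_from_reply(reply):
    """Extract the data port from a passive-mode reply.

    EPSV (RFC 2428, what an IPv6 client uses): '229 ... (|||10042|)'
    PASV (RFC 959, IPv4 only): '227 ... (h1,h2,h3,h4,p1,p2)' -> p1*256 + p2
    """
    m = re.search(r"\(\|\|\|(\d+)\|\)", reply)
    if m:
        return int(m.group(1))
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if m:
        return int(m.group(5)) * 256 + int(m.group(6))
    raise ValueError("not a PASV/EPSV reply: %r" % reply)


def port_allowed(port, pasv_range):
    """True if the announced data port falls inside the firewall's opened range."""
    lo, hi = pasv_range
    return lo <= port <= hi


def firewall_port_field(pasv_range):
    """Value for the router rule's port field, e.g. '10000-11000'."""
    return "%d-%d" % pasv_range


def check_live_server(host, pasv_range):
    """Optional live check: log in anonymously, ask for EPSV, verify the port."""
    with FTP(host, timeout=10) as ftp:
        ftp.login()
        return port_allowed(data_port_from_reply(ftp.sendcmd("EPSV")), pasv_range)
```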

So, now my FTP server is accessible from the Internet in PASV (passive) mode, though still only through IPv6:

ftp://lavender.qlfiles.net or

ftpes://lavender.qlfiles.net (encrypted, through FileZilla).

For a good read on Active vs. Passive FTP, see Active FTP vs. Passive FTP, a Definitive Explanation.
