HP-UX IPFilter Version A.03.05.12 Administrator's Guide: HP-UX 11.0, HP-UX 11i version 1, HP-UX 11i version 2 > Chapter 6 IPFilter and FTP

Running an FTP Server


This section describes active FTP and passive FTP server setup.

Active FTP

FTP Server               Direction of Connection Initiated   FTP Client
port 21 (control port)   <----------------                   any port 1024 or higher
port 20 (data port)      ---------------->                   any port 1024 or higher

On an FTP server using active FTP, configure IPFilter rules to allow control connections in and data connections out.

For example:

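# Control connection: client (port > 1023) to server port 21
pass in quick proto tcp from any port > 1023 to <server-ip> port = 21 flags S keep state
# Data connection: server port 20 out to client (port > 1023)
pass out quick proto tcp from any port = 20 to any port > 1023 flags S keep state
# Block everything else in both directions
block in from any to any
block out from any to any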

Passive FTP

FTP Server                            Direction of Connection Initiated   FTP Client
port 21 (control port)                <----------------                   any port 1024 or higher
any port 1024 or higher (data port)   <----------------                   any port 1024 or higher

To use IPFilter to protect passive FTP sessions, you must limit the port range your system can use for FTP access. For example, you can allocate ports 15001-15500 as FTP ports and open only that range in your firewall. In WU-FTPD, use the passive ports directive in the /etc/ftpaccess configuration file to designate the ports, as follows:

passive ports <server-ip> 15001 15500

Refer to the ftpaccess(4) manpage for details on WU-FTPD configuration.

Configure the following IPFilter rules to let the passive FTP traffic pass:

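# Control connection: client (port > 1023) to server port 21
pass in quick proto tcp from any port > 1023 to <server-ip> port = 21 flags S keep state
# Passive data connection: "15000 >< 15501" matches ports 15001-15500
pass in quick proto tcp from any port > 1023 to <server-ip> port 15000 >< 15501 flags S keep state
# Block everything else in both directions
block in from any to any
block out from any to any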
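
The passive ports range in /etc/ftpaccess is inclusive, while the >< operator in the IPFilter rule excludes both endpoints, which is why 15001-15500 pairs with 15000 >< 15501. The following check is an added example, not part of the HP guide: it compares the two settings and reports any mismatch. The sample inputs are constructed, 192.0.2.10 is a placeholder for <server-ip>, and all function names are hypothetical.

```python
import re

# Constructed sample inputs modelled on the page's examples;
# 192.0.2.10 is a placeholder standing in for <server-ip>.
FTPACCESS = "passive ports 192.0.2.10 15001 15500\n"
IPF_CONF = """\
pass in quick proto tcp from any port > 1023 to 192.0.2.10 port = 21 flags S keep state
pass in quick proto tcp from any port > 1023 to 192.0.2.10 port 15000 ><15501 flags S keep state
block in from any to any
block out from any to any
"""

# Destination-port range written with the exclusive "><" operator.
DST_RANGE = re.compile(r"\bto\s+\S+\s+port\s+(\d+)\s*><\s*(\d+)")


def passive_range(ftpaccess):
    """Inclusive (min, max) from the first 'passive ports' directive, or None."""
    for line in ftpaccess.splitlines():
        fields = line.split("#")[0].split()
        if fields[:2] == ["passive", "ports"] and len(fields) >= 5:
            return int(fields[3]), int(fields[4])
    return None


def ipf_open_ports(ipf_conf):
    """Set of destination ports opened by 'pass in' rules that use '><'."""
    ports = set()
    for line in ipf_conf.splitlines():
        rule = line.split("#")[0].strip()
        m = DST_RANGE.search(rule)
        if rule.startswith("pass in") and m:
            lo, hi = int(m.group(1)), int(m.group(2))
            ports.update(range(lo + 1, hi))  # "><" excludes both endpoints
    return ports


def compare(ftpaccess, ipf_conf):
    """Ports the FTP daemon may use but ipf blocks, and ports ipf opens needlessly."""
    rng = passive_range(ftpaccess)
    wanted = set(range(rng[0], rng[1] + 1)) if rng else set()
    opened = ipf_open_ports(ipf_conf)
    return {"blocked": sorted(wanted - opened), "unneeded": sorted(opened - wanted)}


if __name__ == "__main__":
    print(compare(FTPACCESS, IPF_CONF))
```

A non-empty "blocked" list means some passive data connections will fail; a non-empty "unneeded" list means the firewall exposes ports the FTP daemon never uses.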
© 2001-2005 Hewlett-Packard Development Company, L.P.