PF Firewall Open FTP Port 21 (PASSIVE Configuration)

Question: I’ve vsftpd ftp server configured under FreeBSD 7.x and PF firewall. Both PF and FTP server running on a dedicated FreeBSD web server. How do I configure PASSIVE FTP PF firewall configuration so that my vsftpd work? How do I configure PF firewall to protect an FTP server and open port 21?

Answer: You can easily open port with PF firewall. However, you need to make few changes to VSFTPD server itself. When servicing a passive FTP connection, FTP will use a randomly chosen, high TCP port for incoming data. Open vsftpd.conf file:
# vi /usr/local/etc/vsftpd.conf
Append following two config directive to setup ftp port ranges:
pasv_min_port=49152
pasv_max_port=65535
Save and close the file. Restart vsftpd:
# /usr/local/etc/rc.d/vsftpd restart

PF firewall configuration – Open port 21

Open pf.conf file:
# vi /etc/pf.conf
Append following two rules (202.54.1.2 is FTP server IP address):
pass in on $ext_if proto tcp from any to 202.54.1.2 port 21 flags S/SA synproxy state
pass in on $ext_if proto tcp from any to 202.54.1.2 port > 49151 keep state

Make sure outgoing connection tracking also exists:
# keep stats of outgoing connections
pass out keep state
Save and close the file. Reload PF firewall:
# /etc/rc.d/pf reload