PF Firewall Open FTP Port 21 (PASSIVE Configuration)

Question: I've a vsftpd FTP server configured under FreeBSD 7.x and the PF firewall. Both PF and the FTP server run on a dedicated FreeBSD web server. How do I configure passive FTP in the PF firewall so that my vsftpd works? How do I configure the PF firewall to protect an FTP server and open port 21?

Answer: You can easily open the port with the PF firewall. However, you also need to make a few changes to the vsftpd server itself. When servicing a passive FTP connection, FTP uses a randomly chosen high TCP port for the incoming data connection, so you must pin that range in vsftpd and allow the same range in PF. Open the vsftpd.conf file:
# vi /usr/local/etc/vsftpd.conf
Append the following two config directives to set the passive port range:
pasv_min_port=49152
pasv_max_port=65535

Save and close the file. Restart vsftpd:
# /usr/local/etc/rc.d/vsftpd restart

PF firewall configuration – Open port 21

Open pf.conf file:
# vi /etc/pf.conf
Append the following two rules (202.54.1.2 is the FTP server IP address; the first rule covers the control connection, the second the passive data ports chosen from the range above):
pass in on $ext_if proto tcp from any to 202.54.1.2 port 21 flags S/SA synproxy state
pass in on $ext_if proto tcp from any to 202.54.1.2 port > 49151 keep state

Make sure a rule that tracks outgoing connections also exists:
# keep state for outgoing connections
pass out keep state

Save and close the file. Reload PF firewall:
# /etc/rc.d/pf reload
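The most common failure with this setup is the PF rule and the vsftpd pasv_min_port/pasv_max_port values drifting apart. As an added example (not code from the original article), the following POSIX sh script reads the range that is actually set in vsftpd.conf, validates it, and prints matching PF rules using an explicit port range instead of "port > 49151", so nothing outside the vsftpd range is opened. The conf path, the server IP and the $ext_if macro are assumed inputs.

```shell
#!/bin/sh
# Added example: derive PF passive-data rules from vsftpd.conf.
# Assumes: $1 = path to vsftpd.conf, $2 = FTP server IP, $ext_if set in pf.conf.

# Print the numeric value of a vsftpd.conf key (last assignment wins; comments ignored).
vsftpd_get() {
    # $1 = conf file, $2 = key name
    sed -n "s/^[[:space:]]*$2=\([0-9]*\)[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# Validate the passive range: both keys set, unprivileged, min <= max <= 65535.
pasv_range_ok() {
    # $1 = pasv_min_port, $2 = pasv_max_port
    [ -n "$1" ] && [ -n "$2" ] || return 1
    [ "$1" -ge 1024 ] && [ "$1" -le "$2" ] && [ "$2" -le 65535 ]
}

# Emit the control-port rule and a data-port rule limited to the vsftpd range.
pf_rules_from_vsftpd() {
    # $1 = vsftpd.conf path, $2 = FTP server IP
    min=$(vsftpd_get "$1" pasv_min_port)
    max=$(vsftpd_get "$1" pasv_max_port)
    pasv_range_ok "$min" "$max" || { echo "bad or missing pasv range in $1" >&2; return 1; }
    printf 'pass in on $ext_if proto tcp from any to %s port 21 flags S/SA synproxy state\n' "$2"
    printf 'pass in on $ext_if proto tcp from any to %s port %s:%s keep state\n' "$2" "$min" "$max"
}

# Constructed sample vsftpd.conf so the script runs stand-alone.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample, not a real server config
listen=YES
pasv_enable=YES
pasv_min_port=49152
pasv_max_port=65535
EOF
pf_rules_from_vsftpd "$SAMPLE_CONF" 202.54.1.2
rm -f "$SAMPLE_CONF"
```

Paste the printed rules into /etc/pf.conf and check them with `pfctl -nf /etc/pf.conf` before reloading.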

1 comment
  • bastian Dec 8, 2010 @ 23:02

    How can I block port 22 to the public and allow a specific IP address in the PF firewall?
