PF Firewall Open FTP Port 21 (PASSIVE Configuration)

Question: I’ve vsftpd ftp server configured under FreeBSD 7.x and PF firewall. Both PF and FTP server running on a dedicated FreeBSD web server. How do I configure PASSIVE FTP PF firewall configuration so that my vsftpd work? How do I configure PF firewall to protect an FTP server and open port 21?

Answer: You can easily open port with PF firewall. However, you need to make few changes to VSFTPD server itself. When servicing a passive FTP connection, FTP will use a randomly chosen, high TCP port for incoming data. Open vsftpd.conf file:
# vi /usr/local/etc/vsftpd.conf
Append following two config directive to setup ftp port ranges:
pasv_min_port=49152
pasv_max_port=65535

Save and close the file. Restart vsftpd:
# /usr/local/etc/rc.d/vsftpd restart

Advertisement

PF firewall configuration – Open port 21

Open pf.conf file:
# vi /etc/pf.conf
Append following two rules (202.54.1.2 is FTP server IP address):
pass in on $ext_if proto tcp from any to 202.54.1.2 port 21 flags S/SA synproxy state
pass in on $ext_if proto tcp from any to 202.54.1.2 port > 49151 keep state

Make sure outgoing connection tracking also exists:
# keep stats of outgoing connections
pass out keep state

Save and close the file. Reload PF firewall:
# /etc/rc.d/pf reload

🥺 Was this helpful? Please add a comment to show your appreciation or feedback.

nixCrat Tux Pixel Penguin
Hi! 🤠
I'm Vivek Gite, and I write about Linux, macOS, Unix, IT, programming, infosec, and open source. Subscribe to my RSS feed or email newsletter for updates.

1 comment… add one
  • bastian Dec 8, 2010 @ 23:02

    How can i block port 22 to public and allow to specific ip address in pf firewall

Leave a Reply

Your email address will not be published. Required fields are marked *

Use HTML <pre>...</pre> for code samples. Your comment will appear only after approval by the site admin.