Vsftpd Set Download Only Anonymous Internet Server

This example shows how you might set up a large internet-facing FTP site for distributing files or software updates. The emphasis is on security and performance. VSFTPD will make sure only world-readable files and directories are served to the world via the anonymous / ftp account. You force active-mode (PORT) data connections to originate from a secure port, so users on the FTP server cannot try to fake file content. You hide the FTP server user IDs and just display "ftp" in directory listings; this is also a performance boost. Finally, you set a 40000-60000 port range for passive connections, which keeps the firewall setup simple.


  • The default ports – 21 (control) and 20 (active-mode data)
  • The default directory for your files – /var/ftp/pub for anonymous access. By default all users are chrooted to /var/ftp and they are not allowed to change out of that directory.
  • Anonymous login details – use anonymous / anonymous or ftp / ftp as the username / password combination.

FTP Server Configuration

Edit the vsftpd configuration file, enter:
# vi /etc/vsftpd/vsftpd.conf
Add or correct the following configuration options.
Only allow anonymous FTP access:


Disable local user logins to the FTP server:


Disable file uploads and all write permission on the FTP server:


Only serve files that are readable by the rest of the world:


Turn on logging:

# Do not allow the use of "ls -R", which can consume a lot of resources

Set performance options:

# Use one process per connection to gain performance.
# This supports huge numbers of simultaneously connected users.
# The timeout, in seconds, which is the maximum time a remote client may spend
# between FTP commands.  If the timeout triggers, the remote client is kicked off.
# The timeout, in seconds, which is roughly the maximum time we permit data
# transfers to stall for with no progress.  If the timeout triggers, the remote client
# is kicked off.
# The timeout, in seconds, for a remote client to establish connection with
# a PASV style data connection.
# The timeout, in seconds, for a remote client to respond to our PORT
# style data connection.
# The maximum data transfer rate permitted, in bytes per second,
# for anonymous clients.

Restart the ftp server:
# service vsftpd restart

Sample Iptables Rules to Open Passive FTP Port Ranges

Add the following rules to your firewall shell script:

$IPT -I INPUT -m state --state NEW -j ACCEPT -p tcp -m multiport --ports 40000:60000

If you are using /etc/sysconfig/iptables, add the following lines, ensuring that they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT:

-A RH-Firewall-1-INPUT -m state --state NEW -j ACCEPT -p tcp -m multiport --ports 40000:60000

Save and close the file. Restart the firewall and vsftpd:
# service vsftpd restart
# service iptables restart

FTP Server Protected by an External *BSD PF Firewall Running NAT

In this case, the firewall must redirect traffic to the VSFTPD FTP server (running on RHEL) in addition to not blocking the required ports. To accomplish this, you need to use ftp-proxy.

ftp-proxy can be run in a mode that causes it to forward all FTP connections to a specific FTP server. Basically, we'll set up the proxy to listen on port 21 of the firewall and forward all connections to the back-end server.

Edit /etc/rc.conf.local (FreeBSD users should use /etc/rc.conf) and add the following:

ftpproxy_flags="-R -p 21 -b"


  • – the IP address of the actual RHEL VSFTPD FTP server (the -R argument).
  • 21 – the port we want ftp-proxy to listen on.
  • – the address on the firewall that we want the proxy to bind to (the -b argument).

Next, update your /etc/pf.conf as follows:

ext_ip = ""
ftp_server_ip = ""
nat-anchor "ftp-proxy/*"
nat on $ext_if inet from $int_if -> ($ext_if)
rdr-anchor "ftp-proxy/*"
pass in on $ext_if inet proto tcp to $ext_ip port 21 flags S/SA keep state
pass out on $int_if inet proto tcp to $ftp_server_ip port 21 user proxy flags S/SA keep state
anchor "ftp-proxy/*"

Check the syntax and reload the pf firewall rules:
# pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf

  • raju Jul 25, 2012 @ 9:14

    Instead of /var/ftp/pub, I want the user to traverse to another directory.

    1. I tried changing ftp user home directory in /etc/passwd
    2. Created usergroup ftpusers & gave permissions(chown,chmod) for the directory to be accessible by that group.
    Still it doesn't work.

    Is it possible to make it work?

  • talha jilal Feb 13, 2014 @ 3:57

    You need to change your SELinux settings.

    • Stome Feb 25, 2014 @ 3:23

      Dear Talha jilal,
      I have the same problem as raju too. I am new to Linux systems, so what should I change in SELinux, please?
      Stome, Cambodia
