Home » Blogs » sandip's blog

Configure passive ports range for ProFTPd

Submitted by sandip on Fri, 06/12/2009 - 14:23

Usually, if a client is behind firewall, they can only trasfer files via a passive ftp connection.

Edit /etc/proftpd.conf and specify the passive ports range. Place it in the 'Global' container:

</Global>
...
...
# Use the IANA registered ephemeral port range
PassivePorts 49152 65534
</Global>

Reference: proftpd.org

Load the ip_conntrack_ftp module and iptables rules, so the ports automatically open to the connected client:

# /sbin/modprobe ip_conntrack_ftp
#  lsmod | grep conntrack_ftp
ip_conntrack_ftp       41489  0
ip_conntrack           91237  4 xt_state,xt_conntrack,ip_conntrack_ftp,ip_conntrack_irc

Add the below iptables rules:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

If the server is beind NAT, ip_nat_ftp module also should be loaded:

# /sbin/modprobe ip_nat_ftp

Bookmark/Search this post with
  • del.icio.us
  • Digg
  • Facebook
  • identi.ca
  • LinkedIn
  • SlashDot
  • StumbleUpon
  • Technorati
  • Twitter
»

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

conntrack and ftps

Submitted by sandip on Tue, 09/14/2010 - 12:19.

Connection tracking will not work with secure ftp protocol using TLS/SSL and the specific passive ports will need to be opened at the firewall.

»
Comment