# IPFW and FTP



## carlhako (Mar 27, 2012)

Hi

I have a VPS configured running a fairly simple configuration: Web, SSH and FTP access. SSH and HTTP access is fine; I am just having a lot of trouble with FTP. It will connect but fails the connection when requesting a list of files. From what I read on the FTP protocol it appears to be the second connection that is failing, which is outbound TCP port 20 to a random destination port. Rule 400 should allow this?

I know the firewall is working as SSH and HTTP did not work until I added the rules in. Also before enabling the firewall I had the server totally open at which time FTP worked fine.

Here is my current IPFW configuration script.


```sh
#!/bin/sh

# Start from an empty ruleset.
ipfw -q flush

cmd="ipfw -q add"

# Inbound control connections to SSH, HTTP and FTP (port 21); replies are
# covered by the dynamic state each rule creates.
$cmd 00100 allow tcp from any to me 22 in setup keep-state
$cmd 00200 allow tcp from any to me 80 in setup keep-state
$cmd 00300 allow tcp from any to me 21 in keep-state
# Any outbound TCP/UDP the server itself initiates (this is what an
# active-mode data connection from port 20 matches).
$cmd 00400 allow tcp from any to any out keep-state
$cmd 00500 allow udp from any to any out keep-state
```


and what I have in /etc/rc.conf regarding firewall:

```
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.config"
```

Running 8.2-RELEASE generic kernel.

The other thing I might add is I use ftp for ease of remote developing. Notepad++ has a built in ftp addon which works quite well.


----------



## SirDice (Mar 27, 2012)

carlhako said:

> I have a VPS configured running a fairly simple configuration: Web, SSH and FTP access. SSH and HTTP access is fine; I am just having a lot of trouble with FTP. It will connect but fails the connection when requesting a list of files.


There's a difference between active and passive FTP, i.e. which side opens the data connection. Problems arise when both the server and the client are firewalled.

http://slacksite.com/other/ftp.html
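To make the active/passive distinction concrete against the ruleset posted above, here is an added example (not from either poster): it models the five ipfw rules as a simple first-match table, parses the `227` reply a server sends after `PASV`, and reports which rule, if any, admits the data connection in each mode. The rule table and the sample `227` reply are constructed for the example; the FTP port encoding (`p1*256 + p2`) is from RFC 959.

```python
import re

# Constructed model of the five ipfw rules posted in the thread, seen from the
# server: (rule number, protocol, direction, destination port or None for "any").
# All five are "allow ... keep-state", so only the packet that opens a
# connection has to match; replies ride on the dynamic state.
SERVER_RULES = [
    (100, "tcp", "in", 22),
    (200, "tcp", "in", 80),
    (300, "tcp", "in", 21),
    (400, "tcp", "out", None),
    (500, "udp", "out", None),
]

def first_matching_rule(proto, direction, dst_port):
    """Return the number of the first rule that allows a new connection with
    this protocol, direction (relative to the server) and destination port,
    or None when ipfw's implicit default deny applies."""
    for num, r_proto, r_dir, r_port in SERVER_RULES:
        if r_proto == proto and r_dir == direction and r_port in (None, dst_port):
            return num
    return None

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Parse a 227 reply into (ip, port); the data port is p1*256 + p2."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply")
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def data_connection_rule(mode, pasv_reply=None, client_port=None):
    """Which server-side rule admits the FTP data connection?
    passive: the client connects *in* to the port announced in the 227 reply.
    active: the server connects *out* from port 20 to the client's PORT value."""
    if mode == "passive":
        _, port = parse_pasv(pasv_reply)
        return first_matching_rule("tcp", "in", port)
    if mode == "active":
        return first_matching_rule("tcp", "out", client_port)
    raise ValueError(f"unknown mode {mode!r}")

if __name__ == "__main__":
    reply = "227 Entering Passive Mode (192,0,2,10,195,80)."  # constructed sample
    print("passive data connection allowed by rule:", data_connection_rule("passive", reply))
    print("active data connection allowed by rule:", data_connection_rule("active", client_port=54321))
```

With this ruleset the active-mode data connection matches rule 400 while the passive one hits the default deny, which is why a passive client stalls at the directory listing; the usual remedy is to pin the FTP daemon to a fixed passive port range and add an inbound `allow tcp ... in setup keep-state` rule for just that range.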


----------



## carlhako (Mar 27, 2012)

Trying to use Passive.

I just worked out the same plugin supports SFTP, which works fine over the default setup of OpenSSH. Although it would not work with a password, I had to generate a separate RSA private key, which seems to be working OK. It's a little slower than FTP but that's one less port I need to open up and fewer services to run.

Hope this helps someone else with a similar issue. Don't worry about FTP.


----------

