Introduction:
So you installed a firewall, but it seems to have crippled passive FTP connections. Your clients are complaining of timeouts and slow performance from the FTP server. These are all signs that your firewall and FTP server are not configured properly for passive FTP connections.
This how-to tries to explain things in a way that, even if you are not using the software mentioned below, you will still understand what you must do. It covers the following setup:
Firewall: APF
FTP Server: Pure-FTPD
What is a Passive FTP Connection?
When a client connects to an FTP server and wants to transfer a file or other data, a second connection (the data connection) must be opened alongside the control connection. A passive FTP connection is one where the client opens that data connection to the server, instead of the server connecting back to the client. This is necessary when the client is hidden behind a firewall or a router of some sort and cannot forward the needed ports to his machine.
What happens when the server is behind a firewall as well?
Since the client must connect to the server, there must be an accessible port for the client to use other than port 21 (the control port). The FTP server generally picks a random port within a certain range and tells the client to connect to it, but when the firewall is set up to block that port the connection cannot be made and the client times out.
So what can we do about this?
The firewall can be configured to leave a certain port range open for the FTP server. The FTP server must then be configured to use exactly that range, which is often referred to as the 'passive port range'. Every port in that range is reachable from outside, so keep it no larger than the number of simultaneous transfers you expect to handle and do not reuse it for any other service.
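When the server tells the client which port to use, it does so in the reply to the client's PASV command. The reply format is defined by RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", where the first four numbers are the server address and the port is p1*256 + p2. The script below is an added example, not part of the original how-to: it decodes such a reply and checks whether the advertised port falls inside the range you opened on the firewall, which is a quick way to confirm the two sides agree before a client reports a timeout. The function names and the sample reply are constructed for this example.

```shell
#!/bin/sh
# Added example: decode an FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# reply (format from RFC 959) and check that the advertised data port lies
# inside the passive range the firewall was opened for.

# pasv_port REPLY -> prints the data port encoded in the reply (p1*256 + p2)
pasv_port() {
    # keep only the comma-separated numbers between the parentheses
    fields=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$fields" ] || return 1
    oldifs=$IFS
    IFS=','
    # shellcheck disable=SC2086
    set -- $fields
    IFS=$oldifs
    # a well-formed reply carries exactly four address octets and two port octets
    [ $# -eq 6 ] || return 1
    echo $(( $5 * 256 + $6 ))
}

# pasv_in_range REPLY LOW HIGH -> 0 if the advertised port is within [LOW, HIGH],
# 1 if it is outside, 2 if the reply could not be decoded
pasv_in_range() {
    port=$(pasv_port "$1") || return 2
    [ "$port" -ge "$2" ] && [ "$port" -le "$3" ]
}

# Constructed sample reply: a server at 192.0.2.10 advertising port 137*256 + 46 = 35118
SAMPLE_REPLY='227 Entering Passive Mode (192,0,2,10,137,46)'

if pasv_in_range "$SAMPLE_REPLY" 35000 36000; then
    echo "data port $(pasv_port "$SAMPLE_REPLY") is inside the passive range"
else
    echo "data port $(pasv_port "$SAMPLE_REPLY") is OUTSIDE the passive range: check the firewall and FTP config"
fi
```

To use it against a real server, capture the 227 line from a client session (most command-line FTP clients print it in debug mode) and pass it to pasv_in_range together with the range you configured in APF.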
Setting up the firewall (APF):
1. Open your APF configuration file with your favorite editor. This configuration file is usually located at: /etc/apf/conf.apf
E.g.
vi /etc/apf/conf.apf
2. Select a port range to use for the passive FTP connection, and find the line that looks like this:
IG_TCP_CPORTS="20, 21, 22, 25, 53, 80, 110, 143, 443,
465, 993, 995, 2082, 2083, 2086, 2087, 2095, 2096, 3306"
If this list of ports already includes a port range above 20000, then you can skip ahead to configuring your FTP server, but remember the range listed. (20000 to 30000 would be written as 20000_30000.)
3. Add the port range to the end of the line and within the quotation marks ("). Remember that each port or port range is separated by a comma (,), and a port range from 35000 to 36000 is written as 35000_36000.
E.g.
IG_TCP_CPORTS="20, 21, 22, 25, 53, 80, 110, 143, 443,
465, 993, 995, 2082, 2083, 2086, 2087, 2095, 2096, 3306,
35000_36000"
4. Save and restart your firewall.
To restart your firewall:
/etc/init.d/apf restart
Setting up the FTP Server (Pure-FTPD):
There are two different config files your server may use. If you are using CPanel, then most likely it is located here:
/etc/sysconfig/pure-ftpd
If you are unable to find that file, or if your FTP server is set up to read a conf file, then most likely it is located here:
/etc/pure-ftpd.conf
Using: /etc/sysconfig/pure-ftpd
Look for a line containing: -p or --passiveportrange
If you do find it and it has been commented out with a '#' character then remove the '#' character in front of it.
Now just check that the port range listed is correct. Remember, port ranges listed here have a ':' character between the numbers, while APF uses a '_' character.
E.g. (if the port range is 35000 to 36000 and appears as 35000_36000 in the APF config file, then it should look like this)
--passiveportrange 35000:36000
or
-p 35000:36000
If you do not find it, then go to the end of the file, and add:
--passiveportrange
followed by the port range you had in the APF firewall config file, except replace the '_' character with a ':'.
So if the port range is 35000 to 36000 and appears as 35000_36000 in the APF config file, then you want to add 35000:36000.
E.g. (port range from 35000 to 36000)
--passiveportrange 35000:36000
When done, save the file and restart your FTP server.
E.g.
/etc/init.d/pure-ftpd restart
Using: /etc/pure-ftpd.conf
Look for a line containing: PassivePortRange
Ex.
# Port range for passive connections replies. - for firewalling.
#PassivePortRange 30000 40000
If there is a leading '#' character, remove it.
If the port range is incorrect, change it. The port range here has an actual space between the numbers, not a '_' character.
E.g. (the previous example becomes this)
# Port range for passive connections replies. - for firewalling.
PassivePortRange 35000 36000
Now save the file and restart your FTP server.
E.g.
/etc/init.d/pure-ftpd restart
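The three notations above (35000_36000 in APF, 35000:36000 in /etc/sysconfig/pure-ftpd, 35000 36000 in /etc/pure-ftpd.conf) are easy to get out of step, and a mismatch produces exactly the timeouts described in the introduction. The script below is an added example, not part of the original how-to or of either project: it reads the APF IG_TCP_CPORTS value (including the line-wrapped form shown above), reads the range from whichever Pure-FTPD file is in use, and reports whether they agree. The function names are my own, and the config files it checks are constructed samples written to a temporary directory so the script runs offline; point the two arguments of check_passive_config at /etc/apf/conf.apf and your real Pure-FTPD file to check a live server.

```shell
#!/bin/sh
# Added example, not part of the original how-to: verify that the passive range
# APF opens (IG_TCP_CPORTS, written LOW_HIGH) is the same range Pure-FTPD hands
# out (PassivePortRange LOW HIGH in pure-ftpd.conf, or -p / --passiveportrange
# LOW:HIGH in /etc/sysconfig/pure-ftpd).  Sample files below are constructed.

# apf_has_range CONF LOW HIGH -> 0 if IG_TCP_CPORTS contains the token LOW_HIGH
apf_has_range() {
    # the quoted value may wrap over several lines: collect from the
    # IG_TCP_CPORTS= line up to the line holding the closing quote, then
    # drop spaces, quotes and the variable name
    ports=$(awk '
        /^IG_TCP_CPORTS=/ { grab = 1 }
        grab { buf = buf $0; if ($0 ~ "\"[[:space:]]*$") { print buf; exit } }
    ' "$1" | tr -d ' "')
    ports=${ports#IG_TCP_CPORTS=}
    case ",$ports," in
        *",$2_$3,"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# pureftpd_range CONF -> prints "LOW HIGH" from an uncommented PassivePortRange line
pureftpd_range() {
    awk '$1 == "PassivePortRange" { print $2, $3; exit }' "$1"
}

# sysconfig_range CONF -> prints "LOW HIGH" from "-p LOW:HIGH" or
# "--passiveportrange LOW:HIGH" (also accepts --passiveportrange=LOW:HIGH)
sysconfig_range() {
    awk '
        /^[[:space:]]*#/ { next }
        {
            for (i = 1; i <= NF; i++) {
                v = ""
                if ($i == "-p" || $i == "--passiveportrange") v = $(i + 1)
                else if (sub(/^--passiveportrange=/, "", $i)) v = $i
                if (v != "" && split(v, r, ":") == 2) { print r[1], r[2]; exit }
            }
        }
    ' "$1"
}

# check_passive_config APF_CONF FTP_CONF -> 0 if both sides agree on the range
check_passive_config() {
    range=$(pureftpd_range "$2")
    [ -n "$range" ] || range=$(sysconfig_range "$2")
    if [ -z "$range" ]; then
        echo "no passive port range configured in $2" >&2
        return 1
    fi
    low=${range% *}
    high=${range#* }
    if apf_has_range "$1" "$low" "$high"; then
        echo "OK: APF opens ${low}_${high} and Pure-FTPD hands out ${low}:${high}"
        return 0
    fi
    echo "MISMATCH: Pure-FTPD hands out ${low}:${high} but IG_TCP_CPORTS in $1 lacks ${low}_${high}" >&2
    return 1
}

# write_samples DIR -> writes constructed sample config files into DIR
write_samples() {
cat > "$1/conf.apf" <<'EOF'
# constructed sample of /etc/apf/conf.apf
IG_TCP_CPORTS="20, 21, 22, 25, 53, 80, 110, 143, 443,
465, 993, 995, 2082, 2083, 2086, 2087, 2095, 2096, 3306,
35000_36000"
EOF
cat > "$1/pure-ftpd.conf" <<'EOF'
# constructed sample of /etc/pure-ftpd.conf, range set to match APF
# Port range for passive connections replies. - for firewalling.
PassivePortRange 35000 36000
EOF
cat > "$1/pure-ftpd.sysconfig" <<'EOF'
# constructed sample of /etc/sysconfig/pure-ftpd left at a range APF does not open
--passiveportrange 30000:40000
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_passive_config "$tmp/conf.apf" "$tmp/pure-ftpd.conf"            # matching pair
check_passive_config "$tmp/conf.apf" "$tmp/pure-ftpd.sysconfig" || :  # mismatch is reported
rm -rf "$tmp"
```

Run it after both restarts; a MISMATCH line means clients will get the 227 reply but their data connection will be dropped by APF, which is the timeout described at the top of this how-to.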