My Working FTP Setup for FTP and SFTP and FTPES
So I have tested this for:
FTP
FTP Passive
SFTP
FTPES
FTPS (this is implicit FTP on port 990, and my vsftpd server is set to port 21)

My Setup:
Internet --------- Virtual IP (pfSense 1.2.1) DMZ --------- FTP Server (vsftpd)
Enable FTP Helper:
WAN: Enable FTP Helper
DMZ: Enable FTP Helper

NAT:
If   Proto  Ext. port range    NAT IP      Int. port range    Description
WAN  TCP    ftp_server_access  ftp_server  ftp_server_access  FTP Access to the ftp server
(ex. XXX.XXX.XXX.XXX)

WAN Rules:
Proto  Source  Port  Destination  Port               Gateway  Description
TCP    *       *     ftp_server   ftp_server_access  *        NAT FTP Access to the ftp server

Aliases:
Name               Values                   Description
ftp_server         192.168.0.101            ftp server
ftp_server_access  21, 22, 20, 12000:12100  Access for ftp server

To help chroot SSH users I also installed http://chrootssh.sourceforge.net/
This prevents access to the entire file system on the server.
Leaves SFTP access to the intended directory.

Here is my vsftpd.conf file:
#ftp_username names the account used for anonymous FTP; unused here because anonymous_enable=NO
ftp_username=root
listen=YES
listen_ipv6=NO
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
#vsftpd expects a bare IP address here, with no quotes or spaces
pasv_address=YOUR_EXTERNAL_IP_ADDRESS_HERE
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
idle_session_timeout=600
data_connection_timeout=120
#Welcome Banner
ftpd_banner=Welcome to FTP service.
deny_email_enable=NO
chroot_local_user=YES
#With chroot_local_user=YES, a chroot list (if enabled) would be a list of users to NOT chroot().
chroot_list_enable=NO
secure_chroot_dir=/var/run/vsftpd
#Authentication is done through PAM to ISP config
pam_service_name=vsftpd
#This hides the .filenames in the folders
force_dot_files=NO
#Enable SSL, a very good thing
ssl_enable=YES
allow_anon_ssl=NO
#Set up for SSL access connections
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
#Have to leave these as NO so that the web-ftp in ispconfig can access ftp folders
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
#SSLv2 and SSLv3 are obsolete protocols; current vsftpd builds default both to NO
ssl_sslv2=YES
ssl_sslv3=YES
#Filezilla uses port 21 if you don't set any port
#in Servertype "FTPES - FTP over explicit TLS/SSL"
#Port 990 is the default used for FTPS protocol.
#Uncomment it if you want/have to use port 990.
#Since I can only use either 21 or 990 I will use port 21.
#I used a port forward on my firewall to match port 990 --> port 21
#listen_port=990
#I didn't use pasv because I only want people to use SFTP or FTPS.
#I only need FTP for the ISPConfig web interface which is on the local server.
#I should set up a rule to only allow local listening for FTP unsecure.
pasv_min_port=12000
pasv_max_port=12100
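An added consistency check, not part of the post: it parses a vsftpd.conf like the one above, expands the pfSense ftp_server_access alias, and reports any passive port the alias does not forward as well as the weak TLS settings (SSLv2/SSLv3 on, plaintext logins allowed). The sample config and ALIAS string are constructed for the example.

```python
# Constructed sample modelled on the config in this post
SAMPLE_CONF = """\
listen=YES
anonymous_enable=NO
pasv_min_port=12000
pasv_max_port=12100
ssl_enable=YES
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
"""
ALIAS = "21, 22, 20, 12000:12100"  # the pfSense ftp_server_access alias from the post

def parse_vsftpd_conf(text):
    """Return {key: value}; vsftpd ignores blank lines and lines starting with '#'."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def parse_alias_ports(alias):
    """Expand a pfSense port alias ('21, 22, 12000:12100') into a set of ports."""
    ports = set()
    for item in alias.split(","):
        lo, _, hi = item.strip().partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(conf, alias_ports):
    """List findings; empty means the passive range is forwarded and TLS is hardened."""
    findings = []
    lo, hi = int(conf.get("pasv_min_port", 0)), int(conf.get("pasv_max_port", 0))
    if lo == 0 or hi == 0:
        findings.append("passive range not pinned: NAT cannot forward a wildcard range")
    elif (missing := sorted(set(range(lo, hi + 1)) - alias_ports)):
        findings.append(f"{len(missing)} passive ports not in alias, first {missing[0]}")
    for key in ("ssl_sslv2", "ssl_sslv3"):  # vsftpd defaults both to NO
        if conf.get(key, "NO").upper() == "YES":
            findings.append(f"{key}=YES enables an obsolete protocol")
    if conf.get("ssl_enable", "NO").upper() == "YES":
        if conf.get("force_local_logins_ssl", "YES").upper() != "YES":
            findings.append("force_local_logins_ssl=NO permits plaintext logins")
    return findings
```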
1. pfSense and FTP passive FTP using these suggestions you mentioned with NAT and rules
2. change the settings of your FTP server to actually use the PASSIVE setting (consult your FTP server vendor's manual; in my case G6ftp)
Thanks to bits and pieces everywhere on these forums, PASSIVE is now working.
NOTE: From a security standpoint, PASSIVE FTP is more secure (thus better) because you do not have to open up outbound ports to ALL!