Netgate Discussion Forum
    My Working FTP Setup for FTP and SFTP and FTPES

newmember:

      So I have tested this for:

      FTP
      FTP Passive
      SFTP
      FTPES
FTPS (this is implicit FTP on port 990, and my vsftpd server is set to port 21)

      My Setup:

Internet --------- Virtual IP (pfSense 1.2.1) --- DMZ --------- FTP Server (vsftpd)

      Enable FTP Helper:
      WAN Enable FTP Helper
      DMZ Enable FTP Helper

      NAT:
If   Proto  Ext. port range    NAT IP                            Int. port range    Description
WAN  TCP    ftp_server_access  ftp_server (ex. XXX.XXX.XXX.XXX)  ftp_server_access  FTP access to the ftp server

      WAN Rules:
Proto  Source  Port  Destination  Port               Gateway  Description
TCP    *       *     ftp_server   ftp_server_access  *        NAT FTP access to the ftp server

      Aliases:
Name               Values                     Description
ftp_server         192.168.0.101              ftp server
ftp_server_access  21, 22, 20, 12000:12100    Access for ftp server

To help chroot SSH users I also installed http://chrootssh.sourceforge.net/
This prevents access to the entire file system on the server and leaves SFTP access limited to the intended directory.

      Here is my vsftpd.conf file:

```
ftp_username=root

listen=YES
listen_ipv6=NO
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022

# Placeholder: the public IP that PASV replies advertise to clients
pasv_address=YOUR_EXTERNAL_IP_ADDRESS_HERE
dirmessage_enable=YES

xferlog_enable=YES
connect_from_port_20=YES
idle_session_timeout=600
data_connection_timeout=120

# Welcome banner
ftpd_banner=Welcome to FTP service.
deny_email_enable=NO
chroot_local_user=YES

# users to NOT chroot().
chroot_list_enable=NO

secure_chroot_dir=/var/run/vsftpd

# Authentication is done through PAM to ISPConfig
pam_service_name=vsftpd

# This hides the .filenames in the folders
force_dot_files=NO

# Enable SSL, a very good thing
ssl_enable=YES
allow_anon_ssl=NO

# Set up for SSL access connections
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

# Have to leave these as NO so that the web-ftp in ISPConfig can access ftp folders
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES

# FileZilla uses port 21 if you don't set any port
# in Servertype "FTPES - FTP over explicit TLS/SSL".
# Port 990 is the default used for the FTPS protocol.
# Uncomment it if you want/have to use port 990.
# Since I can only use either 21 or 990 I will use port 21.
# I used a port forward on my firewall to match port 990 --> port 21
#listen_port=990

# I didn't use pasv because I only want people to use SFTP or FTPS.
# I only need FTP for the ISPConfig web interface which is on the local server.
# I should set up a rule to only allow local listening for FTP unsecure.
pasv_min_port=12000
pasv_max_port=12100
```

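As an added example (not part of the post above), a small Python check that the ports vsftpd actually uses, the control port and the PASV range, are covered by the ftp_server_access alias that the NAT rule forwards, and that no obsolete SSL version is left enabled. The alias string and the config excerpt are constructed from the values in the post; vsftpd's defaults for listen_port, pasv_min_port and pasv_max_port (21, 0, 0) are assumed.

```python
# Constructed sample: the alias from the post and a config excerpt.
FTP_SERVER_ACCESS = "21, 22, 20, 12000:12100"
VSFTPD_CONF = """\
listen=YES
# listen_port=990
pasv_min_port=12000
pasv_max_port=12100
ssl_enable=YES
ssl_sslv2=YES
ssl_sslv3=YES
"""

def parse_alias_ports(alias):
    """Expand a pfSense port alias ('21, 22, 12000:12100') into a set of ints."""
    ports = set()
    for item in alias.split(","):
        item = item.strip()
        if ":" in item:
            lo, hi = (int(x) for x in item.split(":"))
            ports.update(range(lo, hi + 1))
        elif item:
            ports.add(int(item))
    return ports

def parse_vsftpd_conf(text):
    """Return active key=value pairs; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def check_ftp_exposure(conf_text, alias):
    """Return findings: ports the firewall alias does not cover, and
    obsolete SSL versions still enabled (vsftpd defaults assumed: 21, 0, 0)."""
    conf, allowed, findings = parse_vsftpd_conf(conf_text), parse_alias_ports(alias), []
    listen_port = int(conf.get("listen_port", 21))
    if listen_port not in allowed:
        findings.append(f"control port {listen_port} not in alias")
    lo, hi = int(conf.get("pasv_min_port", 0)), int(conf.get("pasv_max_port", 0))
    missing = [p for p in range(lo, hi + 1) if p not in allowed] if lo and hi else []
    if missing:
        findings.append(f"{len(missing)} passive ports not forwarded (first {missing[0]})")
    for opt in ("ssl_sslv2", "ssl_sslv3"):
        if conf.get(opt, "NO").upper() == "YES":
            findings.append(f"{opt}=YES enables an obsolete protocol version")
    return findings
```

Run against the sample, the only findings are the two SSLv2/SSLv3 lines; uncommenting listen_port=990 adds a finding, since 990 is not in the alias and the post relies on a separate 990 --> 21 forward.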
scottnguyen:

1. pfSense and passive FTP using these suggestions you mentioned with NAT and rules
2. Change the settings of your FTP server to actually use the PASSIVE setting (consult your FTP server vendor's manual; in my case G6ftp)

Thanks to bits and pieces everywhere on these forums, PASSIVE is now working.

NOTE: From a security standpoint, PASSIVE FTP is more secure (thus better) because you do not have to open up outbound ports to ALL!

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.