My Working FTP Setup for FTP and SFTP and FTPES



  • So I have tested this for:

    FTP
    FTP Passive
    SFTP
    FTPES
    FTPS  (this is implicit FTP on port 990, and my vsftpd server is set to port 21)

    My Setup:

    Internet ---------- Virtual IP (pfSense 1.2.1) DMZ ---------- FTP Server (vsftpd)

    Enable FTP Helper:
    WAN Enable FTP Helper
    DMZ Enable FTP Helper

    NAT:
    If   Proto  Ext. port range     NAT IP      Int. port range     Description
    WAN  TCP    ftp_server_access   ftp_server  ftp_server_access   FTP Access to the ftp server
         (ex. XXX.XXX.XXX.XXX)

    WAN Rules:
    Proto  Source  Port  Destination  Port               Gateway  Description
    TCP    *       *     ftp_server   ftp_server_access  *        NAT FTP Access to the ftp server

    Aliases:
    Name               Values                    Description
    ftp_server         192.168.0.101             ftp server
    ftp_server_access  21, 22, 20, 12000:12100   Access for ftp server

    To chroot SSH users I also installed http://chrootssh.sourceforge.net/
    This prevents access to the entire file system on the server and
    leaves SFTP access limited to the intended directory.

    Here is my vsftpd.conf file:

    ftp_username=root

    listen=YES
    listen_ipv6=NO
    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    local_umask=022

    #Public address advertised to passive-mode clients; replace the placeholder
    pasv_address=YOUR_EXTERNAL_IP_ADDRESS_HERE
    dirmessage_enable=YES

    xferlog_enable=YES
    connect_from_port_20=YES
    idle_session_timeout=600
    data_connection_timeout=120

    #Welcome banner
    ftpd_banner=Welcome to FTP service.
    deny_email_enable=NO
    chroot_local_user=YES

    #chroot_list_enable=YES would read a list of users to NOT chroot().
    chroot_list_enable=NO

    secure_chroot_dir=/var/run/vsftpd

    #Authentication is done through PAM to ISPConfig
    pam_service_name=vsftpd

    #This hides the .filenames in the folders
    force_dot_files=NO

    #Enable SSL, a very good thing
    ssl_enable=YES
    allow_anon_ssl=NO

    #Set up for SSL access connections
    rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
    rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

    #Have to leave these as NO so that the web-ftp in ISPConfig can access ftp folders
    force_local_data_ssl=NO
    force_local_logins_ssl=NO
    ssl_tlsv1=YES
    ssl_sslv2=YES
    ssl_sslv3=YES

    #FileZilla uses port 21 if you don't set any port
    #in Servertype "FTPES - FTP over explicit TLS/SSL".
    #Port 990 is the default used for the FTPS protocol.
    #Uncomment the line below if you want/have to use port 990.
    #Since I can only use either 21 or 990 I will use port 21.
    #I used a port forward on my firewall to match port 990 --> port 21
    #listen_port=990

    #I didn't use pasv because I only want people to use SFTP or FTPS.
    #I only need FTP for the ISPConfig web interface which is on the local server.
    #I should set up a rule to only allow local listening for unsecured FTP.
    pasv_min_port=12000
    pasv_max_port=12100
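As an added example that is not part of the post above, a small Python check that parses a vsftpd.conf and the pfSense ftp_server_access alias, then reports a passive port range the firewall alias would not pass along with the ssl_sslv2/ssl_sslv3 and force_local_*_ssl settings; the inputs are constructed copies of the values posted above and the function names are my own.

```python
# Added example (not from the original post): check a vsftpd.conf against the
# pfSense port alias. Inputs are constructed copies of the values posted above.
import re

VSFTPD_CONF = """\
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
pasv_min_port=12000
pasv_max_port=12100
"""
ALIAS = "21, 22, 20, 12000:12100"  # the ftp_server_access alias

def parse_vsftpd(text):
    """Return {key: value} for the non-comment key=value lines of a vsftpd.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def parse_alias(text):
    """Expand a pfSense port alias such as "21, 12000:12100" into (low, high) pairs."""
    ranges = []
    for item in re.split(r"[,\s]+", text.strip()):
        low, _, high = item.partition(":")
        ranges.append((int(low), int(high or low)))
    return ranges

def audit(conf, ranges):
    """Return findings: passive ports the firewall does not pass, and weak TLS settings."""
    findings = []
    if "pasv_min_port" not in conf or "pasv_max_port" not in conf:
        findings.append("pasv_min_port/pasv_max_port unset: passive data ports are unpredictable")
    else:
        low, high = int(conf["pasv_min_port"]), int(conf["pasv_max_port"])
        if not any(a <= low and high <= b for a, b in ranges):
            findings.append(f"passive range {low}-{high} not fully allowed by firewall alias")
    for key in ("ssl_sslv2", "ssl_sslv3"):
        if conf.get(key, "NO").upper() == "YES":
            findings.append(f"{key}=YES enables an obsolete protocol; set it to NO")
    for key in ("force_local_data_ssl", "force_local_logins_ssl"):
        if conf.get(key, "NO").upper() != "YES":
            findings.append(f"{key}=NO allows plaintext logins or data on port 21")
    return findings
```

Run `audit(parse_vsftpd(VSFTPD_CONF), parse_alias(ALIAS))` to get the list of findings; an empty list means the passive range matches the alias and no weak setting is enabled.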



  • 1.  pfSense and FTP Passive: FTP using the suggestions you mentioned with NAT and rules
    2.  Change the settings of your FTP server to actually use the PASSIVE setting (consult your FTP server vendor's manual; in my case G6ftp)

    Thanks to bits and pieces everywhere on these forums, PASSIVE is now working.

    NOTE:  From a security standpoint, PASSIVE FTP is more secure (thus better) because you do not have to open up outbound ports to ALL!

