• I realize this has probably been covered, but during my search I never found the actual step-by-step process for setting up FTP rules through a pfSense firewall.
    Let me start: I have set up an FTP server on a Windows 2008 R2 server that works fine on my LAN.
    I am running pfSense 1.2.3. (I know that is one of my problems; there is a newer version and I should upgrade. I will think about that tomorrow once I get people off my back about the problem today.) I have created a rule allowing port 21 and I have created a NAT to my inside machine. I can log in and connect, but I cannot do anything else. If I try to browse the folder or anything, I get a message that an error occurred opening that folder on the FTP server: "Make sure you have permission to access that folder. Details: the connection with the server was reset."
    It is probably something I am totally overlooking, but if someone has a step-by-step that any semi-literate person could follow, it would be a great help.

    Thanks in advance.

  • LAYER 8 Global Moderator

    And are you doing an active or passive connection to your FTP server from outside?

    You really need to understand the basics of FTP if you want to get it to work through a NATing firewall.

    Here is a great write-up on active vs. passive FTP:


    21 is just the control channel; data, like a directory listing or the actual transfer of a file, would be using the data channel. Read the above link to understand how the data channel differs between an active and a passive connection.

  • It should only be passive, as this is just going to be a file repository to move files from point A to point B.
    Everything is working fine behind the firewall, and ordinarily I'd say done, but we have some people who say they need access from the outside to move graphics and data.
    I have created a rule opening ports 20 and 21, but when I try to connect from the outside, I keep getting a connection reset error.
    Any suggestions would be greatly appreciated.

  • LAYER 8 Global Moderator

    You DON'T need a 20 rule. Did you even read the article?

    And are you connecting active or passive from the outside? What client are you using? This determines whether you're opening up an active or passive data channel.

  • I know you want FTP, but as you are discovering, this protocol has problems with NAT. If both the server and client are behind a NAT, then it may never work without a helper proxy somewhere.

    All these problems can be avoided with SFTP, which requires only one TCP port and is immune to problems with NAT. It just works. It's also secure.

  • LAYER 8 Global Moderator

    ^ Agreed. I would never open up FTP into my network, unless it was just pure anonymous read access to grab files I wanted the public to have. If I wanted a secure way to access files, then I would use SFTP.

    But on the other hand, opening up FTP is not all that difficult. You normally should only have to forward 21, and the helper in pfSense should work for you. Literally, it should take you one click to do the port forward and you should be good.

    But sure, with NAT on both ends, sometimes multiple NATs with users at their homes who don't know any better, the protocol can have issues, especially when the person trying to host it doesn't really understand how it works in the first place ;)
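
    The two moderator posts above (data channel negotiated separately from port 21; forward 21 and let the pfSense helper do the rest) are easier to see in code. The following is an added example written for this thread, not code from pfSense or from anyone in the discussion. It simulates the control-channel lines offline and opens no sockets; the LAN address 192.168.1.50, the WAN address 203.0.113.10 and the passive range 50000-50009 are assumptions taken from documentation address space, not values from the original post.

```python
"""Why forwarding port 21 alone is not enough for FTP through NAT.

Added example for the thread, not pfSense or poster code. Offline simulation:
the 'server', 'client' and 'helper' are functions producing and consuming the
FTP control-channel lines; nothing connects anywhere.
"""
import ipaddress
import re

SERVER_LAN_IP = "192.168.1.50"    # assumed LAN address of the Windows FTP server
FIREWALL_WAN_IP = "203.0.113.10"  # assumed WAN address of the pfSense box
PASV_RANGE = range(50000, 50010)  # assumed passive port range configured on the server

_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^227 .*?" + _SIX)                          # server reply to PASV
PORT_RE = re.compile(r"^PORT\s+" + _SIX + r"\s*$", re.IGNORECASE)  # client command, active mode
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _decode(groups):
    """h1,h2,h3,h4,p1,p2 -> (ip, port) with port = p1*256 + p2 (RFC 959 encoding)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("field exceeds 255")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return f"{h1}.{h2}.{h3}.{h4}", port


def _encode(ip, port):
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    ipaddress.IPv4Address(ip)  # raises on a malformed address
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def parse_pasv(reply):
    """Client side: data endpoint the server advertised in its 227 reply (passive mode)."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    return _decode(m.groups())


def parse_port(command):
    """Server side: endpoint the client asked the server to connect back to (active mode)."""
    m = PORT_RE.match(command)
    if not m:
        raise ValueError(f"not a PORT command: {command!r}")
    return _decode(m.groups())


def build_pasv(ip, port):
    return f"227 Entering Passive Mode ({_encode(ip, port)})"


def build_port(ip, port):
    return f"PORT {_encode(ip, port)}"


def is_rfc1918(ip):
    """True for a private address an Internet client can never reach directly."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def helper_rewrite_pasv(reply, wan_ip):
    """What a NAT FTP helper does to the 227 reply: swap the private address for the
    public one, keep the port, and (not modelled here) open that port inbound for the session."""
    _lan_ip, port = parse_pasv(reply)
    return build_pasv(wan_ip, port)


def passive_listing(with_helper, server_advertises=SERVER_LAN_IP, forwarded=frozenset({21})):
    """Simulate LIST after PASV from an Internet client: the control channel on 21 works,
    the question is whether the separate data connection can reach the server at all."""
    reply = build_pasv(server_advertises, 50000)  # server answers with the address it knows
    if with_helper:
        reply = helper_rewrite_pasv(reply, FIREWALL_WAN_IP)
    ip, port = parse_pasv(reply)                    # client dials this for the listing
    reachable = not is_rfc1918(ip) and (with_helper or port in forwarded)
    return {"reply_seen_by_client": reply, "client_connects_to": (ip, port), "reachable": reachable}


def inbound_ports_needed(mode, with_helper):
    """Ports the firewall must forward to the server for each mode.
    Active: only 21; the server dials out from port 20, so a rule for 20 is pointless.
    Passive with helper: only 21; the helper opens the negotiated port per session.
    Passive without helper: 21 plus the whole passive range, statically."""
    if mode not in ("active", "passive"):
        raise ValueError(mode)
    ports = {21}
    if mode == "passive" and not with_helper:
        ports.update(PASV_RANGE)
    return ports


if __name__ == "__main__":
    for helper in (False, True):
        print("helper" if helper else "no helper", passive_listing(helper))
    print("active:", sorted(inbound_ports_needed("active", False)))
    print("passive, no helper:", sorted(inbound_ports_needed("passive", False)))
```

    Run without the helper, the client is told to open its data connection to 192.168.1.50, which from the Internet either times out or gets reset: the login on port 21 succeeds and the directory listing fails, the exact symptom in the first post. With the helper, or with the server configured to advertise the WAN address and its passive range forwarded, the listing has somewhere to go.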

  • Freely available SSH server and client software (that also handle SFTP) have effectively deprecated FTP, and solve any and all NAT difficulties commonly encountered with FTP. I can't think of any reasonable excuse not to run SSH/SFTP.

  • LAYER 8 Global Moderator

    While I agree, if the purpose of the server is to distribute files to anonymous users, then SSH would not be a good choice.

    But sure, if you're going to require auth, then I can see no reason not to use SFTP over FTP. It does make getting through NATs much easier ;)

  • Users would have to be told somehow that what they are looking for is on some FTP server with anonymous access.

    There is no reason they could not be told that what they are looking for is on an SFTP server with the username/password specified in the same message.

    Also, many SSH implementations allow for pre-login banner customization where the login credentials for anonymous SFTP access can be provided. See:


  • LAYER 8 Global Moderator

    ^ While true, that would require the user who wants to access said file to have an SFTP client. If using FTP to distribute files, all that is required is a simple URL that any browser can access, without the user doing or knowing anything or having to put in any credentials.

    And it could be just a simple link on a website; the user would really not even know whether the file was being accessed via FTP or HTTP, etc.

    I hear you, and I too agree FTP is very near the end of its usefulness. If I needed to distribute anonymous files, I would most likely do it via HTTP rather than FTP. If I needed to control access, then I would use SFTP or an HTTP site requiring auth, to make it easier for users who don't have an SFTP client or, to be honest, are just your typical stupid users. There is no possible way you could get my wife to figure out how to access an SFTP site on a machine without a client. Just not going to happen, no matter how easy you think you make it by giving out credentials in a banner; for starters she would have to see the banner with the credentials ;) How is she going to see that in a default Windows OS?

  • If everything everywhere were restricted to be compatible with the capabilities of the least-common-denominator user, there would be no progress or advancement in anything, because none would be needed.

  • LAYER 8 Global Moderator

    I hear ya ;) You could make the argument that people too stupid to use SFTP don't need my file in the first place. Guess it depends on the makeup of your target audience.