Netgate Discussion Forum

    Passive (PASV) port range in OS X Server (10.10) and port forwarding in pfSense

      EP1C-FIAL

      #Stop FTP Server
      sudo serveradmin stop ftp

      #Edit ftpd.conf - FTP Server config file
      sudo pico /Library/Server/FTP/Config/ftpd.conf

      #Add this line to ftpd.conf file
      portrange all min max

      #I used 51000 - 51100 so the full command looks like this
      portrange all 51000 51100

      #Output the file then hit return when prompted for the file name
      control-o
      return

      #Start FTP Server
      sudo serveradmin start ftp

      #FTP Port Forwarding in pfSense
      Firewall > NAT > Port Forward

      #Add port 21 (or 20-22 if you’re doing secure FTP - SFTP - I’ve not tested this)
      Disabled > unchecked
      No RDR > unchecked
      Interface > WAN
      Protocol > TCP
      Source > (not used)
      Destination > “not” is unchecked; Type is “WAN address”; Address is blank
      Destination port range > from: “FTP”; to: “FTP”; OR for SFTP: from: “(other)” “20”; to: “(other)” “22”
      Redirect target IP > (the ip of your internal server) in my case 10.0.1.10
      Redirect target port > FTP OR for SFTP: “(other)” “20” (it will figure out the rest of the range)
      Description > (up to you)
      No XMLRPC Sync > unchecked
      NAT reflection > Use system default
      Filter rule association > Rule NAT

      #Add port forwards for passive range to pfSense
      Disabled > unchecked
      No RDR > unchecked
      Interface > WAN
      Protocol > TCP
      Source > (not used)
      Destination > “not” is unchecked; Type is “WAN address”; Address is blank
      Destination port range > from: “(other)” your choice I used “51000”; to: “(other)” your choice I used “51100”
      Redirect target IP > (the ip of your internal server) in my case 10.0.1.10
      Redirect target port > FTP OR for SFTP: “(other)” “51000” (it will figure out the rest of the range)
      Description > (up to you)
      No XMLRPC Sync > unchecked
      NAT reflection > Use system default
      Filter rule association > Rule NAT

      #Apply the rules and FTP to your heart's content.

      #Resource

      #ftpd.conf explained
      https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man5/ftpd.conf.5.html

      portrange class [min max]
                Set the range of port number which will be used for the passive data port.  max must be greater
                than min, and both numbers must be between IPPORT_RESERVED (1024) and 65535.  If class is
                ``none'' or no arguments are specified, disable this.

      #FTP through pfSense
      https://doc.pfsense.org/index.php/Howto_setup_ftp_server_behind_pfsense

      Simple Port Forward to FTP Server.

      • Delete any FTP rules
      • Setup the FTP server to have a narrow range for passive ports. Keep enough based on usage and FTP server requirements but as low as possible for security reasons. This may take some experimenting and tweaking. Exactly how to do this will vary based on the FTP server software.
      • Set the passive IP response to respond with the PUBLIC IP address forwarded in pfSense. Again how to do this will vary based on FTP server and some do not have the capability.
      • Create port forward rules to forward BOTH port 21 and the passive range specified on the FTP server to the local LAN IP of the FTP server.
      • See this article for better detail
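
A way to check that the server and firewall ranges in the post above agree, as an added example that is not part of the original post: it reads the `portrange` line from ftpd.conf text, applies the limits quoted from the man page, and compares the result with the range forwarded in pfSense. The function names, verdict strings and sample config are constructed for illustration, and it assumes a later `portrange` line overrides an earlier one.

```shell
#!/bin/sh
# Added example (not from the original post). Sample config is constructed.
IPPORT_RESERVED=1024   # lower bound quoted from the ftpd.conf man page

SAMPLE_CONF='# constructed ftpd.conf fragment
umask all 022
portrange all 51000 51100   # passive data ports'

# passive_range CONF_TEXT CLASS: print "min max" for CLASS, or nothing when
# portrange is absent or given without arguments (which disables it).
# Assumption: a later portrange line overrides an earlier one.
passive_range() {
    printf '%s\n' "$1" | awk -v cls="$2" '
        { sub(/#.*/, "") }    # strip comments, fields are re-split
        $1 == "portrange" && $2 == cls { r = (NF == 4) ? $3 " " $4 : "" }
        END { if (r != "") print r }'
}

# check_forward CONF_TEXT CLASS FWD_MIN FWD_MAX: print a verdict and return 0
# only when the server range is valid and the forwarded range equals it.
check_forward() {
    range=$(passive_range "$1" "$2")
    [ -n "$range" ] || { echo "no-portrange"; return 1; }
    min=${range% *}
    max=${range#* }
    case "$min$max" in
        *[!0-9]*) echo "not-numeric"; return 1 ;;   # e.g. literal "min max"
    esac
    if [ "$min" -lt "$IPPORT_RESERVED" ] || [ "$max" -gt 65535 ] ||
       [ "$max" -le "$min" ]; then
        echo "invalid-range"; return 1
    fi
    if [ "$3" -gt "$min" ] || [ "$4" -lt "$max" ]; then
        echo "forward-too-narrow"; return 1   # some passive transfers will fail
    fi
    if [ "$3" -lt "$min" ] || [ "$4" -gt "$max" ]; then
        echo "forward-too-wide"; return 1     # ports forwarded that ftpd never uses
    fi
    echo "ok"
}

check_forward "$SAMPLE_CONF" all 51000 51100
```

To run it against a real server, pass the file contents as the first argument, for example `check_forward "$(cat /Library/Server/FTP/Config/ftpd.conf)" all 51000 51100`.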