Passive (PASV) port range in OS X Server (10.10) and port forwarding in pfSense
  • #Stop FTP Server
    sudo serveradmin stop ftp

    #Edit ftpd.conf - FTP Server config file
    sudo pico /Library/Server/FTP/Config/ftpd.conf

    #Add this line to ftpd.conf file
    portrange all min max

    #I used 51000 - 51100 so the full command looks like this
    portrange all 51000 51100

    #Output the file then hit return when prompted for the file name
    control-o
    return

    #Start FTP Server
    sudo serveradmin start ftp

    #FTP Port Forwarding in pfSense
    Firewall > NAT > Port Forward

    #Add port 21 (or 20-22 if you’re doing secure FTP - SFTP - I’ve not tested this)
    Disabled > unchecked
    No RDR > unchecked
    Interface > WAN
    Protocol > TCP
    Source > (not used)
    Destination > “not” is unchecked; Type is “WAN address”; Address is blank
    Destination port range > from: “FTP”; to: “FTP”; OR for SFTP: from: “(other)” “20”; to: “(other)” “22”
    Redirect target IP > (the ip of your internal server) in my case 10.0.1.10
    Redirect target port > FTP OR for SFTP: “(other)” “20” (it will figure out the rest of the range)
    Description > (up to you)
    No XMLRPC Sync > unchecked
    NAT reflection > Use system default
    Filter rule association > Rule NAT

    #Add port forwards for passive range to pfSense
    Disabled > unchecked
    No RDR > unchecked
    Interface > WAN
    Protocol > TCP
    Source > (not used)
    Destination > “not” is unchecked; Type is “WAN address”; Address is blank
    Destination port range > from: “(other)” your choice, I used “51000”; to: “(other)” your choice, I used “51100”
    Redirect target IP > (the ip of your internal server) in my case 10.0.1.10
    Redirect target port > FTP OR for SFTP: “(other)” “51000” (it will figure out the rest of the range)
    Description > (up to you)
    No XMLRPC Sync > unchecked
    NAT reflection > Use system default
    Filter rule association > Rule NAT

    #Apply the rules and FTP to your heart's content.

    #Resource

    #ftpd.conf explained
    https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man5/ftpd.conf.5.html

    portrange class [min max]
              Set the range of port numbers which will be used for the passive data port.  max must be greater
              than min, and both numbers must be between IPPORT_RESERVED (1024) and 65535.  If class is
              ``none'' or no arguments are specified, disable this.

    #FTP through pfSense
    https://doc.pfsense.org/index.php/Howto_setup_ftp_server_behind_pfsense

    Simple Port Forward to FTP Server.

    • Delete any FTP rules
    • Set up the FTP server to have a narrow range for passive ports. Keep enough based on usage and FTP server requirements but as low as possible for security reasons. This may take some experimenting and tweaking. Exactly how to do this will vary based on the FTP server software.
    • Set the passive IP response to respond with the PUBLIC IP address forwarded in pfSense. Again how to do this will vary based on FTP server and some do not have the capability.
    • Create port forward rules to forward BOTH port 21 and the passive range specified on the FTP server to the local LAN IP of the FTP server.
    • See this article for better detail
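An added check, not part of the original post: once the ftpd.conf portrange and both pfSense forwards are in place, the thing that actually proves the setup is the server's PASV reply as seen from outside the firewall, which must advertise the public address and a data port inside the forwarded 51000-51100 range. The script below parses that reply and flags either mistake; `203.0.113.10` is a constructed placeholder for the WAN address, and the live check assumes anonymous login.

```python
"""Verify a passive FTP setup behind a port forward: the PASV reply must
advertise the public IP and a data port inside the forwarded range."""
import re
from ftplib import FTP

# Values from the post: passive range 51000-51100.
# The public address is a constructed placeholder; use your own WAN IP.
PASV_MIN, PASV_MAX = 51000, 51100
PUBLIC_IP = "203.0.113.10"  # placeholder (documentation address range)

# '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' per RFC 959
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; the port is p1*256 + p2."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv(reply, public_ip=PUBLIC_IP, lo=PASV_MIN, hi=PASV_MAX):
    """Return a list of problems with the advertised endpoint (empty = OK).

    An internal address here means the server is not set to answer with
    the public IP; an out-of-range port means a data connection will hit
    the firewall on a port that is not forwarded."""
    ip, port = parse_pasv(reply)
    problems = []
    if ip != public_ip:
        problems.append("advertised %s, expected public IP %s" % (ip, public_ip))
    if not lo <= port <= hi:
        problems.append("port %d outside forwarded range %d-%d" % (port, lo, hi))
    return problems


def check_live(host, user="anonymous", password="", **kw):
    """Connect from outside the firewall, issue PASV and check the reply."""
    with FTP(host, timeout=10) as ftp:
        ftp.login(user, password)
        return check_pasv(ftp.sendcmd("PASV"), **kw)


if __name__ == "__main__":
    import sys
    print(check_live(sys.argv[1]) or "passive setup looks correct")
```

Run it from a host on the WAN side (`python3 pasvcheck.py your.public.ip`); an empty problem list means both the address and the port range match what pfSense forwards.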