Passive (PASV) port range in OS X Server (10.10) and port forwarding in pfSense
-
#Stop FTP Server
sudo serveradmin stop ftp

#Edit ftpd.conf - FTP Server config file
sudo pico /Library/Server/FTP/Config/ftpd.conf

#Add this line to ftpd.conf file
portrange all min max

#I used 51000 - 51100 so the full command looks like this
portrange all 51000 51100

#Output the file then hit return when prompted for the file name
control-o
return

#Start FTP Server
sudo serveradmin start ftp

#FTP Port Forwarding in pfSense
Firewall > NAT > Port Forward

#Add port 21 (or 20-22 if you’re doing secure FTP - SFTP - I’ve not tested this)
Disabled > unchecked
No RDR > unchecked
Interface > WAN
Protocol > TCP
Source > (not used)
Destination > “not” is unchecked; Type is “WAN address”; Address is blank
Destination port range > from: “FTP”; to: “FTP”; OR for SFTP: from: “(other)” “20”; to: “(other)” “22”
Redirect target IP > (the ip of your internal server) in my case 10.0.1.10
Redirect target port > FTP OR for SFTP: “(other)” “20” (it will figure out the rest of the range)
Description > (up to you)
No XMLRPC Sync > unchecked
NAT reflection > Use system default
Filter rule association > Rule NAT

#Add port forwards for passive range to pfSense
Disabled > unchecked
No RDR > unchecked
Interface > WAN
Protocol > TCP
Source > (not used)
Destination > “not” is unchecked; Type is “WAN address”; Address is blank
Destination port range > from: “(other)” your choice I used “51000”; to: “(other)” your choice I used “51100”
Redirect target IP > (the ip of your internal server) in my case 10.0.1.10
Redirect target port > “(other)” “51000” (the passive range must land on the same ports on the server; it will figure out the rest of the range)
Description > (up to you)
No XMLRPC Sync > unchecked
NAT reflection > Use system default
Filter rule association > Rule NAT

#Apply the rules and FTP to your heart’s content.
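Added example (not part of the original note): a small POSIX sh check that reads the portrange directive out of an ftpd.conf, applies the ftpd.conf(5) rules cited under Resources below (max greater than min, both within 1024..65535, "none" disables), and confirms the pfSense passive-range forward covers exactly that range. The 51000-51100 range comes from the note; the function names and the sample config file are assumptions for this example.

```shell
#!/bin/sh
# Example check for the passive port range: validate the ftpd.conf directive
# and compare it with the from/to ports used in the pfSense port forward.
# Function names and the constructed sample file are assumptions.

# check_portrange <ftpd.conf>: print "min max" on success, fail otherwise.
check_portrange() {
    conf="$1"
    # use the last uncommented portrange line in the file
    line=$(grep -E '^[[:space:]]*portrange[[:space:]]' "$conf" | tail -n 1)
    [ -n "$line" ] || { echo "no portrange directive in $conf" >&2; return 1; }
    set -- $line                      # $1=portrange $2=class $3=min $4=max
    class="$2"; min="$3"; max="$4"
    if [ "$class" = "none" ] || [ -z "$min" ] || [ -z "$max" ]; then
        echo "passive data ports are disabled" >&2; return 1
    fi
    case "$min$max" in *[!0-9]*)
        echo "non-numeric bounds in: $line" >&2; return 1;;
    esac
    [ "$min" -ge 1024 ] && [ "$max" -le 65535 ] ||
        { echo "bounds must lie within 1024..65535" >&2; return 1; }
    [ "$max" -gt "$min" ] || { echo "max must be greater than min" >&2; return 1; }
    echo "$min $max"
}

# forward_matches <ftpd.conf> <from> <to>: succeed only if the pfSense
# port-forward range is identical to the server's passive range.
forward_matches() {
    range=$(check_portrange "$1") || return 1
    set -- $range "$2" "$3"           # $1=min $2=max $3=from $4=to
    [ "$1" -eq "$3" ] && [ "$2" -eq "$4" ]
}

# Constructed sample ftpd.conf using the range from the note.
sample=$(mktemp)
printf 'portrange all 51000 51100\n' > "$sample"
if forward_matches "$sample" 51000 51100; then
    echo "pfSense forward 51000-51100 matches the ftpd.conf passive range"
fi
rm -f "$sample"
```

Run it against the real /Library/Server/FTP/Config/ftpd.conf to catch a range that was typed differently in the two places, which is the usual cause of PASV listings hanging behind the firewall.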
#Resource

#ftpd.conf explained
https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man5/ftpd.conf.5.html

portrange class [min max]
Set the range of port number which will be used for the passive data port. max must be greater
than min, and both numbers must be between IPPORT_RESERVED (1024) and 65535. If class is
``none'' or no arguments are specified, disable this.

#FTP through pfSense
https://doc.pfsense.org/index.php/Howto_setup_ftp_server_behind_pfsense

Simple Port Forward to FTP Server.
- Delete any FTP rules
- Set up the FTP server to have a narrow range for passive ports. Keep enough based on usage and FTP server requirements but as low as possible for security reasons. This may take some experimenting and tweaking. Exactly how to do this will vary based on the FTP server software.
- Set the passive IP response to respond with the PUBLIC IP address forwarded in pfSense. Again how to do this will vary based on FTP server and some do not have the capability.
- Create port forward rules to forward BOTH port 21 and the passive range specified on the FTP server to the local LAN IP of the FTP server.
- See this article for better detail