Active FTP vs. Passive FTP, Appendix 2
This appendix describes some methods for configuring popular firewalls to support
FTP communications. Most of these configuration guides and tips are user-provided, and I
am unable to test all of these recommendations. As always, be sure to do extensive
research before implementing any of the recommendations here!
When using IPTables, you can use the state match along with the ftp conntrack helper
to accept FTP traffic that is RELATED to an existing connection--in this case the data
connection. What this means is that you only need to open port 21 specifically. The random
data port will be opened automatically with the following rules (being sure to load the
FTP connection tracker helper module first):
iptables -A INPUT -i $WAN_IF -p tcp -m state --state NEW --dport 21 -j ACCEPT
iptables -A INPUT -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
In the event any malicious traffic comes in on the same port as an ongoing FTP data connection,
that traffic is not part of a tracked connection, so it matches neither rule and falls through
to the INPUT chain's default policy; with the policy set to DROP, it is dropped.
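The rule set above, carried through as an added example (not code from the original page): a small POSIX shell script that generates, or applies as root, an IPTables configuration with a default-DROP INPUT policy. The interface argument, the file name and the helper function names are assumptions; the raw-table CT --helper rule is included because on Linux 4.7 and later the ftp conntrack helper is no longer attached to port 21 automatically just by loading nf_conntrack_ftp.

```shell
#!/bin/sh
# Added example, not from the original page. Emits (or applies) an iptables
# rule set that admits inbound FTP on one WAN interface via the conntrack
# helper, with a default-DROP INPUT chain so that unrelated traffic arriving
# on a data port is dropped rather than accepted.

ftp_rules() {
    wan_if="$1"   # assumed: the Internet-facing interface, e.g. eth0
    cat <<EOF
modprobe nf_conntrack_ftp
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -t raw -A PREROUTING -i $wan_if -p tcp --dport 21 -j CT --helper ftp
iptables -A INPUT -i $wan_if -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i $wan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $wan_if -p tcp -m conntrack --ctstate NEW --dport 21 -j ACCEPT
EOF
}

# Sanity check on the generated rules: the only port opened explicitly must
# be 21; every data port is admitted solely through RELATED conntrack state.
# Returns 0 when that holds, 1 when some other --dport is opened directly.
rules_open_only_control_port() {
    ftp_rules "$1" | grep -- '--dport' | grep -v -- '--dport 21' >/dev/null && return 1
    return 0
}

# Usage: DRY_RUN=1 sh ftp-rules.sh eth0   prints the rules
#        sh ftp-rules.sh eth0             applies them (requires root)
if [ -n "$1" ]; then
    if [ -n "$DRY_RUN" ]; then ftp_rules "$1"; else ftp_rules "$1" | sh; fi
fi
```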