OpenBSD Journal

FTP and Firewalls

Contributed by jose on from the of-brain-dead-protocols dept.

Since firewalls and FTP tend not to play well together, they're often a source of confusion to new users, especially on NAT networks. This OnLamp article, the latest by Jacek Artymiak, describes the use of FTP from behind a firewall. While Jacek deals with the issues of passive vs. active FTP (which works for firewalls you don't control), this isn't always needed, and it isn't even possible with some brain-dead FTP clients.

Note that a simple configuration in two /etc files can also suffice:

/etc/inetd.conf:
# listen address assumed from the ftp-proxy(8) example; the port matches the rdr rule below
127.0.0.1:8081 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy

/etc/pf.conf:
## ftp-proxy
# redirect target address assumed from the ftp-proxy(8) example
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8081
# pass in data mode connections for ftp-proxy running on this host.
# (see ftp-proxy(8) for details)
pass in on $ext_if inet proto tcp from any to $ext_if port > 49152 \
               flags S/SA keep state

Check the documentation for both ftp-proxy(8) and pf.conf(5) for more information.
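As an added illustration (not part of the original post, and not ftp-proxy's own code), here is a small Python parser for the two control-channel messages a transparent proxy such as ftp-proxy(8) has to read in order to learn which data connection to allow: the client's PORT command (active mode, server connects back to the client) and the server's 227 reply to PASV (passive mode, client connects to the server). Both carry the endpoint as six decimal fields, with the port encoded as p1*256 + p2. The sample lines and addresses are constructed. The checker also flags the case where a server behind NAT announces its internal RFC 1918 address in the PASV reply, which the client experiences as a hang right after "Entering Passive Mode".

```python
import re
from ipaddress import ip_address, ip_network

# Six comma-separated decimal fields: h1,h2,h3,h4,p1,p2
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^227 .*\(" + _SIX + r"\)")  # server reply to PASV
PORT_RE = re.compile(r"^PORT " + _SIX + r"\s*$")   # client command in active mode

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(host):
    """True for addresses that are never routable across the Internet."""
    return any(ip_address(host) in n for n in RFC1918)


def _hostport(fields):
    """Turn the six PORT/PASV fields into ('a.b.c.d', port); port = p1*256 + p2."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("PORT/PASV field out of range: %r" % (fields,))
    h1, h2, h3, h4, p1, p2 = nums
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_port(line):
    """Client -> server 'PORT h1,h2,h3,h4,p1,p2'; returns (host, port) or None."""
    m = PORT_RE.match(line.strip())
    return _hostport(m.groups()) if m else None


def parse_pasv(line):
    """Server -> client '227 Entering Passive Mode (h1,...,p2)'; returns (host, port) or None."""
    m = PASV_RE.match(line.strip())
    return _hostport(m.groups()) if m else None


def data_connection(client_ip, server_ip, line):
    """Inspect one control-channel line the way a transparent proxy would and
    describe the data connection it announces: who opens it, to which endpoint,
    and any sign that a NAT box has left an unusable address inside the message.
    Returns None for lines that announce no data connection."""
    ep = parse_port(line)
    if ep is not None:
        host, port = ep
        warnings = []
        if host != client_ip:
            warnings.append("PORT address %s differs from control-channel client %s" % (host, client_ip))
        if port < 1024:
            warnings.append("PORT asks the server to connect to privileged port %d" % port)
        return {"mode": "active", "opened_by": "server", "dst": (host, port), "warnings": warnings}
    ep = parse_pasv(line)
    if ep is not None:
        host, port = ep
        warnings = []
        if host != server_ip:
            warnings.append("PASV address %s differs from control-channel server %s" % (host, server_ip))
            if is_rfc1918(host):
                warnings.append("server behind NAT announced its internal address; the data connection will hang")
        return {"mode": "passive", "opened_by": "client", "dst": (host, port), "warnings": warnings}
    return None


# Constructed sample control-channel lines (not a captured session):
# client 10.0.0.5 talking to server 203.0.113.7.
SAMPLE = [
    ("10.0.0.5", "203.0.113.7", "PORT 10,0,0,5,4,1"),
    ("10.0.0.5", "203.0.113.7", "227 Entering Passive Mode (203,0,113,7,195,80)."),
    ("10.0.0.5", "203.0.113.7", "227 Entering Passive Mode (192,168,1,10,195,80)."),
    ("10.0.0.5", "203.0.113.7", "230 Login successful."),
]

if __name__ == "__main__":
    for client, server, line in SAMPLE:
        print("%-52s -> %s" % (line, data_connection(client, server, line)))
```

The third sample line is the NATed-server case discussed below: the control connection reaches the public address, but the PASV reply names 192.168.1.10, so the client's data connection goes nowhere. A proxy that rewrites the announced address, or a server configured to advertise its public address, is what fixes it; opening more ports on the firewall does not.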


  1. By dolmant () on

    ftp-proxy(8) suggests this rule, as opposed to the one in the news entry:
    pass in on xl1 proto tcp from any to xl1 user proxy keep state

  2. By Jacek Artymiak () on

    As usual, there is always more than one way to do it. Sometimes you don't have access to the firewall, but need to suggest some solution to your desperate users. Hence this article.

    Merry Christmas,


  3. By Jim () on

    I personally use delegate:

    It does a lot more than just FTP, but I just use it for FTP proxying.

    It can do exactly what ftp-proxy does, but also you can ftp directly to it and use its built-in proxying. Basically it acts like a normal FTP server but it actually connects to and transfers files from another ftp site. This will work for ALL ftp clients, even those that do not support ftp proxies.

    1. By RC () on

      The ftp-proxy method will also work for all FTP clients, as it is a transparent proxy. I've used some extremely stupid FTP programs, and they have all worked fine with ftp-proxy, so I can't imagine any others wouldn't.

  4. By Bards () on

    Does this cover FTP from an external client to a machine in a DMZ? I have tried these settings but cannot seem to get the passive FTP to work from the internet.

    I can authenticate but when I do an 'ls' for example it just hangs after saying 'entering passive mode'.

    Any tips on getting an ftp server to work would be appreciated.

    1. By RC () on

      #1 When it is the SERVER that is firewalled/NATed, then ACTIVE mode should be used... That, of course, requires that the user is NOT firewalled/nated.

      #2, I'd strongly suggest using SCP/SFTP instead of FTP. FTP wasn't well thought-out, and so, it has hack upon hack in it just to get it to work... Never mind that those hacks just don't cut it in several situations.

      #3 If you are still determined to use FTP on a firewalled/NATed server, then there's an article for you. Through a good deal of modifications, you can get FTP to work.

    2. By Anonymous Coward () on

  5. By bards () on


    There is a 'reverse' proxy patch available for ftp-proxy.


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed.