Allowing passive FTP connections in FirewallD (CentOS 7)

Question

In CentOS 7 which comes with FirewallD, enabling HTTP access was easy:

firewall-cmd --permanent --zone=public --add-service=http

However,

firewall-cmd --permanent --zone=public --add-service=ftp

doesn't work: the rule applies, but I can't access FTP by any means except disabling FirewallD.

Some diagnostic info:

I have checked the service definition file (ftp.xml) and it makes use of nf_conntrack_ftp module.
On my VPS the module is compiled into kernel (not separate) so it's not there via lsmod, but I can confirm it's there by this:


zgrep FTP /proc/config.gz


CONFIG_NF_CONNTRACK_FTP=y
CONFIG_NF_CONNTRACK_TFTP=y
CONFIG_NF_NAT_FTP=y
CONFIG_NF_NAT_TFTP=y

This will more likely than not be the usual problem will passive more http://serverfault.com/questions/421161/how-to-configure-vsftpd-to-work-with-passive-mode/421169#421169 — user9517, Oct 25 '14 at 14:27
Solution for CentOS 8: https://serverfault.com/a/995047/298522 — h18c, Dec 10 '19 at 14:13
Does this answer your question? [How to configure vsftpd to work with passive mode](https://serverfault.com/questions/421161/how-to-configure-vsftpd-to-work-with-passive-mode) — miken32, Jan 14 '20 at 21:42
Both answers here are bad, they do not rely on intelligent connection tracking made possible by `nf_conntrack_helper`. — miken32, Jan 14 '20 at 21:46

score 8 · Answer 1 · answered Apr 12 '15 at 07:43

I did not researched the issue throughly, so I do not understand the details, but it seems this has something to do with how the active - passive connections are setup both for vsftpd on the server and for the client (ex: Filezilla).

Basically you will need to:

configure vsfptd passive mode by adding the following to /etc/vsftpd/vsftpd.conf: pasv_enable=Yes pasv_max_port=40000 pasv_min_port=40000
Restart vsftpd: systemctl restart vsftpd.service
Ope port 4000 in FirewallD: firewall-cmd --permanent --add-port=40000/tcp firewall-cmd --reload
Then I was able to connect with lftp. For setting Filezilla to use active mode check http://www.itzgeek.com/how-tos/linux/centos-how-tos/enable-passive-mode-in-ftp-on-centos-7-rhel-7-for-filezilla-and-winscp.html#axzz3X4loTCMi

score 1 · Answer 2 · edited Jan 18 '17 at 05:38

try: edit /etc/vsftpd/vsftpd.conf

pasv_enable=YES
pasv_min_port=65400
pasv_max_port=65410

Then:

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -p TCP --dport 21 --sport 1024:65534 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -p TCP --dport 65400:65410 --sport 1024:65534 -j ACCEPT
firewall-cmd --reload
firewall-cmd --permanent --direct --get-all-rules

I use vsftp server & FileZilla Client can working

Allowing passive FTP connections in FirewallD (CentOS 7)

2 Answers2