FTP rule for NACL in AWS

networking amazon-web-services ftp tcp

Solution 1:

Security groups are stateful in that you would only need to add the outwards rule. NACLs are stateless so you need to add in rules as well as out rules. Most AWS people use security groups in preference to NACLs because the automatic return traffic makes it simpler.

With NACLs ephemeral ports (explanation here and another here) need to be opened to allow return traffic. Read the links, FTP doesn't work as expected. Those ports vary a bit based on your OS (Wikipedia reference) tells us

The Internet Assigned Numbers Authority (IANA) suggests the range 49152 to 65535 (215+214 to 216−1) for dynamic or private ports.3

Many Linux kernels use the port range 32768 to 60999.

Best allow ports 49152 to 65535 inwards on your NACLs to allow FTP to work.

Related

Is there an async FUSE filesystem for replication?
Powershell: install RDS Terminal Server Gateway SSL Certificate
Can Procmail be configured to get rid of mail after it is passed to a script?
In Ansible inventory, can I exclude children from a host group?
Best AWS option for occasional video encoding with FFMPEG? [closed]
Exchange 2019 Connection Problems with GCs
Openstack VM build fails with error
Tons of Access from Google Proxy
Delete directory regardless of 260 char limit
What is the Indentation standard for HTML (Tab / Two spaces / etc)? [closed]
Yield in a recursive function
No type was found that matches the controller named 'User'