Allowing passive FTP connections in FirewallD (CentOS 7)

In CentOS 7, which comes with FirewallD, enabling HTTP access was easy:

firewall-cmd --permanent --zone=public --add-service=http

However,

firewall-cmd --permanent --zone=public --add-service=ftp

doesn't work: the rule applies, but I can't access FTP by any means except disabling FirewallD.

Some diagnostic info:

  • I have checked the service definition file (ftp.xml) and it makes use of the nf_conntrack_ftp module.
  • On my VPS the module is compiled into the kernel (not as a separate module), so it does not show up in lsmod, but I can confirm it is there with this:

zgrep FTP /proc/config.gz

CONFIG_NF_CONNTRACK_FTP=y
CONFIG_NF_CONNTRACK_TFTP=y
CONFIG_NF_NAT_FTP=y
CONFIG_NF_NAT_TFTP=y

Solution 1:

I did not research the issue thoroughly, so I do not understand the details, but it seems this has something to do with how active/passive connections are set up, both for vsftpd on the server and for the client (e.g. FileZilla).

Basically you will need to:

  • Configure vsftpd passive mode by adding the following to /etc/vsftpd/vsftpd.conf:

    pasv_enable=Yes
    pasv_max_port=40000
    pasv_min_port=40000

  • Restart vsftpd:

    systemctl restart vsftpd.service

  • Open port 4000 in FirewallD:

    firewall-cmd --permanent --add-port=40000/tcp
    firewall-cmd --reload

  • Then I was able to connect with lftp. For setting FileZilla to use active mode, check http://www.itzgeek.com/how-tos/linux/centos-how-tos/enable-passive-mode-in-ftp-on-centos-7-rhel-7-for-filezilla-and-winscp.html#axzz3X4loTCMi

Solution 2:

Try editing /etc/vsftpd/vsftpd.conf:

pasv_enable=YES
pasv_min_port=65400
pasv_max_port=65410

Then:

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -p TCP --dport 21 --sport 1024:65534 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -p TCP --dport 65400:65410 --sport 1024:65534 -j ACCEPT
firewall-cmd --reload
firewall-cmd --permanent --direct --get-all-rules

I use the vsftpd server and the FileZilla client, and it works.
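Both answers boil down to the same two steps: pin vsftpd's passive data ports to a known range, then open exactly that range in FirewallD. The script below is an added example (not from the question or either answer) that reads the pasv_* settings out of a vsftpd.conf, rejects a range that is empty, inverted, or below the unprivileged ports, and prints the zone-based firewall-cmd lines to run. The config fragment is constructed for the example and nothing is executed against a live firewall; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: derive the FirewallD commands from vsftpd's passive range.
# SAMPLE_CONF is a constructed vsftpd.conf fragment, not a real server's file.
SAMPLE_CONF='listen=YES
pasv_enable=YES
pasv_min_port=65400
pasv_max_port=65410
'

# conf_value CONTENT KEY -> value of KEY; the last occurrence wins, as in vsftpd.
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | tail -n 1
}

# is_num VALUE -> success only for a non-empty string of digits.
is_num() {
    case "$1" in ""|*[!0-9]*) return 1 ;; esac
    return 0
}

# pasv_range CONTENT -> "min:max" on stdout, or a message on stderr and failure.
pasv_range() {
    conf="$1"
    enabled=$(conf_value "$conf" pasv_enable | tr '[:lower:]' '[:upper:]')
    min=$(conf_value "$conf" pasv_min_port)
    max=$(conf_value "$conf" pasv_max_port)
    if [ "$enabled" != "YES" ]; then
        echo "pasv_enable is not YES; there is no passive range to open" >&2
        return 1
    fi
    if ! is_num "$min" || ! is_num "$max"; then
        echo "pasv_min_port/pasv_max_port missing or non-numeric" >&2
        return 1
    fi
    # Data ports must be unprivileged and the range must not be inverted;
    # min == max (a single port, as in Solution 1) is allowed.
    if [ "$min" -lt 1024 ] || [ "$max" -gt 65535 ] || [ "$min" -gt "$max" ]; then
        echo "bad passive range $min:$max" >&2
        return 1
    fi
    printf '%s:%s\n' "$min" "$max"
}

# firewall_cmds RANGE -> the commands to open control + data ports in the public zone.
firewall_cmds() {
    printf 'firewall-cmd --permanent --zone=public --add-service=ftp\n'
    printf 'firewall-cmd --permanent --zone=public --add-port=%s/tcp\n' "$1"
    printf 'firewall-cmd --reload\n'
}

# Print the commands for the sample config; on a real host, review and run them.
main() {
    range=$(pasv_range "$SAMPLE_CONF") || return 1
    firewall_cmds "$range"
}

main "$@"
```

Keeping the rule inside the zone (--add-port) rather than as a --direct INPUT rule keeps it visible in firewall-cmd --list-all and lets the ftp service's nf_conntrack_ftp helper handle the control connection; a --sport 1024:65534 match, as in Solution 2, adds no real filtering, since the client chooses its own source port.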