When you are using an FTP server you can connect using either Active or Passive connections. Each has advantages and disadvantages. When you set up FTP, in this example using VSFTPD, you need to make this connection decision. Active connections are safest for the server but at times may not work for some clients. Passive connections may not be the safest for the server but usually work well for the clients. In addition, these factors must be taken into account with the firewall. This is where connection tracking can be helpful.
Firewall: Enable Active FTP Connections
If you wanted to create an anonymous FTP server that anyone could access, you could open FTP access with this command:
ufw allow ftp
This allows FTP from anyone to your server. However, if you list the rules you can see it only opens port 21:
iptables -L -n
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
What has just been configured using UFW is an Active FTP connection: the client must connect from a high port (over 1024) to the server on port 21, and the data that is requested is returned from the server's port 20 to the client. This is the safest setup for the server. However, the client (or its firewall) may interpret the return connection from the server on port 20 carrying the data as an intrusion attempt and reject the connection, and thus the FTP transfer fails.
Firewall: Enable Passive FTP Connections
You can see in the illustration that passive connections are different in that the server does not connect to the client with the data on port 20; rather, the client now connects to the server on high ports (over 1024). Thus the server must be enabled to allow these high ports, increasing the security risk.
Here is an example of the settings you can make for FTP in /etc/vsftpd.conf. Limiting the passive port range is a security measure. Remember, this allows the client to connect to the server on these ports. Using VSFTPD, the server keeps track of the negotiated data connection so that connections are only accepted from the client on these ports.
When running ftp in passive mode, these lines will limit the range of ports that it will use for incoming passive requests from the client. This will help make it easier to configure a firewall.
You will need to add these ports to your UFW firewall.
sudo ufw allow proto tcp from any to any port 30000:30999
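The passive port range has to be stated twice, once in /etc/vsftpd.conf and once in the UFW rule, and the two drift apart easily. The following script is an added example, not part of the original post or of VSFTPD or UFW: it reads the pasv_min_port and pasv_max_port values (real vsftpd.conf options) from a constructed sample configuration, checks that the range is sane (above the privileged ports and not inverted), and prints the matching ufw command rather than running it, so you can review the rule before applying it.

```shell
#!/bin/sh
# Added example: derive the UFW passive-range rule from vsftpd.conf so the
# firewall rule and the VSFTPD settings cannot disagree.
# The configuration text below is constructed for this example; in practice
# pass the contents of /etc/vsftpd.conf.

SAMPLE_CONF='listen=YES
anonymous_enable=YES
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=30999'

# Print the value of a key written in vsftpd.conf syntax (key=value, no spaces).
# $1 = configuration text, $2 = key name. The last occurrence wins, as in vsftpd.
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | tail -n 1
}

# Print the ufw command that opens the passive range, or return 1 with a
# message on stderr when the range is missing, inverted, or reaches into the
# privileged ports (1024 and below).
pasv_ufw_rule() {
    conf="$1"
    min=$(conf_value "$conf" pasv_min_port)
    max=$(conf_value "$conf" pasv_max_port)
    if [ -z "$min" ] || [ -z "$max" ]; then
        echo "error: pasv_min_port/pasv_max_port not set" >&2
        return 1
    fi
    if [ "$min" -le 1024 ] || [ "$min" -gt "$max" ]; then
        echo "error: bad passive range $min:$max" >&2
        return 1
    fi
    echo "ufw allow proto tcp from any to any port $min:$max"
}

# Show the rule for the sample configuration.
pasv_ufw_rule "$SAMPLE_CONF"
```

Run it against the real file with `pasv_ufw_rule "$(cat /etc/vsftpd.conf)"`; for the sample above it prints the same rule the post uses, `ufw allow proto tcp from any to any port 30000:30999`. Keeping the range as small as the expected number of concurrent transfers allows is the practical way to contain the exposure that passive mode adds.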
One of the features of the UFW firewall is that it provides connection tracking rules by default in /etc/default/ufw. This file includes default policies which you can change. The IPT_MODULES setting loads the kernel helpers that track connections made with FTP on those high ports. This means the firewall watches the FTP control connection on port 21 and dynamically allows the related data connections back to the server.
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc nf_nat_irc"
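If the FTP helpers have been removed from IPT_MODULES, passive transfers only work as far as the explicit port range allows, and active transfers lose their tracking, so it is worth checking the line rather than assuming the default. The script below is an added example, not part of the original post or of UFW: it parses a constructed /etc/default/ufw-style file and reports which of nf_conntrack_ftp and nf_nat_ftp are missing from IPT_MODULES.

```shell
#!/bin/sh
# Added example: check that the IPT_MODULES line in an /etc/default/ufw-style
# file loads the FTP connection-tracking helpers.
# The file content below is constructed for this example and deliberately
# omits the FTP helpers; in practice pass the contents of /etc/default/ufw.

SAMPLE_UFW_DEFAULTS='DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
IPT_MODULES="nf_conntrack_irc nf_nat_irc"'

# Extract the space-separated module list from the IPT_MODULES="..." line.
ipt_modules() {
    printf '%s\n' "$1" | sed -n 's/^IPT_MODULES="\(.*\)"$/\1/p'
}

# Print the FTP helper modules absent from IPT_MODULES (one line, space
# separated, empty when none are missing). Return 0 when both
# nf_conntrack_ftp and nf_nat_ftp are present, 1 otherwise.
missing_ftp_helpers() {
    mods=" $(ipt_modules "$1") "
    missing=""
    for m in nf_conntrack_ftp nf_nat_ftp; do
        case "$mods" in
            *" $m "*) ;;                      # helper listed, nothing to report
            *) missing="$missing$m " ;;       # helper missing, record it
        esac
    done
    printf '%s\n' "${missing% }"
    [ -z "$missing" ]
}

# Report on the sample file; a non-empty result means IPT_MODULES needs the
# helpers added, e.g. the default shown in the post.
missing_ftp_helpers "$SAMPLE_UFW_DEFAULTS" \
    || echo "add the modules above to IPT_MODULES in /etc/default/ufw and reload ufw"
```

One caveat worth keeping in mind when relying on the helper: nf_conntrack_ftp works by reading the PORT and PASV exchange on the control connection, so it cannot follow an FTP session whose control channel is encrypted (FTP over TLS). In that case the explicit passive port range in /etc/vsftpd.conf and the matching UFW rule are what keep passive transfers working.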