Ipfw


suhailc
09-29-2006, 10:25 AM
Hi all,

I'm running a FreeBSD 6.0 DA server and I have the following rules in my ipfw.rules:

$cmd 90 allow tcp from any to any 21 in
$cmd 100 allow tcp from any to any 21 out
$cmd 300 allow tcp from any to any 61000-61994 in

And in my /etc/proftpd.conf I have the following:

Port 21
PassivePorts 61000 61994

However, I can FTP in but when trying to browse any folders, the FTP client tries opening ports outside of the 61000-61994 range and cannot do so.

How do I fix this please?

Regards,
Suhail.

HH-Steve
09-30-2006, 02:25 AM
Make sure you put the PassivePorts 61000 61994 in the <Global> section of the proftpd.conf file and you should be fine.

Steve

suhailc
09-30-2006, 05:31 AM
Many thanks Steve. That did the trick!

floris
09-30-2006, 05:34 AM
In my experience it's best to let the passive port range be the IANA-registered ephemeral port range (49152 <-> 65534). I discovered customers who couldn't connect otherwise.

This is explained on http://www.proftpd.org/docs/directives/linked/config_ref_PassivePorts.html.
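The two fixes above (keep PassivePorts in the <Global> section, and keep the ipfw range in step with it) are easy to get wrong silently. The following is an added example, not code from the thread or from proftpd; it is a POSIX sh script that reads the PassivePorts directive out of a proftpd.conf and checks whether some "allow tcp ... in" rule in an ipfw.rules file (written with the same $cmd convention as the first post) covers the whole range, and can print the matching rule line. The sample config and rules are constructed here; the function names passive_range, firewall_covers, passive_rule and check_passive_config are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Pure text processing, so it runs on any
# system with a POSIX sh and awk; it does not call ipfw(8) or proftpd.

# Constructed proftpd.conf: PassivePorts placed inside <Global>, as advised.
PROFTPD_CONF='
ServerName "FTP"
<Global>
  Port 21
  PassivePorts 61000 61994
</Global>
'

# Constructed variant using the wider range floris recommends (per the thread).
WIDE_CONF='
<Global>
  Port 21
  PassivePorts 49152 65534
</Global>
'

# Constructed ipfw.rules fragment in the first post's $cmd style.
IPFW_RULES='
$cmd 90 allow tcp from any to any 21 in
$cmd 100 allow tcp from any to any 21 out
$cmd 300 allow tcp from any to any 61000-61994 in
'

# passive_range CONF -> prints "LOW HIGH" from the first PassivePorts directive.
passive_range() {
    printf '%s\n' "$1" | awk '$1 == "PassivePorts" { print $2, $3; exit }'
}

# firewall_covers RULES LOW HIGH -> exit 0 if one "allow tcp ... PORT(-PORT) in"
# rule covers the whole [LOW,HIGH] range, else exit 1.
# Field layout of "$cmd NUM allow tcp from any to any PORTS in": $3=allow,
# $4=tcp, $(NF-1)=port or port range, $NF=in.
firewall_covers() {
    printf '%s\n' "$1" | awk -v lo="$2" -v hi="$3" '
        $3 == "allow" && $4 == "tcp" && $NF == "in" {
            n = split($(NF-1), p, "-")
            rlo = p[1]; rhi = (n == 2) ? p[2] : p[1]
            if (rlo+0 <= lo+0 && rhi+0 >= hi+0) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# passive_rule NUM CONF -> prints the ipfw rule line that matches CONF, so the
# firewall range is derived from proftpd.conf instead of typed by hand.
passive_rule() {
    set -- "$1" $(passive_range "$2")    # $1=rule number, $2=low, $3=high
    printf '$cmd %s allow tcp from any to any %s-%s in\n' "$1" "$2" "$3"
}

# check_passive_config CONF RULES -> prints "ok" or "mismatch".
check_passive_config() {
    set -- "$2" $(passive_range "$1")    # $1=rules, $2=low, $3=high
    if [ -z "$2" ]; then
        echo "no PassivePorts directive"
        return 0
    fi
    if firewall_covers "$1" "$2" "$3"; then echo ok; else echo mismatch; fi
}

check_passive_config "$PROFTPD_CONF" "$IPFW_RULES"   # ok
check_passive_config "$WIDE_CONF" "$IPFW_RULES"      # mismatch: widen rule 300
passive_rule 300 "$WIDE_CONF"                         # the rule line to use instead
```

Run it against the real files with, for example, `check_passive_config "$(cat /etc/proftpd.conf)" "$(cat /etc/ipfw.rules)"`. Note that the check only inspects `allow tcp ... in` rules in the `$cmd` style; the `ipfw add NUM ...` form used later in the thread has the verb in a different field and would need the awk field numbers shifted by one.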

suhailc
09-30-2006, 05:37 AM
Thanks Floris.

But is it safe to open up such a large range on the firewall?

floris
09-30-2006, 05:44 AM
The only daemon listening on those ports is proftpd, so no harm could be done. I don't see why not.

suhailc
09-30-2006, 06:05 AM
Fair enough, thank you.

chatwizrd
09-30-2006, 11:10 AM
If you are blocking all ports you will also want to add a rule so that you can use ftp to other sites via your server.

# FTP PASSIVE (replace # with the rule number you want)
ipfw add # allow tcp from me to any 1024-65535 out setup keep-state