Exploring the Mac OS X Firewall
Subject:   ftp rules?
Date:   2005-03-16 13:49:39
From:   oefe
For FTP connections, the first rule seems to be clear:
allow tcp from any to any 20-21 in
This lets clients connect to the ftp port (21) and to ftp-data(20).

But what is the second rule supposed to be?
allow tcp from any 20,21 to any 1024-65535 in
This would allow clients to access any (unprivileged) port as long as they are connecting from port 20 or 21.

Is this somehow supposed to support passive ftp? But clients normally can't (and won't) use the privileged ports.

Indeed, with the firewall active, I can connect to the ftp server, but I can't up/download files or even get a directory listing.

How do I configure ipfw correctly for passive ftp? Or can I tell ftpd to use port 20 for the data connection?

  • ftp rules?
    2005-03-22 20:23:03  coolmacguy

    That second line is indeed erroneous. The client is definitely not restricted to connecting from only port 20 or 21 when it initiates the second connection. According to my logs both Dreamweaver and Transmit use a port in the high 60000 range.
  • ftp rules?
    2005-03-16 15:05:43  peterhickman

    The two rules that I gave for the firewall are just a copy of the rules that OS X creates when you turn on FTP and have a firewall running.

    If you drop your firewall can you connect and use the FTP server and access it as you would expect? If not then the problem lies with the configuration of the FTP server and not the firewall.

    Must confess I do not use the FTP server if I can help it, preferring SFTP.
    • ftp rules?
      2005-05-06 01:16:43  gsyoungblood

      I've just run into this problem today.

      I can confirm the problem as reported above.

      With Mac OS X (10.3.9) firewall on, remote clients are not able to use passive. With the firewall stopped, FTP is fully functional, including passive.

      This has been giving me grief, to say the least. Fortunately, my machine is behind a firewall already, so turning the Mac firewall off is not opening me up to problems externally. I'd still rather have it enabled.

      If I figure out the solution tonight, I'll post a reply.
      • ftp rules?
        2005-05-06 02:54:25  gsyoungblood

        The problem is quite simple. The FTP Access firewall rules only support Active FTP, not Passive. At least that is what it appears to be. For a pretty reasonable description and comparison of Active and Passive FTP, see Active FTP vs. Passive FTP, a Definitive Explanation.

        The short version is this: Passive FTP has a second connection from the client to a specified port on the server, a port that is not port 20 or 21. For this reason, the standard firewall rules for FTP Access do not permit Passive FTP.

        I did not look at the configuration options in detail for the FTP server provided by Apple, but I do not recall seeing anyplace to restrict the passive FTP ports to a set range. This is important, otherwise you are going to be opening your firewall for every port over 1024, and that's not a good idea.

        In general, the goal is to open the least number of ports necessary to support what you want to run.

        Here is how I solved the problem and made Passive FTP work.

        First, I decided to use a different FTP server. I decided to try PureFTPd Manager. After downloading and installing it, I ran it and went into Preferences. There, it lets you specify a range of ports to use for Passive FTP. Choose something you are comfortable with, for example 9900 to 9999 (for a small FTP server).

        Next, go to System Preferences, and make sure FTP Access is checked in both Services and Firewall.

        Finally, under Firewall, click New, to add a new firewall rule. Select Other from the drop-down list, and enter the range of ports you decided to use, 9900-9999 using the previous example. Then, enter a description, such as FTP Access (Passive). When you click OK, the rule should be added and activated.

        If everything is running and set up properly, Passive FTP should now be working.
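To show why the two stock "FTP Access" rules from the opening post let the control connection through but not a passive data connection, and why the extra rule for a fixed passive range (9900-9999 in the thread's PureFTPd example) fixes it, here is a small rule matcher added for this thread. It is constructed example code, not ipfw's or Apple's; it models only the `allow|deny tcp from any [ports] to any [ports] in` syntax, the client ports (61000, 61001) and the passive port 9950 are made up, and it assumes that a connection no rule matches is denied.

```python
"""Toy matcher for the ipfw 'FTP Access' rules in this thread (constructed
example, not ipfw's code). Models inbound TCP connections at the FTP server
as (source port, destination port). Assumption: unmatched traffic is denied."""
import re

RULE_RE = re.compile(
    r"(allow|deny) tcp from any(?: ([\d,-]+))? to any(?: ([\d,-]+))? in")

def parse_ports(spec):
    """'20,21' -> ports 20 and 21; '1024-65535' -> that range. Returns a predicate."""
    bounds = []
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        bounds.append((int(lo), int(hi or lo)))
    return lambda port: any(lo <= port <= hi for lo, hi in bounds)

def parse_rule(text):
    m = RULE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    action, sports, dports = m.groups()
    return {"action": action,
            "sport": parse_ports(sports) if sports else (lambda p: True),
            "dport": parse_ports(dports) if dports else (lambda p: True)}

def first_match(rules, sport, dport):
    """ipfw semantics: the first matching rule wins; default here is deny."""
    for r in rules:
        if r["sport"](sport) and r["dport"](dport):
            return r["action"]
    return "deny"

# The two rules Mac OS X adds for "FTP Access", as quoted in the thread.
APPLE_FTP_RULES = [parse_rule(r) for r in (
    "allow tcp from any to any 20-21 in",
    "allow tcp from any 20,21 to any 1024-65535 in",
)]
# The extra rule from the fix: a PureFTPd passive range of 9900-9999.
PASSIVE_RULE = parse_rule("allow tcp from any to any 9900-9999 in")

def control_connection(rules):
    # Constructed client: ephemeral source port 61000 -> server port 21.
    return first_match(rules, 61000, 21)

def passive_data(rules):
    # Constructed client: ephemeral port 61001 -> passive port 9950, which
    # the server advertised in its PASV reply (inside the 9900-9999 range).
    return first_match(rules, 61001, 9950)
```

With only the Apple rules, `passive_data` is denied because the second rule matches solely on a client *source* port of 20 or 21, which real clients never use; appending `PASSIVE_RULE` allows the data connection without opening every port above 1024.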