Exploring the Mac OS X Firewall
Subject:   ftp rules?
Date:   2005-05-06 01:16:43
From:   gsyoungblood
Response to: ftp rules?

I've just run into this problem today.

I can confirm the problem as reported above.

With Mac OS X (10.3.9) firewall on, remote clients are not able to use passive. With the firewall stopped, FTP is fully functional, including passive.

This has been giving me grief, to say the least. Fortunately, my machine is behind a firewall already, so turning the Mac firewall off is not opening me up to problems externally. I'd still rather have it enabled.

If I figure out the solution tonight, I'll post a reply.


  • ftp rules?
    2005-05-06 02:54:25  gsyoungblood

    The problem is quite simple. The FTP Access firewall rules only support Active FTP, not Passive. At least that is what it appears to be. For a pretty reasonable description and comparison of Active and Passive FTP, see Active FTP vs. Passive FTP, a Definitive Explanation.

    The short version is this: Passive FTP has a second connection from the client to a specified port on the server, a port that is not port 20 or 21. For this reason, the standard firewall rules for FTP Access do not permit Passive FTP.

    I did not look at the configuration options in detail for the FTP server provided by Apple, but I do not recall seeing anyplace to restrict the passive FTP ports to a set range. This is important, otherwise you are going to be opening your firewall for every port over 1024, and that's not a good idea.

    In general, the goal is to open the least number of ports necessary to support what you want to run.

    Here is how I solved the problem and made Passive FTP work.

    First, I decided to use a different FTP server. I decided to try PureFTPd Manager. After downloading and installing it, I ran it and went into Preferences. There, it lets you specify a range of ports to use for Passive FTP. Choose something you are comfortable with, for example 9900 to 9999 (for a small FTP server).

    Next, go to System Preferences, and make sure FTP Access is checked in both Services and Firewall.

    Finally, under Firewall, click New to add a new firewall rule. Select Other from the drop-down list, and enter the range of ports you decided to use, 9900-9999 using the previous example. Then, enter a description, such as FTP Access (Passive). When you click OK, the rule should be added and activated.

    If everything is running and set up properly, Passive FTP should now be working.
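The procedure above depends on the server actually confining its passive data ports to the range you opened (9900-9999 in the post); if it hands out ports outside that range, clients will hang on the data connection exactly as before, and the temptation is to open everything above 1024. The following Python script is an added example, not code from the post, from Apple's FTP server, or from PureFTPd: it parses RFC 959 "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" replies and flags any data port the firewall rule would block. The port range is taken from the post; the server replies are constructed sample data, not captured from a real server.

```python
import re

# Passive range chosen in the thread (taken from the post above).
PASV_LOW, PASV_HIGH = 9900, 9999

# RFC 959 227 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(
    r"^227\D*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (host, port) from a 227 reply; raise ValueError on anything else.

    The data port is sent as two bytes: port = p1 * 256 + p2.
    """
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("byte out of range in %r" % reply)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def classify_pasv(reply, low=PASV_LOW, high=PASV_HIGH):
    """Classify one server reply against the firewall's passive range.

    Returns (status, port) where status is one of:
      'ok'            - data port falls inside [low, high]
      'out_of_range'  - valid 227 reply, but the firewall rule would block it
      'bad_reply'     - not a parseable 227 reply (server refused, garbage, ...)
    """
    try:
        _host, port = parse_pasv(reply)
    except ValueError:
        return ("bad_reply", None)
    if low <= port <= high:
        return ("ok", port)
    return ("out_of_range", port)


def audit_pasv_replies(replies, low=PASV_LOW, high=PASV_HIGH):
    """Run classify_pasv over a batch of replies; return {status: [ports]}."""
    summary = {"ok": [], "out_of_range": [], "bad_reply": []}
    for r in replies:
        status, port = classify_pasv(r, low, high)
        summary[status].append(port)
    return summary


# Constructed sample replies (not captured from any real server).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,168,1,10,38,172)",  # 38*256+172 = 9900
    "227 Entering Passive Mode (192,168,1,10,39,15)",   # 39*256+15  = 9999
    "227 Entering Passive Mode (192,168,1,10,39,16)",   # 10000: one past the range
    "227 Entering Passive Mode (192,168,1,10,234,19)",  # 59923: unrestricted ephemeral port
    "425 Can't open data connection.",                   # no data port at all
]

if __name__ == "__main__":
    result = audit_pasv_replies(SAMPLE_REPLIES)
    for status, ports in result.items():
        print("%-13s %s" % (status, ports))
```

Feed it the 227 lines from a client session against your own server (a few PASV commands in a row); any port landing in `out_of_range` means the server's passive range and the firewall rule disagree, and the fix is to tighten the server's range rather than to widen the rule. On 10.3 the Firewall pane is a front end for ipfw, so `sudo ipfw list` shows the rules that were actually installed, including the new 9900-9999 entry.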