Article:   Exploring the Mac OS X Firewall
Subject:   ftp rules?
Date:   2005-05-06 02:54:25
From:   gsyoungblood
Response to: ftp rules?

The problem is quite simple. The FTP Access firewall rules only support Active FTP, not Passive. At least that is what it appears to be. For a pretty reasonable description and comparison of Active and Passive FTP, see Active FTP vs. Passive FTP, a Definitive Explanation [slacksite.com].


The short version is this: Passive FTP has a second connection from the client to a specified port on the server, a port that is not port 20 or 21. For this reason, the standard firewall rules for FTP Access do not permit Passive FTP.


I did not look at the configuration options in detail for the FTP server provided by Apple, but I do not recall seeing any place to restrict the passive FTP ports to a set range. This is important; otherwise you are going to be opening your firewall for every port over 1024, and that's not a good idea.


In general, the goal is to open the least number of ports necessary to support what you want to run.


Here is how I solved the problem and made Passive FTP work.


First, I decided to use a different FTP server. I decided to try PureFTPd Manager. After downloading and installing it, I ran it and went into Preferences. There, it lets you specify a range of ports to use for Passive FTP. Choose something you are comfortable with, for example 9900 to 9999 (for a small FTP server).


Next, go to System Preferences, and make sure FTP Access is checked in both Services and Firewall.


Finally, under Firewall, click New, to add a new firewall rule. Select Other from the drop down list, and enter the range of ports you decided to use, 9900-9999 using the previous example. Then, enter a description, such as FTP Access (Passive). When you click OK, the rule should be added and activated.


If everything is running and set up properly, Passive FTP should now be working.
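The post explains that Passive FTP moves the data connection to a server-chosen port above 1024, which is why the firewall needs a rule for the configured range (9900-9999 in the example). The following is an added example, not code from the original post or from PureFTPd: it parses the server's PASV reply (RFC 959 `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)`, where the data port is `p1*256 + p2`) and checks whether the advertised port actually falls inside the range the firewall rule permits. It also parses the client-side `PORT` command used by Active FTP, to make the contrast concrete. The sample replies and the 9900-9999 range are constructed for illustration and are assumptions, not captured traffic.

```python
"""Check that a PASV reply advertises a data port inside the firewalled range.

Added example (not from the original post). Input replies are constructed.
"""
import re

# Six comma-separated decimal fields: h1,h2,h3,h4,p1,p2 (RFC 959).
SIX_FIELDS = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Assumed passive range, matching the 9900-9999 example in the post.
PASSIVE_RANGE = (9900, 9999)


def _host_port(text):
    """Extract (host, port) from the h1,h2,h3,h4,p1,p2 encoding."""
    m = SIX_FIELDS.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 fields in %r" % text)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % text)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def parse_pasv_reply(reply):
    """Parse a server '227 Entering Passive Mode (...)' reply.

    In Passive FTP the CLIENT connects to this host:port, so the server's
    firewall must allow inbound TCP to the port.
    """
    if not reply.startswith("227"):
        raise ValueError("not a PASV reply: %r" % reply)
    return _host_port(reply)


def parse_port_command(command):
    """Parse a client 'PORT h1,h2,h3,h4,p1,p2' command.

    In Active FTP the SERVER connects back (from port 20) to this host:port,
    so only ports 20 and 21 matter on the server side.
    """
    if not command.upper().startswith("PORT "):
        raise ValueError("not a PORT command: %r" % command)
    return _host_port(command)


def port_permitted(port, passive_range=PASSIVE_RANGE):
    """True if the port is inside the range the firewall rule opens."""
    lo, hi = passive_range
    return lo <= port <= hi


def audit_pasv_replies(replies, passive_range=PASSIVE_RANGE):
    """Return [(port, permitted)] for each reply; a False entry means the
    server handed out a port the firewall will silently drop."""
    results = []
    for reply in replies:
        _host, port = parse_pasv_reply(reply)
        results.append((port, port_permitted(port, passive_range)))
    return results


if __name__ == "__main__":
    # Constructed sample replies: 38*256+172 = 9900, 39*256+15 = 9999,
    # 195*256+203 = 50123 (outside the configured range).
    SAMPLE_REPLIES = [
        "227 Entering Passive Mode (192,168,1,10,38,172)",
        "227 Entering Passive Mode (192,168,1,10,39,15)",
        "227 Entering Passive Mode (192,168,1,10,195,203)",
    ]
    for port, ok in audit_pasv_replies(SAMPLE_REPLIES):
        print("data port %5d: %s" % (port, "permitted" if ok else "BLOCKED by firewall"))
```

If the third kind of reply appears against a live server, the passive range in the FTP server's preferences and the range in the firewall rule do not match, and transfers will hang after the `PASV` exchange even though logins succeed.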