I have two internal FTP servers (192.168.168.5 and 192.168.168.6) that should be externally reached in passive mode addressing two public IPs on the external interface (a.b.c.149 and a.b.c.150) . In Susefirewall2 this was working perfectly, but in firewalld I can forward the single port 21 , but it does not accept the 60000:60100 needed for passive ftp.
How can I achieve this configuration?
TY in advance
I tried the converter and read all the available documents, but I could not find any referral to such case.
All the examples are about forwarding one ip:port to another ip:port.
I need to forward ip-ext:port-port to ip-int:port-port
Took a look at this,
And it looks like firewalld should support PASV FTP by default.
Configure your FTP application according to its documentation to specify the secondary port range (PASV data ports)
Using the YaST module which invokes the firewalld GUI interface or firewall-cmd, enable the ftp service (provided in all installations) for your default zone (and other zones as may be needed). The default installed zone is the Public zone. Do not create a new FTP service, without special configuration it will support only Active FTP.
Verify that kernel modules are installed that support nftables and specifically nf_conntrack_ftp For comparison, the following is the command and result on my TW
Note that nf_conntrack_ftp is supposed to support stateful packet inspection which means that the secondary PASV data ports should normally be closed but opened as needed for a particular client connection… So for instance you normally test for open ports unless the FTP connection is active.
If all of the above are configured correctly, then the firewall should support PASV FTP.
If you’re still having problems,
Describe what FTP app you’re using and the FTP client(s) used and depending on the client how it’s being configured for PASV connections.
I was confused by “destination address” line and “to-addr” value. The manual is not clear about this. The destination address is the external public address where to send the packets, and to-addr is the internal address where packets are targeted.
Resolved this way: