To handle a protocol like FTP, Netfilter must inspect each packet of the
control connection in order to be able to automatically open data
connections. When the control connection is encrypted, it can't do that and hence data connections are rejected. To work around this, you will need to specify a range of passive ports in the ProFtpd configuration,
then open that port range in Shorewall. To handle active mode
connections, you would also need to open outbound connections whose
source port is 20 (that is the default, anyway).

Well, I confirm that the problem was "only" the enabling of the ProFtpd passive ports and the relative Shorewall ports:

ProFtpd (sftp.conf -> that could now be tls.conf or ftps.conf):

PassivePorts                    49152 65534

Shorewall (rules):

ACCEPT net $FW tcp 49152:65534 #PROSFTP PASSIVE PORT

SFTP is the preferred way to do secure file transfer, as it is SSH-based and does not use separate control and data connections. With SFTP, you
simply open the incoming connection in your Shorewall configuration.


I opted for FTPS because I preferred to use the Let's Encrypt certificates instead of self-signed ones. Was I wrong? :-)

Thanks Tom for your very appreciated help!
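A small consistency check, added here as an example and not taken from the thread or from the Shorewall or ProFTPD projects: it parses a PassivePorts directive and the Shorewall rules file and verifies that the whole passive range is accepted by at least one "ACCEPT net $FW tcp" rule, which is the misconfiguration this thread was about. The config fragments below are constructed for the example.

```python
import re

# Constructed sample fragments modelled on the thread (not the poster's files).
PROFTPD_CONF = """\
<IfModule mod_tls.c>
  TLSEngine on
  PassivePorts 49152 65534
</IfModule>
"""

SHOREWALL_RULES = """\
#ACTION  SOURCE  DEST  PROTO  DPORT
ACCEPT   net     $FW   tcp    21            # FTPS control connection
ACCEPT   net     $FW   tcp    49152:65534   #PROSFTP PASSIVE PORT
"""

def parse_passive_ports(conf: str):
    """Return (low, high) from a ProFTPD PassivePorts directive, or None."""
    m = re.search(r"^\s*PassivePorts\s+(\d+)\s+(\d+)", conf, re.M)
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo <= hi else None

def parse_shorewall_accepts(rules: str, proto: str = "tcp"):
    """Return (low, high) port tuples for every 'ACCEPT net $FW <proto>' rule."""
    ranges = []
    for line in rules.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5 or fields[:4] != ["ACCEPT", "net", "$FW", proto]:
            continue
        for part in fields[4].split(","):       # DPORT may be "21" or "lo:hi"
            lo, _, hi = part.partition(":")
            ranges.append((int(lo), int(hi or lo)))
    return ranges

def passive_range_covered(conf: str, rules: str) -> bool:
    """True if every PassivePorts port is accepted, even if split across rules."""
    pr = parse_passive_ports(conf)
    if pr is None:
        return False
    lo, hi = pr
    port = lo                                   # first port not yet covered
    for rlo, rhi in sorted(parse_shorewall_accepts(rules, "tcp")):
        if rlo > port:                          # gap before this rule starts
            break
        port = max(port, rhi + 1)
    return port > hi
```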


Shorewall-users mailing list
