FTPS Firewall Configuration: Essential Ports for Control and Data Channels (vsftpd Implementation)


When configuring firewalls for FTPS (FTP over SSL/TLS) communication, we need to consider both the control channel (commands) and data channel (file transfers). The standard ports differ based on whether you're using implicit or explicit FTPS.

For the control connection:

  • Implicit FTPS: uses port 990 by default for the control connection
  • Explicit FTPS: typically uses port 21 (the same port as plain FTP)

Example firewall rules for the control channel (using iptables):


# Allow implicit FTPS control connection
iptables -A INPUT -p tcp --dport 990 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 990 -j ACCEPT

# Or for explicit FTPS
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 21 -j ACCEPT

The data channel port behavior depends on the connection mode:

Active Mode Configuration

In active mode, the server initiates the data connection back to the client:

  • Client opens random high port (>1023) and informs server via PORT command
  • Server connects to client from port 20 to client's specified port

Example firewall rules for active mode:


# On client firewall: accept the server's inbound data connection from port 20
iptables -A INPUT -p tcp --sport 20 --dport 1024:65535 -j ACCEPT

# On server firewall: allow the outbound data connection from port 20
iptables -A OUTPUT -p tcp --sport 20 --dport 1024:65535 -j ACCEPT

Passive Mode Configuration

In passive mode (recommended for FTPS, because TLS hides the PASV exchange from the firewall's FTP connection-tracking helper, so the data ports have to be allowed statically):

  • Server opens random high port and informs client
  • Client connects to server's specified port

Example vsftpd configuration for passive ports:


pasv_enable=YES
pasv_min_port=50000
pasv_max_port=51000

Corresponding firewall rules:


# On server firewall
iptables -A INPUT -p tcp --dport 50000:51000 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 50000:51000 -j ACCEPT

# On client firewall
iptables -A OUTPUT -p tcp --dport 50000:51000 -j ACCEPT
iptables -A INPUT -p tcp --sport 50000:51000 -j ACCEPT

For the most secure implementation:

  1. Use passive mode FTPS (easier for firewall traversal)
  2. Specify a limited range of passive ports (e.g., 50000-51000)
  3. Configure firewalls bi-directionally for both control and data channels
  4. Enable stateful inspection to automatically allow reply packets

Example stateful rules for FTPS:


# Allow established/related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

When troubleshooting FTPS through firewalls:


# Check active connections
netstat -tulnp | grep ftp

# Test port connectivity
telnet ftps.example.com 990
nc -zv ftps.example.com 50000-51000

# Packet capture (tcpdump example; portrange matches the passive range)
tcpdump -i eth0 'tcp port 990 or tcp portrange 50000-51000'

When configuring firewalls for FTPS (FTP over SSL/TLS), it's crucial to understand the dual-channel nature of the protocol. FTPS uses separate control and data channels, each requiring specific firewall considerations.

The standard FTPS control port is 990 for implicit SSL, while port 21 is often used for explicit SSL (FTPES). However, some implementations may use additional ports:

  • Port 990: Default control channel (implicit SSL)
  • Port 21: Often used for explicit SSL (FTPES)
  • Ports 989/991: Sometimes used for control channel failover

# Example iptables rules for control channel
iptables -A INPUT -p tcp --dport 990 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 990 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 21 -j ACCEPT

The data channel presents more complex firewall requirements due to its dynamic nature:

  • Passive mode (PASV): Server opens high ports (typically 1024-65535)
  • Active mode (PORT): Client opens high ports
  • Firewalls must allow these ephemeral ports bidirectionally

For comprehensive FTPS support, consider these firewall rules:

Server-side Firewall

# Allow inbound control connections
iptables -A INPUT -p tcp --dport 990 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT

# Allow outbound responses
iptables -A OUTPUT -p tcp --sport 990 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 21 -j ACCEPT

# For passive mode, allow high ports
iptables -A INPUT -p tcp --dport 50000:51000 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 50000:51000 -j ACCEPT

Client-side Firewall

# Allow outbound control connections
iptables -A OUTPUT -p tcp --dport 990 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT

# Allow inbound responses
iptables -A INPUT -p tcp --sport 990 -j ACCEPT
iptables -A INPUT -p tcp --sport 21 -j ACCEPT

# For passive mode, allow outbound connections to the server's passive range
iptables -A OUTPUT -p tcp --dport 50000:51000 -j ACCEPT
iptables -A INPUT -p tcp --sport 50000:51000 -j ACCEPT

Instead of opening all high ports (1024-65535), restrict the range:

  • Configure vsftpd with pasv_min_port and pasv_max_port
  • Example vsftpd.conf settings:

pasv_min_port=50000
pasv_max_port=51000
pasv_address=your.public.ip.address
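
As an added example (not code from the page or from vsftpd itself), the POSIX shell script below ties the vsftpd passive range to the firewall rules for both the passive-mode section above and this restricted-range recommendation: it reads pasv_min_port/pasv_max_port from a constructed vsftpd.conf fragment, decodes the port a server announces in its 227 PASV reply (the reply you would see in an openssl s_client session), checks that it lies inside the range the firewall permits, and emits matching conntrack-based server rules. The configuration text, address and 227 reply are constructed sample values.

```shell
# Added example, not from the original page: check that the passive port a
# vsftpd server announces in its 227 reply lies inside the pasv_min_port /
# pasv_max_port range the firewall was opened for, and emit matching rules.
# Constructed vsftpd.conf fragment using the page's example range.
VSFTPD_CONF='pasv_enable=YES
pasv_min_port=50000
pasv_max_port=51000'

# Print "min max" from vsftpd.conf text; fail if the range is missing or unusable.
pasv_range() {
    min=$(printf '%s\n' "$1" | sed -n 's/^pasv_min_port=\([0-9]*\)$/\1/p')
    max=$(printf '%s\n' "$1" | sed -n 's/^pasv_max_port=\([0-9]*\)$/\1/p')
    [ -n "$min" ] && [ -n "$max" ] || return 1
    [ "$min" -gt 1023 ] && [ "$min" -le "$max" ] && [ "$max" -le 65535 ] || return 1
    printf '%s %s\n' "$min" "$max"
}

# Decode the data port from "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": p1*256 + p2.
pasv_reply_port() {
    fields=$(printf '%s\n' "$1" | sed -n 's/^227 .*(\([0-9,]*\)).*$/\1/p')
    [ -n "$fields" ] || return 1
    set -- $(printf '%s\n' "$fields" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    echo $(( $5 * 256 + $6 ))
}

# Succeed only if the announced port is inside [min, max].
pasv_port_in_range() {   # $1 = 227 reply, $2 = min, $3 = max
    port=$(pasv_reply_port "$1") || return 1
    [ "$port" -ge "$2" ] && [ "$port" -le "$3" ]
}

# Server-side rules for the configured range; conntrack handles the return direction.
server_rules() {   # $1 = min, $2 = max
    printf '%s\n' \
        'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        'iptables -A INPUT -p tcp --dport 990 -m conntrack --ctstate NEW -j ACCEPT' \
        "iptables -A INPUT -p tcp --dport $1:$2 -m conntrack --ctstate NEW -j ACCEPT"
}

range=$(pasv_range "$VSFTPD_CONF") || { echo 'unusable passive range' >&2; exit 1; }
reply='227 Entering Passive Mode (198,51,100,10,195,88)'   # constructed server reply
if pasv_port_in_range "$reply" ${range}; then
    echo "announced port $(pasv_reply_port "$reply") is inside range $range"
else
    echo "announced port $(pasv_reply_port "$reply") is outside range $range" >&2
fi
server_rules ${range}
```

A reply whose decoded port falls outside the range means the data connection will be dropped by the rules above even though the control channel works, which is the usual symptom of a vsftpd range that does not match the firewall.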

Verify your setup with these commands:

# Test control channel connectivity
telnet ftps.example.com 990
# Implicit FTPS on 990 negotiates TLS immediately, so no STARTTLS is used
openssl s_client -connect ftps.example.com:990
# Explicit FTPS on 21 upgrades the session with AUTH TLS
openssl s_client -connect ftps.example.com:21 -starttls ftp

# Check passive mode port range
lsof -i | grep vsftpd
netstat -tulnp | grep vsftpd