Configuring Secure FTP with pfSense
Creating a secure FTP over SSL server using FileZilla with pfSense
1- The first step is to create the groups/users you want.
Second, click Settings, go to the Passive Mode settings and configure them as below, where the public IP needs to be that of the firewall that NATs the connection.
Make sure that the public IP set on the FTP server matches the IP of the firewall on which you're configuring the FTP connection.
2- Now it’s time to configure the SSL/TLS settings
You first need to generate a certificate so that the connection is secured and the data is encrypted. You can do that through the FileZilla Server app itself; as you can see in the snapshot, there's an option for it.
Just click Generate new certificate and fill in the information. You can randomize it if you want; just type in anything, click OK when finished, and select the option according to the snapshot.
3- Firewall configuration:
In my case I'm using an open-source software firewall, which to be honest doesn't vary that much from a hardware firewall, since they are all web-based.
I'll configure two NAT rules: one enabling the standard secure FTP port, which is 990 in my case, to avoid attackers who usually target port 21, and one enabling the FTP data port range for data exchange between server and client. In this case the range needs to be big, in order not to slow down the connection and so that the client can open more than one socket when transferring large amounts of data.
The first rule enables incoming connections from any source to the internal LAN IP that hosts the FTP server, on port 990, to establish the secure FTP connection.
The second rule enables incoming connections from any source to the FTP server on the LAN, on the data port range from 50000 to 51000.
In the destination IP, you need to set the WAN IP address that you specified earlier in the FTP server's Passive Mode settings.
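A quick check for steps 1 and 3, added here as an example and not part of the original walkthrough: it parses the 227 passive-mode reply shown in the FTP client's log and confirms that the advertised address is the firewall's WAN IP and that the data port falls inside the forwarded 50000-51000 range. The function names, the sample WAN IP 203.0.113.10 and the log lines are constructed for illustration.

```python
import ipaddress
import re

# Passive data range forwarded by the second NAT rule in the walkthrough.
PASV_RANGE = (50000, 51000)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Matches the reply anywhere in a client log line, e.g. "Response: 227 ...".
_PASV_RE = re.compile(r"227 [^\r\n]*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),"
                      r"(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError("no 227 passive reply in: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if max(nums) > 255:
        raise ValueError("octet out of range in: %r" % reply)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]  # port = p1 * 256 + p2


def check_pasv(reply, wan_ip, port_range=PASV_RANGE):
    """List mismatches between the advertised data endpoint and the NAT rules."""
    ip, port = parse_pasv(reply)
    problems = []
    if ip != ipaddress.IPv4Address(wan_ip):
        kind = "private LAN" if any(ip in n for n in RFC1918) else "unexpected"
        problems.append("server advertises %s address %s, not WAN IP %s"
                        % (kind, ip, wan_ip))
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append("data port %d is outside forwarded range %d-%d"
                        % (port, lo, hi))
    return problems


if __name__ == "__main__":
    wan = "203.0.113.10"  # constructed WAN IP (documentation range)
    samples = [  # constructed client-log lines
        "Response: 227 Entering Passive Mode (203,0,113,10,195,80)",
        "Response: 227 Entering Passive Mode (192,168,1,20,195,80)",
        "Response: 227 Entering Passive Mode (203,0,113,10,192,0)",
    ]
    for line in samples:
        print(line, "->", check_pasv(line, wan) or "OK")
```

An empty list means the reply agrees with both the Passive Mode setting and the second NAT rule; a private address in the reply means the server's passive-mode IP was never set to the firewall's WAN IP.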
Make sure that when you set up your client, you set the transfer mode to passive. Here's the result: