ftp uses 2 separate connections:
- A command channel, where the ftp client uses port 21 as the destination port.
- A data channel, where in passive mode the ftp client uses a destination port >1023 as suggested by the ftp server.
In active mode the server initiates this channel using source port 20, which usually is not liked and thus not allowed by most system administrators.
Since my house move I don't have access to a FBSD box, but in OpenBSD the ports suggested by the ftp server for passive ftp channels are set by the following sysctls:
Code:
net.inet.ip.portfirst=1024
net.inet.ip.portlast=49151
net.inet.ip.porthifirst=49152
net.inet.ip.porthilast=65535
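As an added illustration of the passive-mode exchange described above (this is example code, not from the post or from OpenBSD), the client-side parser below decodes the server's RFC 959 `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply into the data-channel address and port, then applies the checks a firewall or ftp-proxy operator would want: the port must not be privileged, it should fall inside the range the server is configured to hand out (assumed here to be `net.inet.ip.portfirst`..`net.inet.ip.portlast` from the post, i.e. 1024..49151), and the address should match the server the control connection is talking to. The reply strings and IP addresses are constructed sample values.

```python
import re

# Passive data-port range taken from the sysctls quoted in the post
# (net.inet.ip.portfirst / net.inet.ip.portlast). Assumed default here;
# adjust if the server draws data ports from a different range.
PORTFIRST = 1024
PORTLAST = 49151

# RFC 959 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# Text before the parenthesis varies between servers, so only the
# code and the six comma-separated fields are matched.
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (ip, port) from a 227 PASV reply, or raise ValueError."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in PASV reply: %r" % reply)
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]  # p1 is the high byte, p2 the low byte
    return ip, port


def data_port_ok(port, first=PORTFIRST, last=PORTLAST):
    """True when the suggested data port lies in the configured range."""
    return first <= port <= last


def check_pasv(reply, server_ip, first=PORTFIRST, last=PORTLAST):
    """Parse a PASV reply and list the problems a proxy/firewall would flag.

    Returns (ip, port, problems); an empty problems list means the
    suggested data channel is acceptable.
    """
    ip, port = parse_pasv(reply)
    problems = []
    if ip != server_ip:
        # A data address that differs from the control-connection peer
        # would make the client connect to a third host.
        problems.append("PASV address %s differs from server %s" % (ip, server_ip))
    if port <= 1023:
        problems.append("PASV port %d is a privileged port" % port)
    elif not data_port_ok(port, first, last):
        problems.append("PASV port %d outside %d-%d" % (port, first, last))
    return ip, port, problems


if __name__ == "__main__":
    # Constructed sample replies; 192.0.2.10 is the (constructed) ftp server.
    server = "192.0.2.10"
    samples = [
        "227 Entering Passive Mode (192,0,2,10,4,210)",    # port 1234, fine
        "227 Entering Passive Mode (192,0,2,10,195,80)",   # port 50000, outside range
        "227 Entering Passive Mode (192,0,2,10,0,21)",     # port 21, privileged
        "227 Entering Passive Mode (198,51,100,7,4,210)",  # address mismatch
    ]
    for reply in samples:
        ip, port, problems = check_pasv(reply, server)
        print("%s:%d -> %s" % (ip, port, problems or "ok"))
```

The arithmetic `p1 * 256 + p2` is the whole of the "port suggested by the ftp server"; everything the firewall needs to open for the data channel is in that one reply line, which is why a pf setup either opens the configured range statically or runs ftp-proxy to read these replies and add rules on the fly.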
Re: ftp-proxy
ftp-proxy needs to run on a dedicated pf firewall with 2 NICs. It can neither run on an ftp client box, nor on an ftp server box.