How to allow FTP connections with a deny policy
To allow FTP connections when a (global or per-object) policy is set to deny, follow these steps:
- Go to Firewall->Packet filter
- Select Configure default rules or Configure rules for a particular object
- Set policy to Deny
- Add the following rules to allow FTP data and control flows:
  - TCP / 21 Allow
  - TCP / 20 Allow
- Save the changes
- Go to an eBox console and type:
    modprobe ip_conntrack_ftp
With this module loaded, all connections related to an FTP connection will be allowed. Make sure all FTP clients are set to passive mode (most browsers do so).
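
The modprobe step above only affects the running kernel, so the helper has to be loaded again after a reboot. The shell functions below are an added example, not part of eBox: they report whether the FTP conntrack helper is loaded and whether it is listed for loading at boot. The nf_conntrack_ftp name (the same helper on newer kernels) and the /etc/modules path (the Debian/Ubuntu boot-time module list) are assumptions not taken from this page.

```shell
#!/bin/sh
# Added example (not eBox code): check the FTP connection-tracking helper.

# ip_conntrack_ftp is the module named on this page; nf_conntrack_ftp is an
# assumption: the name the same helper carries on newer kernels.
FTP_HELPERS="ip_conntrack_ftp nf_conntrack_ftp"

# helper_loaded [MODULES_FILE]
# Prints the name of the loaded FTP helper and returns 0, otherwise returns 1.
# MODULES_FILE uses the /proc/modules format (module name in the first column).
helper_loaded() {
    modules_file="${1:-/proc/modules}"
    for m in $FTP_HELPERS; do
        if awk -v mod="$m" '$1 == mod { found = 1 } END { exit !found }' "$modules_file"; then
            echo "$m"
            return 0
        fi
    done
    return 1
}

# helper_persistent [BOOT_FILE]
# Returns 0 if a helper appears on an uncommented line of BOOT_FILE.
# Assumption: /etc/modules is where this system lists modules to load at boot.
helper_persistent() {
    boot_file="${1:-/etc/modules}"
    [ -r "$boot_file" ] || return 1
    for m in $FTP_HELPERS; do
        grep -Eq "^[[:space:]]*$m([[:space:]]|\$)" "$boot_file" && return 0
    done
    return 1
}

# ftp_helper_status [MODULES_FILE] [BOOT_FILE]
# Prints one of: missing | loaded-not-persistent | loaded-persistent
ftp_helper_status() {
    if ! helper_loaded "$1" >/dev/null; then
        echo "missing"            # data connections will hit the deny policy
    elif helper_persistent "$2"; then
        echo "loaded-persistent"
    else
        echo "loaded-not-persistent"   # works now, breaks after a reboot
    fi
}

# Usage on a live system: ftp_helper_status /proc/modules /etc/modules
```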
