Allowing passive FTP connections in FirewallD (CentOS 7)

In CentOS 7, which comes with FirewallD, enabling HTTP access was easy:

firewall-cmd --permanent --zone=public --add-service=http

However,

firewall-cmd --permanent --zone=public --add-service=ftp

doesn’t work: the rule applies, but I can’t access FTP by any means except disabling FirewallD.

Some diagnostic info:

  • I have checked the service definition file (ftp.xml) and it makes use of the nf_conntrack_ftp module.
  • On my VPS the module is compiled into the kernel (not separate), so it doesn’t show up in lsmod, but I can confirm it’s there with this:

zgrep FTP /proc/config.gz

CONFIG_NF_CONNTRACK_FTP=y
CONFIG_NF_CONNTRACK_TFTP=y
CONFIG_NF_NAT_FTP=y
CONFIG_NF_NAT_TFTP=y
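
The built-in versus module distinction above, as an added example (not code from the original post): a shell function that reports whether the FTP conntrack helper is compiled into the kernel, loaded as a module, available but not loaded, or missing. The function names and the sample config are assumptions constructed here; the file paths are parameters so the check also works on saved copies.

```shell
#!/bin/sh
# Added example: classify how the kernel provides nf_conntrack_ftp.

# sample_kconfig: constructed sample input mirroring the zgrep output above.
sample_kconfig() {
    cat <<'EOF'
CONFIG_NF_CONNTRACK_FTP=y
CONFIG_NF_CONNTRACK_TFTP=y
CONFIG_NF_NAT_FTP=y
CONFIG_NF_NAT_TFTP=y
EOF
}

# read_kconfig FILE: print a kernel config, decompressing when FILE ends in .gz.
read_kconfig() {
    case "$1" in
        *.gz) gzip -cd -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# ftp_helper_status [KCONFIG] [MODULES]
# Prints one of: builtin, module-loaded, module-not-loaded, absent, unknown.
ftp_helper_status() {
    kconfig=${1:-/proc/config.gz}
    modules=${2:-/proc/modules}
    [ -r "$kconfig" ] || { echo unknown; return 0; }
    # Anchored match, so CONFIG_NF_CONNTRACK_TFTP is not mistaken for FTP.
    value=$(read_kconfig "$kconfig" |
            sed -n 's/^CONFIG_NF_CONNTRACK_FTP=//p' | head -n 1)
    case "$value" in
        y) echo builtin ;;            # never listed by lsmod
        m) if grep -q '^nf_conntrack_ftp ' "$modules" 2>/dev/null; then
               echo module-loaded
           else
               echo module-not-loaded # needs modprobe before it can track FTP
           fi ;;
        *) echo absent ;;             # "is not set" or option missing
    esac
}
```

Called with no arguments, `ftp_helper_status` reads `/proc/config.gz` and `/proc/modules` on the running system.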
