Server Setup

FirewallD FTP rule: allow access to FTP service in CentOS 7



CentOS 7 comes with FirewallD as its default firewall software. Iptables is still an option, but there is no reason not to make use of the default.

FirewallD has its own set of service definition files, which allows for easier administration.

For instance, after you have installed Apache or Nginx, you need to open up port 80, which is the standard port for the HTTP protocol. A single command will suffice for enabling access to your websites:

firewall-cmd --permanent --zone=public --add-service=http

That’s just how easy it is to allow access to Apache or Nginx in FirewallD. If you haven’t enabled the firewall itself, please refer to our setup guide for CentOS 7.

FirewallD FTP rule file

While FirewallD ships a definition file for the FTP service, on some VPS the equivalent command will not work for allowing FTP access. Why? The FTP service definition file relies on the “nf_conntrack_ftp” kernel module. If that module is compiled into the kernel (rather than built as a separate, loadable module) on a VPS, FirewallD seems to have trouble using it.

So instead of:

firewall-cmd --permanent --zone=public --add-service=ftp

Use, as a workaround:

firewall-cmd --permanent --add-port=21/tcp

And finally, apply firewall changes:

firewall-cmd --reload

Note that with this approach you will likely lose passive-mode FTP connections, leaving only active-mode FTP, which gives somewhat slower FTP access. So check first whether the standard approach works for you, and only if it doesn’t, proceed with the workaround command.
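The decision above can be scripted so that the check comes before the workaround. The following is an added example, not a script from the original post: it classifies how nf_conntrack_ftp is available on the host (loaded as a module, compiled into the kernel, or absent), picks the firewall-cmd arguments accordingly, prints the plan as a dry run, and only touches the firewall when run with the argument "apply". It goes a step beyond the post: when the assumed PASV_RANGE variable is set to the passive port range your FTP daemon is configured with (for vsftpd, pasv_min_port/pasv_max_port), the workaround also opens that range, so passive mode keeps working without the conntrack helper and without opening more ports than needed. ZONE, PASV_RANGE, and the function names are this example's own; /proc/modules, modules.builtin, modinfo and the firewall-cmd options are real.

```shell
#!/bin/sh
# Added example (hypothetical helper script, not from the original post):
# pick the FirewallD "ftp" service or the port-21 workaround based on how
# the nf_conntrack_ftp helper is available on this host.

ZONE="${ZONE:-public}"
# Assumption: the FTP daemon is configured to use this passive port range
# (e.g. vsftpd pasv_min_port/pasv_max_port). Leave empty to open only 21/tcp.
PASV_RANGE="${PASV_RANGE:-}"

# Classify the helper from two text inputs: the contents of /proc/modules
# (currently loaded modules) and of modules.builtin (compiled into the kernel).
# Prints one of: module | builtin | missing
classify_conntrack_ftp() {
  loaded="$1"; builtin="$2"
  if printf '%s\n' "$loaded" | grep -q '^nf_conntrack_ftp '; then
    echo module
  elif printf '%s\n' "$builtin" | grep -q '/nf_conntrack_ftp\.ko'; then
    echo builtin
  else
    echo missing
  fi
}

# Read the real files on this host and classify; a loadable-but-not-yet-loaded
# module also counts as "module", since FirewallD can modprobe it itself.
probe_conntrack_ftp() {
  loaded=$(cat /proc/modules 2>/dev/null)
  builtin=$(cat "/lib/modules/$(uname -r)/modules.builtin" 2>/dev/null)
  state=$(classify_conntrack_ftp "$loaded" "$builtin")
  if [ "$state" = missing ] && modinfo nf_conntrack_ftp >/dev/null 2>&1; then
    state=module
  fi
  echo "$state"
}

# Print the firewall-cmd arguments (one per line) for a given helper state.
ftp_rules_for() {
  case "$1" in
    module)
      # Standard approach: the service definition handles 21/tcp and the helper.
      printf '%s\n' '--add-service=ftp' ;;
    builtin|missing)
      # Workaround from the post: open the control port directly. Without the
      # helper, passive data connections are not tracked, so also open the
      # configured passive range instead of leaving FTP active-only.
      printf '%s\n' '--add-port=21/tcp'
      [ -n "$PASV_RANGE" ] && printf '%s\n' "--add-port=${PASV_RANGE}/tcp" ;;
    *)
      return 1 ;;
  esac
  return 0
}

# Show the plan; with "apply" and firewall-cmd present, make the changes
# permanent, reload, and list what the zone actually exposes afterwards.
apply_ftp_rules() {
  state=$(probe_conntrack_ftp)
  echo "nf_conntrack_ftp: $state"
  ftp_rules_for "$state" | while IFS= read -r arg; do
    echo "firewall-cmd --permanent --zone=$ZONE $arg"
    if [ "$1" = apply ] && command -v firewall-cmd >/dev/null 2>&1; then
      firewall-cmd --permanent --zone="$ZONE" "$arg"
    fi
  done
  if [ "$1" = apply ] && command -v firewall-cmd >/dev/null 2>&1; then
    firewall-cmd --reload
    firewall-cmd --zone="$ZONE" --list-services
    firewall-cmd --zone="$ZONE" --list-ports
  fi
}

# Dry run by default: prints the plan without touching the firewall.
apply_ftp_rules "${1:-dry-run}"
```

Run it once without arguments to see which path the host takes, then with `apply` (as root) to commit. The closing `--list-services` / `--list-ports` output is the check worth keeping: it shows what the public zone really exposes after the reload, rather than what you intended to open.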

Found this fix useful? Let us know in comments.
