Exploring the Mac OS X Firewall
Subject:   ftp rules?
Date:   2005-05-06 02:54:25
From:   gsyoungblood
Response to: ftp rules?

The problem is quite simple. The FTP Access firewall rules only support Active FTP, not Passive. At least that is what it appears to be. For a pretty reasonable description and comparison of Active and Passive FTP, see Active FTP vs. Passive FTP, a Definitive Explanation.

The short version is this: Passive FTP has a second connection from the client to a specified port on the server, a port that is not port 20 or 21. For this reason, the standard firewall rules for FTP Access do not permit Passive FTP.

I did not look at the configuration options in detail for the FTP server provided by Apple, but I do not recall seeing anyplace to restrict the passive FTP ports to a set range. This is important, otherwise you are going to be opening your firewall for every port over 1024, and that's not a good idea.

In general, the goal is to open the least number of ports necessary to support what you want to run.

Here is how I solved the problem and made Passive FTP work.

First, I decided to use a different FTP server. I decided to try PureFTPd Manager. After downloading and installing it, I ran it and went into Preferences. There, it lets you specify a range of ports to use for Passive FTP. Choose something you are comfortable with, for example 9900 to 9999 (for a small FTP server).

Next, go to System Preferences, and make sure FTP Access is checked in both Services and Firewall.

Finally, under Firewall, click New to add a new firewall rule. Select Other from the drop-down list, and enter the range of ports you decided to use, 9900-9999 using the previous example. Then, enter a description, such as FTP Access (Passive). When you click OK, the rule should be added and activated.

If everything is running and set up properly, Passive FTP should now be working.
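The following is an added example, not code from the post above or from PureFTPd Manager. It shows the mechanism the post relies on: in passive mode the server's 227 (PASV) or 229 (EPSV) reply tells the client which data port to connect to, and that port has to fall inside whatever range the firewall rule admits. The 9900-9999 range is the one from the post; the server replies are constructed, the 1000-port width limit in `passive_range_is_sane` is a local policy choice, and the assumption is that the PureFTPd Manager preference corresponds to pure-ftpd's passive port range setting (`PassivePortRange` / `-p first:last`).

```python
import re

# Firewall rule from the post: passive data connections are allowed only on
# 9900-9999. Port 21 (control) and port 20 (active-mode data) are already
# covered by the built-in "FTP Access" rule. Constructed values, not read
# from any live system.
PASSIVE_PORT_RANGE = (9900, 9999)

# 227 reply carries host and port as six decimal bytes; port = p1*256 + p2.
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# 229 reply (EPSV) carries only the port, as (|||port|).
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(line):
    """Return (host_or_None, port) from a PASV or EPSV reply.

    Raises ValueError for any other line or for out-of-range numbers, so a
    malformed or hostile reply never turns into a connection attempt.
    """
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            raise ValueError("byte out of range in PASV reply: %r" % line)
        return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            raise ValueError("port out of range in EPSV reply: %r" % line)
        return None, port
    raise ValueError("not a passive-mode reply: %r" % line)


def data_port_allowed(port, passive_range=PASSIVE_PORT_RANGE):
    """True if the added firewall rule would let the data connection through.
    A port outside the range is exactly what makes a directory listing hang."""
    lo, hi = passive_range
    return lo <= port <= hi


def passive_range_is_sane(passive_range, max_width=1000):
    """Reject ranges that are inverted, touch privileged ports, or amount to
    'every port over 1024' (the thing the post warns against). The width
    limit is a local policy choice, not an FTP or pure-ftpd rule."""
    lo, hi = passive_range
    if not (1024 <= lo <= hi <= 65535):
        return False
    return (hi - lo + 1) <= max_width


def audit_replies(replies, passive_range=PASSIVE_PORT_RANGE):
    """Walk server replies and report (port, allowed) for each passive reply;
    non-passive lines are skipped."""
    results = []
    for line in replies:
        try:
            _, port = parse_passive_reply(line)
        except ValueError:
            continue
        results.append((port, data_port_allowed(port, passive_range)))
    return results


# Constructed replies: three as a server restricted to 9900-9999 would send,
# one from a server still handing out an unrestricted port, one unrelated line.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,168,1,10,38,172)",   # 38*256+172 = 9900
    "229 Entering Extended Passive Mode (|||9950|)",
    "227 Entering Passive Mode (192,168,1,10,39,15)",    # 39*256+15 = 9999
    "227 Entering Passive Mode (192,168,1,10,200,100)",  # 200*256+100 = 51300
    "150 Opening data connection",                       # not a passive reply
]

if __name__ == "__main__":
    print("range %d-%d sane: %s" % (PASSIVE_PORT_RANGE + (passive_range_is_sane(PASSIVE_PORT_RANGE),)))
    for port, ok in audit_replies(SAMPLE_REPLIES):
        print("data port %5d: %s" % (port, "allowed" if ok else "blocked by firewall"))
```

The fourth constructed reply is the failure mode the post describes: the server picks a port the firewall rule does not cover, the client's data connection is dropped, and the transfer stalls even though the control channel on port 21 works. Restricting the server's passive range and opening exactly that range keeps the exposed surface to the hundred ports you chose rather than everything above 1024.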