Authorize FTP Outbound


Within the framework of a web environment I need to allow my environment under my IPFire to interrogate a server in the WAN network in FTP unfortunately it is totally impossible for me to interog the server even in telnet I find myself in timeOut and I have no log under my firewall management

Is there a particular action to perform? (I tried to deactivate the layer gateway for FTP but my problem is still present

Thanks In advance

I’m not sure if I can help, I’m still pretty new to IPfire, and I’m also not
sure what are you describing, but I will try to suggest:

Go to Web interface-Firewall-Firewall Options:
scroll down to
“Application Layer Gateways”


this sounds like a packet filter (could be those of IPFire, or another one in your network) is dropping the FTP connection.

In order to help you, cloud you please post screenshots of your IPFire’s firewall configuration here?

At this point, I do not think of the ALG causing this problem…

Thanks, and best regards,
Peter Müller

@trish thank you for the answer but unfortunately the original option is enabled and it does not all work the same

@pmueller Here are the screenshots of my outbound configuration (the rest is purely entered for static nat indeed my IPFire has several WAN address that it then redirects to the VM concerned)

Thanks, and best regards,
Maxime Calvo

Am i wrong or… also port 20 should be forwarded (and allowed) for FTP data transfers?

Does your FTP server/client use PASSIVE mode? If yes, it tends to open random ports from 1025 and above.

The traffic could be coming from source port 20.

Nice FTP servers allows to configure these ports.

I dont know if this FTP server use passive mode (its public FTP server) but i open port 20 into red interface and in the LAN VM (like picture show).

But normaly i open all port in outgoing (picture 2 in my last message)

And im still block with this configuration


just to ensure the problem is IPFire-related: Does the FTP connection work in case you allow any traffic from that client? (Please be sure to place this - temporary - rule first, so it will be applied before anything else.)

Thanks, and best regards,
Peter Müller

BTW, there are public ftp servers to test. I did not change anything in my ipfire, 151.
You can put a file in the upload dir to test the speed. cd=change dir, lcd=locally change dir.
The file is deleted after a successful upload.

login as anonymous / guest
cd upload
lcd Downloads
put assembly-language.pdf

Tried with passive mode ON

ftp> passive
Passive mode on.
ftp> put assembly-language.pdf 
local: assembly-language.pdf remote: assembly-language.pdf
227 Entering Passive Mode (90,130,70,73,107,159).
150 Ok to send data.
226 Transfer complete.
1128822 bytes sent in 2.48 secs (444.1661 kB/s)

Tried again with passive mode OFF

ftp> passive
Passive mode off.
ftp> put assembly-language.pdf 
local: assembly-language.pdf remote: assembly-language.pdf
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
1128822 bytes sent in 3.57 secs (308.8202 kB/s)


Thanks For all awnser but i test to put rules in first but nothink (server say again network is unreachable). I test all command in server without IPFire and i can connect normaly to FTP server.

My IPfFire configuration is special : I have multiple AWS server without Wan IP but the gateway of all server is IPFire so i add multiple WAN IP to IPFire to redirect all Public IP to each VM