Best way to enable passive FTP server?
galneon
July 9th, 2006, 09:02 PM
I don't even know where to begin with writing a rule to allow me to run a passive ftp server. Has anyone written a secure one? Is that even possible? Passive requires you to open just about every port in existence. I saw a thread about the same thing here from 2003, but it went unanswered :/
Frederic
July 12th, 2006, 12:55 PM
Hi,
Normally in PASV mode the client will connect to ports 20 & 21, so opening these ports and allowing incoming connections on them should work.
Usually, the problems are more in active mode.
Regards,
Frederic
StriderSkorpion
July 12th, 2006, 02:45 PM
From what I've read about passive mode and my experiences, it actually requires more ports to be open. In active mode (with an FTP client at least), the user needs to allow the server to connect back onto port 20 and the client needs to be able to access the server's port 21. With passive mode, the client needs to be able to access port 21 and the ports the server has designated for passive connections, which can be just about any port >1023. The common ports rule in the enhanced ruleset should work with passive mode. This should be safe as long as the ports aren't open for uninitiated (on your end) connections.
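Added example, not part of any post in this thread: the passive-mode port arithmetic described in the post above, in Python. It extracts the data port from the server's 227 (PASV) and 229 (EPSV) replies and checks it against an inbound allow-list; the 50000-50100 passive range, the function names and the sample replies are constructed assumptions, not values from the thread.

```python
import re

# Assumed, constructed settings: a server told to hand out passive ports
# from a narrow range so the firewall does not have to open everything >1023.
CONTROL_PORT = 21
PASV_RANGE = range(50000, 50101)  # hypothetical range, 50000..50100 inclusive

_PASV = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
_EPSV = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")

def data_port(reply):
    """Return the TCP port a 227 or 229 reply tells the client to connect to."""
    m = _PASV.match(reply)
    if m:
        nums = [int(g) for g in m.groups()]
        if any(n > 255 for n in nums):
            raise ValueError("field out of range in 227 reply")
        # The last two fields are the high and low byte of the port.
        return nums[4] * 256 + nums[5]
    m = _EPSV.match(reply)
    if m:
        port = int(m.group(2))
        if not 0 < port <= 65535:
            raise ValueError("port out of range in 229 reply")
        return port
    raise ValueError("not a passive-mode reply")

def inbound_allowed(dst_port):
    """Inbound rule for the server side: control port plus the passive range."""
    return dst_port == CONTROL_PORT or dst_port in PASV_RANGE

def audit(replies):
    """Pair each advertised data port with the rule's verdict, so a server
    that advertises ports outside the opened range is easy to spot."""
    return [(p, inbound_allowed(p)) for p in map(data_port, replies)]

# Constructed sample replies (192.0.2.10 is a documentation address).
SAMPLE = [
    "227 Entering Passive Mode (192,0,2,10,195,80)",
    "227 Entering Passive Mode (192,0,2,10,4,1)",
    "229 Entering Extended Passive Mode (|||50050|)",
]

if __name__ == "__main__":
    for port, ok in audit(SAMPLE):
        print(port, "allowed" if ok else "blocked: outside passive range")
```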
Phant0m
July 16th, 2006, 09:01 AM
As has been mentioned, no additional rules are required for PASSIVE FTP unless the user made changes to the rule ‘TCP : Authorize most common Internet services’ in EnhancedRulesSet.
Copyright ©2002 - 2012, Wilders Security Forums