FAQ
Q: Why is the PORT command neither supported nor planned?
A: The PORT command, a.k.a. "active FTP", instructs the server to connect to a specific port on the client machine and use that port for data transfers. This was a great idea about 20 years ago (when FTP was invented), but with the arrival of NAT and firewalls the server can no longer be guaranteed a direct connection to the client.
Instead, the PASV ("passive") command is used. The difference is that the client connects to the server, and the server thereby gets its data connection to the client. PASV, together with port forwarding of known ports (specified in iftpd.conf), enables one to put the server behind several firewalls and still be able to serve files.
Also, PORT is a security risk. See "PASV security and PORT security".
Tips
iFTPd behind a firewall
If you have a hardware firewall, check what ports iFTPd uses in iftpd.conf and open those ports.
If you have an iptables firewall, issue the following commands:
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20001:20100 -j ACCEPT
iFTPd behind a NAT (port forwarding help)
You have a Linux-based firewall machine and iFTPd is running on another machine in the network. You need to forward iFTPd commands to the iFTPd machine (say 192.168.0.2).
Using iptables, issue the following commands:
iptables -t nat -A PREROUTING -d $EXTERNAL_IP -p tcp --dport 21 -j DNAT --to 192.168.0.2:20000
iptables -t nat -A PREROUTING -d $EXTERNAL_IP -p tcp --dport 20001:20100 -j DNAT --to 192.168.0.2
Edit iftpd.conf and change the "pasvip" setting to the IP or hostname of the iptables machine.
If this doesn't work, you might want to check that iptables -t nat -P PREROUTING ACCEPT is issued.
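A quick way to confirm the "pasvip" setting and the forwarded range line up is to check the 227 reply a client receives from outside the NAT. The function below is an added example, not part of iFTPd; the name check_pasv, the return codes and the sample reply are assumptions made here, and the expected address must be given as an IP literal.

```shell
# check_pasv REPLY EXPECTED_IP LOW HIGH
# REPLY is the server's answer to PASV, e.g. copied from a client debug log.
# Returns 0 = matches the NAT setup, 1 = not a valid 227 reply,
#         2 = advertised IP differs from EXPECTED_IP (pasvip not set?),
#         3 = advertised port is outside the forwarded LOW..HIGH range.
check_pasv() {
    reply=$1 expected_ip=$2 low=$3 high=$4

    # Extract "h1,h2,h3,h4,p1,p2" from the parentheses. Numbers with
    # leading zeros are rejected so they are never read as octal.
    n='(0|[1-9][0-9]{0,2})'
    tuple=$(printf '%s\n' "$reply" |
        sed -nE "s/^227 [^(]*\(($n(,$n){5})\).*\$/\1/p")
    [ -n "$tuple" ] || return 1

    # Split the tuple on commas into $1..$6.
    old_ifs=$IFS; IFS=,
    set -- $tuple
    IFS=$old_ifs

    for field in "$@"; do
        [ "$field" -le 255 ] || return 1
    done

    ip="$1.$2.$3.$4"
    port=$(( $5 * 256 + $6 ))    # RFC 959: port = p1*256 + p2

    # An internal address here (e.g. 192.168.0.2) means clients outside
    # the NAT will try to open the data connection to an unroutable host.
    [ "$ip" = "$expected_ip" ] || return 2

    # A port outside the range has no DNAT rule and will be dropped.
    if [ "$port" -lt "$low" ] || [ "$port" -gt "$high" ]; then
        return 3
    fi
    return 0
}

# Constructed sample reply; 203.0.113.10 stands in for $EXTERNAL_IP.
SAMPLE='227 Entering Passive Mode (203,0,113,10,78,52)'
check_pasv "$SAMPLE" 203.0.113.10 20001 20100 && echo "PASV reply matches NAT setup"
```

Return code 2 is the usual sign that "pasvip" still points at the internal address; return code 3 means the passive range in iftpd.conf and the DNAT rule disagree.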
iFTPd displays question marks in the file names
export LC_CTYPE=en_US
Why does the file conf/JAVA_HOME exist?
The author's Gentoo system has a terrible time accepting changes to the /etc/profile file, and adding Java releases to the system is a pain in the ass, so he figured that instead of trying to make Gentoo do as he says, he can just put the JAVA_HOME variable somewhere, but because he hates changing system-wide variables at all, why not make the variable local?
Local as in "a file which contains the path to the Java JRE which isn't overwritten all the time". So he put the path in a file in the conf directory, which can easily be transferred between iFTPd upgrades and installations.
What is the state of SSL?
Since v1.5 iFTPd supports SSL/TLS encryption of both the command and data channels. It is enabled per default, but not enforced. The reason is that clients need to be told to use another FTP protocol (FTPS/explicit TLS) and this could confuse existing users.
For maximum security, force the command and data channels to be encrypted. See the
Per-user X509 certification will probably be added in the future sometime, but as of right now SSL/TLS should be enough to keep prying eyes out of your FTP sessions.
