Connection tracking in Firewalld (e.g. CentOS 7)

Tags: centos7, fedora, firewalld, rhel7

I can't get vsftpd and firewalld to work together properly on CentOS 7 (without adding the passive range to the firewalld). Looks like firewalld ignores connection tracking (nf_conntrack_ftp is loaded but has 0 users). Is it correct that firewalld doesn't yet support connection tracking as suggested here?

In firewalld I have enabled the ftp service, but while I can log in and list, I cannot upload files unless I stop the firewall or add an explicit passive range.

Firewalld command:

firewall-cmd --permanent --add-service=ftp

Resultant iptables rule:

-A IN_public_allow -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT

Connection tracking module:

# lsmod | grep conntrack_ftp
nf_conntrack_ftp 18638 0

Best Answer

I had the same problem using CentOS 8 and vsftpd. As mentioned in another post, you have to load the kernel module "nf_conntrack_ftp" (which was already the case in CentOS 8) and enable "nf_conntrack_helper" in the kernel settings:

echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper

Add this line to /etc/sysctl.conf (or /etc/sysctl.d/10-nf_conntrack_helper.conf when /etc/sysctl.d/ is present) for a reboot-persistent setting:

net.netfilter.nf_conntrack_helper=1
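Editor's added example (not part of the question or the answer above). The "Used by 0" the asker saw is the expected state on any kernel from 4.7 on: nf_conntrack_ftp is loaded, but nothing attaches it to a flow, because automatic helper assignment (net.netfilter.nf_conntrack_helper) was switched off by default for security reasons. Helpers parse untrusted payload, and automatic assignment attaches them to every connection on the port no matter which interface or zone it arrived on. The answer's sysctl re-enables that global behaviour; the upstream-recommended alternative is to assign the helper explicitly with the CT target in the raw table, which firewalld exposes through its direct interface, and to let firewalld's existing `--ctstate RELATED,ESTABLISHED -j ACCEPT` rule admit the passive data connection once the helper marks it RELATED. The script below classifies which of the three states a host is in and prints the matching fix. The lsmod and `iptables -t raw -S` samples are constructed to look like the asker's output; the detection assumes firewalld's iptables backend (as on CentOS 7), since an nftables-native `ct helper set` rule would not appear in `iptables -t raw -S`.

```shell
#!/usr/bin/env bash
# Added diagnostic for the vsftpd/firewalld passive-mode problem.
# Not part of the original question or answer.
#
# Whether the ftp helper is attached to flows depends on three things:
#   1. nf_conntrack_ftp loaded at all (lsmod)
#   2. an explicit raw-table rule "-j CT --helper ftp" (preferred)
#   3. the legacy sysctl net.netfilter.nf_conntrack_helper=1 (automatic)
# Since Linux 4.7, (3) is off by default, so a loaded module with neither
# (2) nor (3) shows "Used by 0" and the data channel is never RELATED.

# Constructed samples shaped like the asker's output (not captured data).
SAMPLE_LSMOD='nf_conntrack_ftp       18638  0
nf_conntrack          133053  5 nf_nat,xt_conntrack,nf_conntrack_ftp,nf_conntrack_ipv4'
SAMPLE_RAW_NONE='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT'
SAMPLE_RAW_CT='-P PREROUTING ACCEPT
-A PREROUTING_direct -p tcp -m tcp --dport 21 -j CT --helper ftp'

# diagnose_ftp_helper LSMOD_OUTPUT HELPER_SYSCTL RAW_TABLE_RULES
# Prints one of: module-missing | explicit-helper | automatic-helper | helper-unused
diagnose_ftp_helper() {
  local lsmod_out=$1 helper_sysctl=$2 raw_rules=$3
  if ! printf '%s\n' "$lsmod_out" | grep -q '^nf_conntrack_ftp[[:space:]]'; then
    echo module-missing; return 0
  fi
  # Any CT rule naming the ftp helper, in PREROUTING or firewalld's PREROUTING_direct
  if printf '%s\n' "$raw_rules" | grep -q -- '-j CT --helper ftp'; then
    echo explicit-helper; return 0
  fi
  if [ "$helper_sysctl" = 1 ]; then
    echo automatic-helper; return 0
  fi
  echo helper-unused
}

# ftp_helper_fix VERDICT  -> the commands to run for that verdict
ftp_helper_fix() {
  case $1 in
    module-missing)
      echo 'modprobe nf_conntrack_ftp'
      echo 'echo nf_conntrack_ftp > /etc/modules-load.d/ftp-helper.conf' ;;
    helper-unused|automatic-helper)
      # Explicit assignment: only port-21 flows matched here get the helper,
      # and automatic assignment can stay (or go back to) off globally.
      echo 'firewall-cmd --permanent --direct --add-rule ipv4 raw PREROUTING 0 -p tcp --dport 21 -j CT --helper ftp'
      echo 'firewall-cmd --permanent --direct --add-rule ipv6 raw PREROUTING 0 -p tcp --dport 21 -j CT --helper ftp'
      echo 'firewall-cmd --reload'
      echo 'sysctl -w net.netfilter.nf_conntrack_helper=0   # and drop any =1 line from sysctl.d' ;;
    explicit-helper)
      echo '# nothing to do; verify with: conntrack -L -p tcp --dport 21   (look for helper=ftp)' ;;
  esac
}

# Live mode (run as root): ./ftp_helper_check.sh --live
if [ "${1:-}" = "--live" ]; then
  verdict=$(diagnose_ftp_helper "$(lsmod)" \
            "$(cat /proc/sys/net/netfilter/nf_conntrack_helper 2>/dev/null)" \
            "$(iptables -t raw -S 2>/dev/null)")
  echo "verdict: $verdict"
  ftp_helper_fix "$verdict"
fi
```

After the direct rule is loaded, `lsmod | grep conntrack_ftp` shows a non-zero "Used by" count (the CT target holds a reference on the helper module), which is the quick check the asker was already looking at, and `conntrack -L` lists port-21 flows with `helper=ftp`. Newer firewalld releases ship helper definitions (`firewall-cmd --get-helpers`) and may assign the helper for the ftp service on their own, so check `iptables -t raw -S` before adding a rule of your own.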