FTP
FreeNAS® uses the proftpd FTP server to provide FTP services. Once the FTP service is configured and started, clients can browse and download data using a web browser or FTP client software. The advantage of FTP is that easy-to-use cross-platform utilities are available to manage uploads to and downloads from the FreeNAS® system. The disadvantage of FTP is that it is considered to be an insecure protocol, meaning that it should not be used to transfer sensitive files. If you are concerned about sensitive data, see the section on Encrypting FTP.
This section provides an overview of the FTP configuration options. It then provides examples for configuring anonymous FTP, specified user access within a chroot environment, encrypting FTP connections, and troubleshooting tips.
Configuring FTP
Figure 8.6a shows the configuration screen for Services → FTP. Some settings are only available in Advanced Mode. To see these settings, either click the Advanced Mode button or configure the system to always display these settings by checking the box “Show advanced fields by default” in System → Settings → Advanced.
Figure 8.6a: Configuring FTP
Table 8.6a summarizes the available options when configuring the FTP server:
Table 8.6a: FTP Configuration Options
| Setting | Value | Description |
| Port | integer | port to use for connection requests |
| Clients | integer | maximum number of simultaneous clients |
| Connections | integer | maximum number of connections per IP address where 0 means unlimited |
| Login Attempts | integer | maximum number of attempts before client is disconnected; increase this if users are prone to typos |
| Timeout | integer | maximum client idle time in seconds before client is disconnected |
| Allow Root Login | checkbox | discouraged as increases security risk |
| Allow Anonymous Login | checkbox | allows anyone to browse the data |
| Path | browse button | root directory of FTP server must point to the volume/dataset being shared or connections will fail |
| Allow Local User Login | checkbox | required if Anonymous Login is disabled |
| Banner | string | message users see when they access the FTP server; if left empty it will show the version of proftpd |
| File Permission | checkboxes | only available in Advanced Mode; sets default permissions for newly created files |
| Directory Permission | checkboxes | only available in Advanced Mode; sets default permissions for newly created directories |
| Enable FXP | checkbox | only available in Advanced Mode; discouraged as vulnerable to FTP bounce attacks |
| Allow Transfer Resumption | checkbox | if transfer is interrupted, server will resume transfer at last known point |
| Always Chroot | checkbox | forces users to stay in their home directory (always true for Anonymous Login) |
| Require IDENT Authentication | checkbox | only available in Advanced Mode; will result in timeouts if the identd service is not running on the client |
| Require Reverse DNS for IP | checkbox | will result in timeouts if there isn't a DNS record for the client's hostname |
| Masquerade address | string | IP address or hostname; set if FTP clients can not connect through a NAT device |
| Minimum passive port | integer | only available in Advanced Mode; to be used by clients in PASV mode, default of 0 means any port above 1023 |
| Maximum passive port | integer | only available in Advanced Mode; to be used by clients in PASV mode, default of 0 means any port above 1023 |
| Local user upload bandwidth | integer | only available in Advanced Mode; in KB/s, default of 0 means unlimited |
| Local user download bandwidth | integer | only available in Advanced Mode; in KB/s, default of 0 means unlimited |
| Anonymous user upload bandwidth | integer | only available in Advanced Mode; in KB/s, default of 0 means unlimited |
| Anonymous user download bandwidth | integer | only available in Advanced Mode; in KB/s, default of 0 means unlimited |
| Enable SSL/TLS | checkbox | enables encrypted connections; a certificate will automatically be generated and will appear in the "Certificate and private key" box once you click OK |
| Certificate and private key | string | the SSL certificate and private key to be used for encrypting FTP connections |
| Auxiliary parameters | string | only available in Advanced Mode; additional proftpd(8) parameters not covered elsewhere in this screen |
The following example demonstrates the auxiliary parameters that will prevent all users from performing the FTP DELETE command:
<Limit DELE>
  DenyAll
</Limit>
Anonymous FTP
Anonymous FTP may be appropriate for a small network where the FreeNAS® system is not accessible from the Internet and everyone in your internal network needs easy access to the stored data. Anonymous FTP does not require you to create a user account for every user. In addition, passwords are not required so you don't have to manage changed passwords on the FreeNAS® system.
To configure anonymous FTP:
1. Give the built-in ftp user account permissions to the volume/dataset to be shared in Storage → Volumes as follows:
- Owner(user): select the ftp user in the drop-down menu
- Owner(group): select the ftp group
- Mode: review that the permissions are appropriate for the share
NOTE: for FTP, the type of client does not matter when it comes to the type of ACL. This means that you always use Unix ACLs, even if Windows clients will be accessing FreeNAS® via FTP.
2. Configure anonymous FTP in Services → FTP by setting the following attributes:
- check the box Allow Anonymous Login
- Path: browse to the volume/dataset/directory to be shared
3. Start the FTP service in Control Services. Click the red OFF button next to FTP. After a second or so, it will change to a blue ON, indicating that the service has been enabled.
4. Test the connection from a client using a utility such as Filezilla.
In the example shown in Figure 8.6b, a user has input the following information into the Filezilla client:
- IP address of the FreeNAS® server: 192.168.1.113
- Username: anonymous
- Password: the email address of the user
Figure 8.6b: Connecting Using Filezilla
The messages within the client indicate that the FTP connection is successful. The user can now navigate the contents of the root folder on the remote site—this is the volume/dataset that was specified in the FTP service configuration. The user can also transfer files between the local site (their system) and the remote site (the FreeNAS® system).
Specified User Access in chroot
If you require your users to authenticate before accessing the data on the FreeNAS® system, you will need to either create a user account for each user or import existing user accounts using Active Directory or LDAP. If you then create a ZFS dataset for each user, you can chroot each user so that they are limited to the contents of their own home directory. Datasets provide the added benefit of configuring a quota so that the size of the user's home directory is limited to the size of the quota.
To configure this scenario:
1. Create a ZFS dataset for each user in Storage → Volumes. Click an existing ZFS volume → Create ZFS Dataset and set an appropriate quota for each dataset. Repeat this process to create a dataset for every user that will need access to the FTP service.
2. If you are not using AD or LDAP, create a user account for each user in Account → Users → Add User. For each user, browse to the dataset created for that user in the Home Directory field. Repeat this process to create a user account for every user that will need access to the FTP service, making sure to assign each user their own dataset.
3. Set the permissions for each dataset in Storage → Volumes → View Volumes. Click the Change Permissions button for a dataset to assign a user account as Owner of that dataset and to set the desired permissions for that user. Repeat for each dataset.
NOTE: for FTP, the type of client does not matter when it comes to the type of ACL. This means that you always use Unix ACLs, even if Windows clients will be accessing FreeNAS® via FTP.
4. Configure FTP in Services → FTP with the following attributes:
- Path: browse to the parent volume containing the datasets
- make sure the boxes for Allow Anonymous Login and Allow Root Login are unchecked
- check the box Allow Local User Login
- check the box Always Chroot
5. Start the FTP service in Control Services. Click the red OFF button next to FTP. After a second or so, it will change to a blue ON, indicating that the service has been enabled.
6. Test the connection from a client using a utility such as Filezilla.
To test this configuration in Filezilla, use the IP address of the FreeNAS® system, the Username of a user that has been associated with a dataset, and the Password for that user. The messages should indicate that the authorization and the FTP connection are successful. The user can now navigate the contents of the root folder on the remote site—this time it is not the entire volume but the dataset that was created for that user. The user should be able to transfer files between the local site (their system) and the remote site (their dataset on the FreeNAS® system).
Encrypting FTP
To configure any FTP scenario to use encrypted connections:
1. Enable SSL/TLS in Services → FTP. Check the box Enable SSL/TLS. Once you press OK, a certificate and key will automatically be generated for you and proftpd will restart and be configured to use that certificate. If you prefer to use your own certificate, delete the automatically generated one that appears in the "Certificate and private key" field and paste in your own certificate and key.
2. Train your users to specify secure FTP when accessing the FreeNAS® system. For example, in Filezilla input ftps://IP_address (for an implicit connection) or ftpes://IP_address (for an explicit connection) as the Host when connecting. The first time a user connects over an encrypted connection, they should be presented with the certificate of the FreeNAS® system. Click OK to accept the certificate and negotiate an encrypted connection.
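As an added example (not part of the FreeNAS® documentation or code), the following Python script audits proftpd configuration text for the settings that Table 8.6a and the sections above single out: root login, FXP, anonymous access, chroot and SSL/TLS. The mapping of the GUI options to the proftpd directives RootLogin, AllowForeignAddress, DefaultRoot, TLSEngine and TLSRequired is an assumption, and both sample configurations are constructed.

```python
import re

# Constructed sample configurations (not taken from a real system).
WEAK_CONF = """\
Port 21
MaxLoginAttempts 3
RootLogin on
AllowForeignAddress on
<Anonymous /mnt/tank/ftp>
  User ftp
</Anonymous>
<Limit DELE>
  DenyAll
</Limit>
"""
HARDENED_CONF = """\
Port 21
RootLogin off
AllowForeignAddress off
DefaultRoot ~
TLSEngine on
TLSRequired on
"""

def parse_directives(text):
    """Map lower-cased directive or <Section> name to the list of its argument strings."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "</")):
            continue  # skip blanks, comments and section closers
        m = re.match(r"<?(\w+)\s*(.*?)>?$", line)
        if m:
            found.setdefault(m.group(1).lower(), []).append(m.group(2))
    return found

def audit(text):
    """Return finding IDs for settings that widen access or leave traffic unencrypted."""
    d = parse_directives(text)
    on = lambda name: any(v.lower() == "on" for v in d.get(name, []))
    checks = [
        ("root-login", on("rootlogin")),            # Allow Root Login (assumed mapping)
        ("fxp-bounce", on("allowforeignaddress")),  # Enable FXP (assumed mapping)
        ("anonymous", "anonymous" in d),            # Allow Anonymous Login
        ("no-chroot", "defaultroot" not in d),      # Always Chroot unchecked
        ("no-tls", not on("tlsengine")),            # Enable SSL/TLS unchecked
        # TLS offered but not enforced: plain-text logins are still accepted
        ("tls-optional", on("tlsengine") and not on("tlsrequired")),
    ]
    return [name for name, hit in checks if hit]

if __name__ == "__main__":
    print("weak:    ", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
```

Run it against the configuration proftpd is actually using to confirm that the settings chosen in the GUI took effect.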
Troubleshooting
The FTP service will not start if it can not resolve the system's hostname to an IP address using DNS. To see if the FTP service is running, open Shell and issue the command:
sockstat -4p 21
If there is nothing listening on port 21, proftpd isn't running. To see the error message that occurs when FreeNAS® tries to start the FTP service, go to System → Settings → Advanced, check the box “Show console messages in the footer” and click Save. Next, go to Services → Control Services and switch the FTP service off then back on in the GUI. Watch the console messages at the bottom of the browser for errors.
If the error refers to DNS, either create an entry in your local DNS server with the FreeNAS® system's hostname and IP address or add an entry for the IP address of the FreeNAS® system in the "Host name database" field of Network → Global Configuration.

