It is important when using an SPI firewall to ensure FTP client applications are configured to use Passive (PASV) mode connections to the server.
On servers running Monolithic kernels (e.g. VPS Virtuozzo/OpenVZ and custom built kernels) ip_conntrack and ip_conntrack_ftp iptables kernel modules may not be available or fully functional. If this happens, FTP passive mode (PASV) won't work. In such circumstances you will have to open a hole in your firewall and configure the FTP server to use that same hole.
For example, with proftpd you could add the port range 30000:35000 to TCP_IN
in /etc/csf/csf.conf
and add the following line to /etc/proftpd.conf
:
PassivePorts 30000 35000
Restart Proftpd:
service xinetd restart
FTP over SSL/TLS will usually fail when using an SPI firewall. This is because of the way the FTP protocol established a connection between client and server. iptables fails to establish a related connection when using FTP over SSL because the FTP control connection is encrypted and so cannot track the relationship between the connection and the allocation of an ephemeral port.
If you need to use FTP over SSL, you will have to open up a passive port block in both CSF and your FTP server configuration (see above).