CloudVPS Objectstore FTP proxy firewall rules for CSF

January 1, 2017

Until recently CloudVPS ran a single Objectstore FTP proxy at ftp.objectstore.eu, so only ports 20 and 21 to that one host had to be opened in the firewall. As the load on that proxy kept growing, CloudVPS upgraded the platform to (currently) four FTP backend servers, and ftp.objectstore.eu became a load balancer. Your server now connects to ftp.objectstore.eu and is handed off to one of the backend servers, which handles the rest of the session. Because the data connection goes to a different destination than the control connection, connection tracking no longer recognises it as related traffic, so outbound traffic to the backend servers has to be allowed explicitly.

CloudVPS has added the DNS record “ftp-data.objectstore.eu”, which resolves to the IP addresses of all FTP backend servers.

To keep the firewall rules as tight as possible, configure the following in CSF:

  • Set DYNDNS in /etc/csf/csf.conf to a value greater than 0. The value is in seconds: “43200” makes CSF re-resolve the entries in csf.dyndns every 12 hours. If the backend IP addresses change, your server only picks that up at the next refresh, so transfers to a new backend can fail for up to 12 hours; use a lower value if you use FTP more often than daily.
  • Add the following line to /etc/csf/csf.dyndns:

tcp|out|d=30000:39000|d=ftp-data.objectstore.eu

This line allows outbound TCP to ports 30000 through 39000 (the data port range CloudVPS configured on its FTP servers) for the destination ftp-data.objectstore.eu, which CSF resolves to the IP addresses of the FTP backend servers. Restart CSF afterwards with csf -r so the new entry is resolved and loaded into the ruleset.
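As an added example (not CloudVPS's or CSF's own code) of the check a practitioner would want after setting this up: CSF only re-resolves csf.dyndns every DYNDNS seconds, so the script below compares what ftp-data.objectstore.eu currently resolves to against the outbound ACCEPT rules in the running iptables ruleset and reports any backend address that is not yet allowed. It assumes the rule shape that iptables -S prints for a per-host allow (-d ADDRESS/32 ... --dport 30000:39000 -j ACCEPT); the chain name ALLOWOUT in the comment and the 203.0.113.x addresses are illustrative, not CloudVPS's real backends, which come from DNS.

```shell
#!/bin/sh
# Added example, not CloudVPS's or CSF's own code.
# Checks that every address ftp-data.objectstore.eu resolves to right now is
# covered by an outbound ACCEPT rule for the FTP data port range. CSF only
# re-resolves /etc/csf/csf.dyndns every DYNDNS seconds, so a backend added
# in between is blocked until the next refresh; this script finds that gap.

DATA_HOST="ftp-data.objectstore.eu"
DATA_PORTS="30000:39000"

# Print the IPv4 addresses $1 currently resolves to, one per line.
# Live DNS lookup; offline tests feed constructed addresses instead.
resolve_host() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Read `iptables -S` output on stdin and print every destination address
# that has an ACCEPT rule for $DATA_PORTS. Assumed rule shape (chain name
# and address are illustrative):
#   -A ALLOWOUT -d 203.0.113.10/32 -p tcp -m tcp --dport 30000:39000 -j ACCEPT
allowed_dests() {
    grep -- "--dports\{0,1\} $DATA_PORTS" | grep -- '-j ACCEPT' \
        | sed -n 's/.*-d \([0-9][0-9.]*\).*/\1/p' | sort -u
}

# missing_allows "<resolved addresses>" "<iptables -S output>"
# Prints each resolved address that has no matching ACCEPT rule.
# Returns 0 when every backend is allowed, 1 otherwise.
missing_allows() {
    resolved=$1
    allowed=$(printf '%s\n' "$2" | allowed_dests)
    rc=0
    for ip in $resolved; do
        if ! printf '%s\n' "$allowed" | grep -qxF "$ip"; then
            echo "$ip"
            rc=1
        fi
    done
    return $rc
}

# Live check against DNS and the running firewall (needs root for iptables).
check_live() {
    missing_allows "$(resolve_host "$DATA_HOST")" "$(iptables -S)"
}
```

Run check_live from cron at a shorter interval than DYNDNS. A non-empty result means a data connection to that backend would currently be dropped by your outbound rules; csf -r forces an immediate re-resolution of csf.dyndns.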
