Protecting an FTP server using either a Reverse Proxy or GRE/IPIP Tunnel

A special port type of "FTP" is available in the Dashboard to facilitate the forwarding of FTP connections to your backend server.

Passive Transfer Forwarding

Nothing special is required to forward passive connections; the "FTP" port type forwards them by default. If you are behind a NAT, ensure that your FTP server is set up to correctly masquerade your public IP address. This IP address must exactly match the IP given to us as your backend server. On ProFTPd servers it can be set via the MasqueradeAddress directive. For GRE/IPIP tunneled servers, this means the public IP or masqueraded IP must be the internal IP on your end of the tunnel.

We recommend setting the Passive Port range to an exceptionally small range in the high port range (e.g. 55,000 - 65,000).
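
To confirm the masquerade address and passive port range described above, the following added example (not part of the original article or of any provider tooling) parses the server's 227 reply to PASV and compares it with the backend IP and port range. The function names, the sample replies and the 203.0.113.10 address are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 PASV reply carries the data endpoint as (h1,h2,h3,h4,p1,p2).
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv_reply(reply):
    """Return (ip, port) advertised in a 227 reply, or raise ValueError."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("no host/port tuple in reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in reply: %r" % reply)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]  # high byte first, then low byte
    return ip, port

def check_pasv_reply(reply, backend_ip, port_min, port_max):
    """List the ways a PASV reply disagrees with the configured backend."""
    ip, port = parse_pasv_reply(reply)
    problems = []
    if ip != ipaddress.IPv4Address(backend_ip):
        problems.append("advertised IP %s does not match backend IP %s" % (ip, backend_ip))
    if not port_min <= port <= port_max:
        problems.append("port %d is outside passive range %d-%d" % (port, port_min, port_max))
    return problems

# Constructed sample replies (documentation addresses, not real captures).
SAMPLES = {
    "masqueraded": "227 Entering Passive Mode (203,0,113,10,234,96).",
    "leaks private IP": "227 Entering Passive Mode (192,168,1,20,234,96).",
    "port out of range": "227 Entering Passive Mode (203,0,113,10,78,32).",
}

if __name__ == "__main__":
    # Assumed setup: backend IP 203.0.113.10, passive range 55000-65000.
    for name, reply in SAMPLES.items():
        issues = check_pasv_reply(reply, "203.0.113.10", 55000, 65000)
        print(name, "->", issues or "OK")
```

To check a live server, paste the 227 line shown in your FTP client's log after it issues PASV against the backend directly.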

Active Transfer Forwarding

If you are protecting your server via the Reverse Proxy backend method, it will not be possible to connect to the server using the "Active" transfer mode. This should not be a major issue, as "Passive" is the default and preferred method in most clients. On the server side, the Active transfer mode can usually be disabled.

For example, with ProFTPd, add this to your proftpd.conf to disable Active mode:

<Limit PORT>