I suggest you use what comes with OSX, namely sftp/scp, included with every OSX since the age of dawn.
Enable SSH in Sharing (Remote Login), configure which users have access, and then try to use sftp from the Terminal (if you are familiar with it). Try
man sftp
to see the help.
DESCRIPTION
sftp is an interactive file transfer program, similar to ftp(1), which
performs all operations over an encrypted ssh(1) transport.
You have the benefits of "ftp-like" plus everything is encrypted.
If you still want to go ahead and use ftp, I suggest you take a look at the ftpd conf files, located in /etc/ftpd.conf and /etc/ftpusers.
In any case, take a look at the man page for ftpd.conf and ftpusers:
man ftpd.conf
man ftpusers
…to see other options you can add there (because the default one will be most likely empty or with little things in it).
There's no pretty program to configure FTP on OSX (there is on the Server version as far as I can remember).
Please note that FTP is not a very secure protocol by default and hence it should be running inside a chroot. (hint: man ftpchroot).
OS X actually has (at least) 3 firewalls. Since you've turned off the application firewall (in System Preferences -> Security & Privacy -> Firewall) and checked the Berkeley packet filter (pfctl -sa), I'm guessing it's the old ipfw that's doing the blocking. You can check with sudo ipfw show -- that'll list the active rules, along with counts of how many packets and bytes each one has applied to:
$ sudo ipfw show
01000 19228642 23229993542 allow ip from any to any via lo0
01010 0 0 deny ip from any to 127.0.0.0/8
[etc...]
65534 23505 3467352 deny ip from any to any
65535 0 0 allow ip from any to any
If your listing only shows rule #65535 (the allow rule at the end), my guess is wrong and you have to look elsewhere. If it does show other rules, you probably have a third-party firewall config program installed somewhere (I don't think the Apple-supplied ipfw config software is still there in 10.8); take a look in /Library/StartupItems and /Library/LaunchDaemons for things that might be relevant.
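The reading of the ipfw listing described in the answer above, as an added example that is not part of the original answer: it reports whether only the default rule #65535 is present and which blocking rules have actually matched packets. The function names and sample_listing are hypothetical; the sample text is the listing quoted in the answer.

```shell
#!/bin/sh
# Added example, not from the original answer.
# Input format (from `ipfw show`): <rule#> <packets> <bytes> <action> <rest...>
# Real use (assumption: ipfw is present on the machine):
#   sudo ipfw show | ipfw_hit_denies

# Print blocking rules that have matched at least one packet, busiest first.
# Lines whose first two fields are not numbers (prompt, "[etc...]") are skipped.
ipfw_hit_denies() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $2 > 0 &&
         ($4 == "deny" || $4 == "drop" || $4 == "reject" ||
          $4 == "reset" || $4 == "unreach") { print }' |
        sort -k2,2nr
}

# Exit status 0 when the listing contains only the default rule 65535,
# i.e. ipfw is not what is doing the blocking; 1 otherwise.
ipfw_only_default() {
    awk '$1 ~ /^[0-9]+$/ { n++; if ($1 + 0 != 65535) other = 1 }
         END { exit (n > 0 && !other) ? 0 : 1 }'
}

# Sample input: the listing quoted in the answer, including its elided part.
sample_listing() {
    cat <<'EOF'
$ sudo ipfw show
01000 19228642 23229993542 allow ip from any to any via lo0
01010 0 0 deny ip from any to 127.0.0.0/8
[etc...]
65534 23505 3467352 deny ip from any to any
65535 0 0 allow ip from any to any
EOF
}

# Demonstration on the sample listing.
if sample_listing | ipfw_only_default; then
    echo "Only the default allow rule is loaded; look elsewhere."
else
    echo "Blocking rules with hits (rule packets bytes action ...):"
    sample_listing | ipfw_hit_denies
fi
```

A rule with a zero packet count, such as 01010 in the sample, is loaded but has not blocked anything yet, so it is left out of the report.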
Best Answer
The only sure solution I know of for this is to configure VPN on the server then lock down port 5900 on the WAN interface. That will kill the attempts for screen sharing from the public side but allow it when you VPN into the server.
If the port is open on the public-facing WAN side, you can be sure that the port-scanners are going to find it and attempt getting in.