If you have an FTP server or any other server that you want to make available to internet users, just place the server in DMZ zone of your firewall e.g. Huawei USG and configure a destination NAT. You can then easly restrict IP addresses and protocols that can access your server. And this video is just about that 😉
USG firewall configuration script:
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.0.100.1 255.255.255.252
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 5.0.0.2 255.255.255.252
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 5.0.0.1
#
firewall detect ftp
#
nat server 0 protocol tcp global 6.6.6.1 ftp inside 10.0.100.2 ftp unr-route
#
nat address-group PUBLIC_OUT 2
mode no-pat global
route enable
section 0 6.6.6.1 6.6.6.1
#
security-policy
rule name PUBLIC_OUT
source-zone dmz
destination-zone untrust
source-address 10.0.100.0 mask 255.255.255.252
action permit
rule name PUBLIC_IN
source-zone untrust
destination-zone dmz
source-address 1.1.1.1 mask 255.255.255.255
destination-address 10.0.100.0 mask 255.255.255.252
action permit
#
nat-policy
rule name PUBLIC_OUT
source-zone dmz
destination-zone untrust
source-address 10.0.100.0 mask 255.255.255.252
action source-nat address-group PUBLIC_OUT