Sunday, January 16, 2011

How do I configure Windows Firewall for FTP Server

What ports do I need to open for me to be able to access Windows FTP server (running on Server 2008) for both active and passive FTP? Opening 21 on its own is not enough.

  • Depends on if you're using Active or Passive ftp. Here's the chart from this site which has a great explanation of the differences from a port perspective:

     Active FTP :
         command : client >1023 -> server 21
         data    : client >1023 <- server 20
    
     Passive FTP :
         command : client >1023 -> server 21
         data    : client >1023 -> server >1023
    

    So:

    • Active FTP - the firewall must allow incoming connections on TCP/21 and outgoing connections on TCP>1023.
    • Passive FTP - the firewall must allow incoming connections on TCP/21 and TCP>1023

    If you're going to use Passive ftp the best thing to do is to configure the ftp server to use a specific (limited) port range for the client to connect to for the data stream and then open that range on the firewall.

    Mr. Flibble : So 20, 21 and 1023 will do it? All TCP?
    squillman : 20 and 21 are fixed for Active FTP. The others are random ports greater than 1023.
    Mr. Flibble : Perfect, thanks.
    senfo : The random part is important. Most modern firewalls have special features specifically designed to handle active FTP connections.
    From squillman
  • If you used a real firewall, it would be able to look at the PASV command inside the FTP control channel (TCP/21) and open the data port accordingly. Therefore, you only need to open TCP/21 and the firewall takes care of the rest.

    Of course, the usual SOHO routers (and software FWs) won't do this for you. In this case you should stick with a defined port range (~3 ports per concurrent user) like squillman recommended.

    From PEra
  • Hi, I have a similar problem, I am hosting my ftp server on server 2008, I have opened 21,20. The strange thing is, I can access the ftp folder from command prompt, but I can't browse them with windows explorer. When I disable the firewall on the server, everything works fine, so I know the firewall is blocking something, but I cannot figure out what else I need to open.

    thanks

    From Papillon
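
Added example, not part of the original thread: a Python illustration of what PEra's answer describes, reading the 227 reply to PASV (and the client's PORT command) on the control channel to learn the data port, then checking it against a fixed passive range of the kind squillman recommends. The server address, the range 50000-50009 and the sample lines are constructed assumptions.

```python
import re

# h1,h2,h3,h4,p1,p2 as used by PORT and the 227 reply (RFC 959).
HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

# Constructed control-channel excerpt (not captured traffic).
SAMPLE = [
    "PASV",
    "227 Entering Passive Mode (192,168,1,10,195,80)",
    "227 Entering Passive Mode (192,168,1,10,234,96)",
    "PORT 192,168,1,20,4,1",
]

def parse_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 tuple, or None if malformed."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_channels(control_lines, server_ip, passive_range):
    """List (mode, ip, port, allowed) for each data connection announced."""
    low, high = passive_range
    found = []
    for line in control_lines:
        line = line.strip()
        if line.startswith("227"):               # server reply to PASV
            mode = "passive"
        elif line.upper().startswith("PORT "):   # client command, active mode
            mode = "active"
        else:
            continue
        endpoint = parse_hostport(line[4:])
        if endpoint is None:
            continue
        ip, port = endpoint
        if mode == "passive":
            # Inbound data port must be on the server and inside the opened range.
            allowed = ip == server_ip and low <= port <= high
        else:
            # Server connects out from TCP/20 to a client port above 1023.
            allowed = port > 1023
        found.append((mode, ip, port, allowed))
    return found

if __name__ == "__main__":
    # Assumed server address and passive range, chosen for this example.
    for row in data_channels(SAMPLE, "192.168.1.10", (50000, 50009)):
        print(row)
```

A passive reply whose port falls outside the opened range is exactly the connection a plain port-based firewall drops after the login on TCP/21 has already succeeded.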
