2

What ports do I need to open for me to be able to access Windows FTP server (running on Server 2008) for both active and passive FTP? Opening 21 on its own is not enough.

Mr. Flibble

3 Answers

5

Depends on if you're using Active or Passive ftp. Here's the chart from this site which has a great explanation of the differences from a port perspective:

 Active FTP :
     command : client >1023 -> server 21
     data    : client >1023 <- server 20

 Passive FTP :
     command : client >1023 -> server 21
     data    : client >1023 -> server >1023

So:

  • Active FTP - the firewall must allow incoming connections on TCP/21 and outgoing connections on TCP>1023.
  • Passive FTP - the firewall must allow incoming connections on TCP/21 and TCP>1023.

If you're going to use Passive ftp the best thing to do is to configure the ftp server to use a specific (limited) port range for the client to connect to for the data stream and then open that range on the firewall.

squillman
0

I have a similar strange problem: all the ports (21, 20, and 5500 for PASV) are open in Windows Firewall (Server 2003), yet telnet proves that even 21 is blocked when the firewall is on. Everything works fine whenever the firewall is off. And on top of that, there are certain times of the day (totally random) when it works regardless. Until it doesn't. And when it doesn't, turning off Windows Firewall fixes it. It's not the FTP server; that's not even logging an attempt to connect.

Patrick
0

If you used a real firewall, it would be able to look at the PASV command inside the FTP control channel (TCP/21) and open the data port accordingly. Therefore, you only need to open TCP/21 and the firewall takes care of the rest.

Of course, the usual SOHO routers (and software FWs) won't do this for you. In this case you should stick with a defined port range (~3 ports per concurrent user) like squillman recommended.

PEra
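The port arithmetic an FTP-aware firewall performs on the server's reply to PASV, combined with a check against a fixed passive range of the kind squillman recommends, as an added example that is not part of any answer above. The server address 192.0.2.10, the range 5500-5520, the function names and the sample control-channel lines are assumptions constructed for illustration; the address comparison goes slightly beyond the answers and flags a server advertising an address other than the one the client connected to.

```python
import re

# Six comma-separated decimal bytes (h1,h2,h3,h4,p1,p2) inside a 227 reply (RFC 959).
PASV_RE = re.compile(
    r"^227[ -].*?(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)"
)

def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or None if it is malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    # The data port is carried as two bytes: high byte first, then low byte.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def check_pasv(reply, server_ip, low, high):
    """Classify a 227 reply against the server address and the opened port range."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return "malformed"
    ip, port = parsed
    if ip != server_ip:
        return "address-mismatch"      # data connection would go to another host
    if not low <= port <= high:
        return "port-outside-range"    # firewall range does not cover this port
    return "ok"

def audit(control_lines, server_ip, low, high):
    """Return (line, verdict) for every 227 reply in a control-channel capture."""
    return [(line, check_pasv(line, server_ip, low, high))
            for line in control_lines if line.startswith("227")]

# Constructed sample of server replies seen on TCP/21 (not real traffic).
SAMPLE = [
    "220 Microsoft FTP Service",
    "227 Entering Passive Mode (192,0,2,10,21,124).",   # 21*256+124 = 5500
    "227 Entering Passive Mode (192,0,2,10,192,0).",    # 192*256+0 = 49152
    "227 Entering Passive Mode (10,0,0,5,21,125).",     # different address
]

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE, "192.0.2.10", 5500, 5520):
        print(f"{verdict:20} {line}")
```

A "port-outside-range" verdict means the server's passive range and the firewall rule disagree, which is the case where opening TCP/21 alone leaves the data connection blocked.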