FileZilla Server passive settings

FTP (File Transfer Protocol) may seem a bit old hat in the days of peer-to-peer but is still one of the most widely used transfer protocols, especially in business.

The biggest problem with FTP is that in order to create a connection both parties must be able to communicate over the same ports for both commands and data. With many users being protected by corporate firewalls, NAT and SPI (Stateful Packet Inspection) routers, it can be a tough job.

An excellent technical background on exactly what happens during the FTP process and the differences between Active and Passive FTP can be found here: http://slacksite.com/other/ftp.html

Configuring FileZilla on Windows to accept Passive FTP connections

Connect to your FileZilla server interface and click on the Passive mode settings

Passive settings for FileZilla server

Here we are telling FileZilla server to use the range of ports that we are going to open on our firewall. For my server, using Default correctly identifies the fixed IPv4 public Internet address of the server. If you have connection issues, change the radio button and manually enter your fixed IP in the box below.

Firewall ports to open for passive FTP

Here we can see the firewall rules that I have set up for FTP and FTPS.

We have the internal IP address on the LAN of our FileZilla FTP server and the protocol and port ranges that need to be opened.  FTP uses only TCP ports so you don’t need to open any UDP ports.

Configuring Windows Server Advanced firewall rules for FTP

Using the administrative command line you can specify that you want to open the following ports on your Windows Server firewall.

netsh advfirewall firewall add rule name="FTP (non-ssl)" action=allow protocol=TCP dir=in localport=21

Rather than creating a rule to open all those TCP ports (41500-65535), Windows Server is smart enough to recognise when a high-numbered port is needed for data transfer in an FTP session.

netsh advfirewall set global StatefulFtp enable

This command enables stateful FTP filtering, which stops the firewall blocking FTP data connections and allows the required ports to be opened only when needed. You can get all the details on the Windows Server advanced firewall netsh commands from Technet.

http://technet.microsoft.com/en-us/library/cc771920(WS.10).aspx

Finally, from a client machine outside your network (to simulate real user connections) connect in passive mode using FileZilla client for Windows.


Status: Connecting to 213.106.150.123:21...
Status: Connection established, waiting for welcome message...
Response: 220 Welcome
Command: USER ftp_user0157
Response: 331 Password required for ftp_user0157
Command: PASS *************
Response: 230 Logged on
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (213,106,150,123,177,45)
Command: MLSD
Response: 150 Connection accepted
Response: 226 Transfer OK
Status: Directory listing successful
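
The 227 reply in the log above carries the data address as six numbers: four address octets, then the port as high byte and low byte. The following added example (not part of the original post) decodes each 227 reply in a client log and checks it against the passive settings described on this page; the function names and the second sample log are constructed for illustration.

```python
import ipaddress
import re

# Passive port range opened on the firewall, as given on this page.
PASV_RANGE = (41500, 65535)

PASV_RE = re.compile(r"\b227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
CONNECT_RE = re.compile(r"Connecting to (\d+\.\d+\.\d+\.\d+):\d+")

def parse_pasv(line):
    """Decode a 227 reply (h1,h2,h3,h4,p1,p2) into (ip, port); None if absent."""
    m = PASV_RE.search(line)
    if m is None:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("PASV field out of range: %r" % line)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def check_log(log, port_range=PASV_RANGE):
    """Return [(ip, port, [problems])] for every 227 reply in a client log."""
    control_ip, results = None, []
    for line in log.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            control_ip = m.group(1)  # address the client dialled for commands
        parsed = parse_pasv(line)
        if parsed is None:
            continue
        ip, port = parsed
        problems = []
        if ipaddress.ip_address(ip).is_private:
            problems.append("private address advertised; set the external IP in Passive mode settings")
        elif control_ip and ip != control_ip:
            problems.append("advertised address differs from the control connection")
        if not port_range[0] <= port <= port_range[1]:
            problems.append("port outside the range opened on the firewall")
        results.append((ip, port, problems))
    return results

# Two lines taken from the session log on this page.
PAGE_LOG = """Status: Connecting to 213.106.150.123:21...
Response: 227 Entering Passive Mode (213,106,150,123,177,45)"""

# Constructed sample: a server behind NAT that advertises its LAN address.
BAD_LOG = """Status: Connecting to 213.106.150.123:21...
Response: 227 Entering Passive Mode (192,168,1,10,19,136)"""

if __name__ == "__main__":
    for name, log in (("page", PAGE_LOG), ("constructed", BAD_LOG)):
        print(name, check_log(log))
```

For the session on this page the reply decodes to port 45357, inside the 41500-65535 range; the constructed log is flagged for both a private address and an out-of-range port.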
