Ftp Passive Mode channel ports usage RRS feed

  • Question

  • Hi,

    I set up an ftp server using IIS and it works fine.
    The only thing is not working as expected is the data channel port range.
    Going to IIS Manager > Connections > server-level node tree > FTP Firewall Support and changing the default 0-0 to a specific port range (such as 5500-5550 that I manually allowed in Win Fw) I found the Windows FireWall was dropping ftp connections using random ports that were out of the range I specified (such as 51255).
    Why ftp connections were still using random ports in the Windows TCP/IP dynamic port range instead of using a random port in the range I set up?
    Now I revert back using the 0-0 in order to have ftp work.

    Additionally, since I'm now using the 0-0 I have the firewall to allow tcp connections from tcp/ip dynamic ports range which is very large...I would like to improve my firewall rule, but if I set it up to allow only from ftpsrv service it doesn't work...also there already was a rule for this which was allowing only from svchost program but it was not enough too....hints?

    Thanks in advance for clarifications

    • Edited by Fenolis Friday, October 9, 2020 1:02 PM
    Friday, October 9, 2020 9:06 AM

All replies

  • Install the OpenSSH feature and set up SFTP on your server. That way you only have to open up port 22.


    Friday, October 9, 2020 7:50 PM
  • Install the OpenSSH feature and set up SFTP on your server. That way you only have to open up port 22.


    The OpenSSH feature could be interesting but I would like to understand what am I missing in FTP configuration
    Saturday, October 10, 2020 8:08 PM
  • Any help please? 
    Tuesday, October 13, 2020 12:09 PM
  • I have a Win10 Home laptop and a Win10 Pro VM with Filezilla installed. 

    At the server level I defined ports 5550-5559.

    In the firewall I defined an inbound rule to allow the traffic.

    In the FTP logs I can see that I used FZ to connect in active mode and it used port 20. Then I switched to passive mode and it used port 5550 for the data channel.

    Is this what you are trying to do?

    Tuesday, October 13, 2020 2:36 PM
  • What I'm saying is that I defined ports range (5500-5550) like you, in "FTP Firewall Support", then in the firewall I defined an inbound rule to allow the traffic like you.
    But I was unable to connect to the ftp server using my client (I used Filezilla too) and checking the server Windows Firewall logs I found that it was dropping my connections thru ports higher than I defined (i.e. 51255).

    So I have to edit the firewall rule to allow traffic on a larger range than I expected: the range that I'm now allowing (and which is working) is the whole Windows TCP/IP dynamic port range. But I expected it was enough to allow the range I specified in IIS.

    Why is it not as I expected? Am I missing some steps or knowledges?

    Wednesday, October 14, 2020 7:27 AM
  • I have no idea. Some thoughts..... 

    Do you have the port range defined at the site level and also at the server level?

    What versions of Windows and IIS are you running? 

    Are you using passive mode because your machine is sitting behind a network firewall device? If not, why use passive?  

    Note that in the image I posted, there is a PASV command immediately before the 5550 DataChannelOpened entry. Do you see an equivalent PASV in your logs? 

    Wednesday, October 14, 2020 6:05 PM
  • As far as I know the port range can be defined at server level only.
    Win 2012 and IIS 6
    Honestly I'm no longer sure I'm using passive mode, I though it was the default mode. I just connect using FZ client and faced the problem I described above.
    I can't find PASV command in my logs and also I have now tried connecting from FZ client (thanks to the rule I set in the ftp server Windows Firewall) and then manually gave the PASV command to see what happen: it entered Passive Mode; so now I'm wondering if it was using Active Mode before...
    I have a hardware firewall in my network but at this time ftp is serving LAN clients only.

    Even if I'm not pretty sure about the active or passive mode, my question remains so...I'm still wondering why I have to allow a so large range of ports to have ftp working...and how could I improve my network security by limiting this ports to be allowed for ftp service only

    Thursday, October 15, 2020 7:18 AM
  • I'll have to boot up my desktop tomorrow and see what VM images I have. Being retired has it's privileges'. The downside is that I don't have access to the hundreds of servers that I used to be able to test with.

    As far as I know, active is the default and you have to use PASV to enter passive mode. In FZ I set this in site manager.


    If you are concerned about security, then refer to my first reply. Implement SFTP. You will only have one port to open and all traffic over the network will be encrypted. You can also use public and private keys to authenticate users which eliminates the need for passwords. 

    At my former employer, we used Bitvise and Tectia to implement SFTP. I tried Cygwin but it sucked. There was no way to really jail a user into a specific directory. I have not had a need to try to break OpenSSH so you would need to test to insure that a user can be locked into a specific folder structure and not given total access to the entire file system of the server.  

    Friday, October 16, 2020 12:00 AM
  • I have a 2012 R2 VM that I set to use ports 6660-6669. Those ports show up in the log.

    2020-10-17 00:15:41 - 21 PASV - 227 0 0 85744f52-a49e-4abb-8ee7-b4bd5e7c21fa -
    2020-10-17 00:15:41 - 6660 DataChannelOpened - - 0 0 85744f52-a49e-4abb-8ee7-b4bd5e7c21fa -
    2020-10-17 00:15:41 - 6660 DataChannelClosed - - 0 0 85744f52-a49e-4abb-8ee7-b4bd5e7c21fa -

    Saturday, October 17, 2020 12:19 AM