Passive ftp incoming through Windows firewall

Jim Helfer

I have a Windows 2003 Web edition server (Is there a specific forum
for this platform? This is as close as I could get) running an IIS ftp
site (no anonymous access) with an activated windows firewall.

I can't get "passive" ftp connections to successfully connect. I tried
adding port 21/udp to the exception list, but this didn't really help.

Is there a way to allow passive ftp connection through the windows
firewall?

Thanks
Jim Helfer
WTW Architects
Pittsburgh PA
 
Sean Cai [MSFT]

Hi,

Thank you for posting in the Microsoft newsgroup!

From your post, my understanding of this issue is: you have a problem
using passive mode ftp. If I'm off base, please feel free to let me know.

You will have problems using a passive mode ftp server with a firewall
because ephemeral ports are involved in the procedure.

Here are the articles talking about passive mode ftp server behavior:
Information About the IIS File Transmission Protocol (FTP) Service
http://support.microsoft.com/?id=283679
The File Transfer Protocol (FTP) and Your Firewall / Network Address
Translation (NAT) Router / Load-Balancing Router
http://www.ncftp.com/ncftpd/doc/misc/ftp_and_firewalls.html#PASVFirewallProblems

According to the following KB, IIS uses an ephemeral port range of 1024
through 5000:
How to configure Internet Explorer to use both the FTP PORT mode and the
FTP PASV mode in the Windows Server 2003 Family
http://support.microsoft.com/kb/323446

You can enlarge the ephemeral port range by editing the registry. However, by
default it's not possible to shrink the range. Here's an article for your
reference:
Windows TCP/IP Ephemeral, Reserved, and Blocked Port Behavior
http://www.microsoft.com/technet/community/columns/cableguy/cg1205.mspx

Though the system doesn't allow you to set a smaller range for ephemeral
ports, I think it's possible to shrink it by reserving/blocking part of the
ports.

Note: You should be very prudent with this operation, since
reserving/blocking too many ephemeral ports will cause some important
operations to fail (e.g. DNS).

Hope my reply could reach your concern.

Have a good day!

Note: This response contains a reference to a third party World Wide Web
site. Microsoft is providing this information as a convenience to you.
Microsoft does not control these sites and has not tested any software or
information found on these sites; therefore, Microsoft cannot make any
representations regarding the quality, safety, or suitability of any
software or information found there. There are inherent dangers in the use
of any software found on the Internet, and Microsoft cautions you to make
sure that you completely understand the risk before retrieving any software
from the Internet.

Sean Cai, MCSE2000
Microsoft Online Support

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
 
Jim Helfer

Sean said:
> [...]

So, I'm "MS built-in firewall doesn't support passive ftp."
 
Sean Cai [MSFT]

Hi,

I think that's more like "all firewalls aren't friendly to passive ftp". :)

Since the built-in firewall can't allow an application to use a specific
range of ports, if your clients reside in certain subnets or use static IPs,
you can set an IP/subnet list; the clients in the list can access ftp
without limit.

Otherwise, the only way to let passive ftp function is to allow the ftp
server to talk to everyone on every port, and this is obviously too dangerous.

Best Regards,

Sean Cai, MCSE2000
Microsoft Online Support

 
Harry Johnston

Sean said:
I think that's more like "all firewalls aren't friendly to passive ftp". :)

Actually there are plenty of firewalls that support passive ftp. Of course,
they have to parse the ftp traffic to do so.

Harry.
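An added example, not code from this thread or from Microsoft: a small Python model of what an FTP-aware firewall (Harry's point) does with the server's 227 PASV reply, combined with the two options Sean describes, a statically opened 1024-5000 range or a trusted client IP/subnet list. The reply strings, addresses and the `data_connection_allowed` decision function are constructed for illustration; the port range is the one the cited KB gives for IIS on Windows Server 2003.

```python
import ipaddress
import re

# Ephemeral range IIS on Windows Server 2003 draws PASV data ports from (KB 323446).
EPHEMERAL_RANGE = (1024, 5000)

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (ip, port) advertised by a 227 reply, or None if it is malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        return None  # octets and port bytes must fit in 8 bits
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]


def data_connection_allowed(reply, server_ip, client_ip, trusted_nets=(),
                            port_range=EPHEMERAL_RANGE):
    """Decide whether a firewall should admit the client's PASV data connection.

    Hypothetical policy modelled on the thread: clients inside a trusted
    IP/subnet list get through on any port; everyone else only if the
    advertised port lies inside the statically opened ephemeral range.
    Like an FTP-aware firewall, it also refuses a reply whose address does
    not match the server the control session is already talking to.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return False
    ip, port = parsed
    if ip != server_ip:
        return False  # reply would send the client to some other host
    client = ipaddress.ip_address(client_ip)
    if any(client in ipaddress.ip_network(net) for net in trusted_nets):
        return True
    lo, hi = port_range
    return lo <= port <= hi
```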