How to Configure Windows Firewall for a Passive Mode FTP Server

Applies To: Windows 7, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Using the File Transfer Protocol (FTP) service on a server behind a firewall creates a set of challenges because of the way FTP works. A standard mode FTP client initiates a session to a server by opening a “command channel” connection to TCP port number 21. A file transfer is requested by the client by sending a PORT command to the server. The server then attempts to initiate a “data channel” connection back to the client on TCP port number 20. A typical firewall running on the client sees this data channel connection request from the server as unsolicited and drops the packets, causing the file transfer to fail. Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008 supports stateful FTP, which allows it to match inbound connection requests on port 20 with previous outbound PORT commands from the client. However, if you use FTP over SSL to encrypt and secure the FTP traffic, then the firewall can no longer inspect the inbound connection requests from the server, and they are blocked.

To avoid this issue, FTP also supports a “passive” operational mode in which the client initiates the data channel connection. Instead of using the PORT command, the client sends a PASV command on the command channel. The server responds with the TCP port number to which the client should connect to establish the data channel. By default, the server uses an available port in the ephemeral range (1025 through 5000). To better secure the server, you can restrict the port range used by the FTP service, and then create a firewall rule that allows FTP traffic on only those allowed port numbers.

This topic discusses how to:

  1. Configure the FTP service to only use a limited number of ports for passive mode FTP

  2. Configure an inbound firewall rule to allow inbound FTP connections on only the allowed ports

The following procedure shows the steps for configuring the FTP service on Internet Information Services (IIS) version 7.0. If you are using a different FTP service, then consult that product’s documentation for appropriate steps. Configuring support for SSL is beyond the scope of this topic. For more information, see the IIS documentation.

Configure the FTP service to only use a limited number of ports for passive mode FTP

  1. In the IIS 7.0 Manager, in the Connections pane, click the top node for your server.

  2. In the details pane, double-click FTP Firewall Support.

  3. Enter the range of port numbers that you want the FTP service to use. For example, 41000-41099 allows the server to support 100 passive mode data connections simultaneously.

  4. Enter the external IPv4 address of the firewall through which the data connections arrive.

  5. In the Actions pane, click Apply to save your settings.

You must also create a firewall rule on the FTP server to allow inbound connections on the ports you configured in the previous procedure. Although you could create a rule that specifies the ports by number, it is easier to create a rule that opens any port on which the FTP service is listening. You limit the ports on which FTP is listening by following the steps in the previous procedure.

Configure an inbound firewall rule to allow inbound FTP connections to only the ports on which FTP is listening

  1. Open an Administrator command-prompt. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as Administrator.

  2. Run the following command:

    netsh advfirewall firewall add rule name="FTP Service" action=allow service=ftpsvc protocol=TCP dir=in

  3. Finally, disable stateful FTP filtering so that the firewall does not block any FTP traffic.

    netsh advfirewall set global StatefulFTP disable
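The following script is an added example, not part of the original article or of IIS: it applies both procedures above from an elevated PowerShell prompt, then checks that the rule exists, that stateful FTP filtering is off, and that a PASV reply advertises a port inside the configured range. It assumes IIS 7.x with appcmd.exe in %windir%\system32\inetsrv; the site name, port range and external address are placeholders, and the appcmd section and attribute names are taken from the IIS configuration schema rather than from this page.

```powershell
# Added example: configure passive FTP port range + firewall rule, then verify.
$PortLow    = 41000
$PortHigh   = 41099
$ExternalIp = '203.0.113.10'      # placeholder: external IPv4 address of the firewall
$SiteName   = 'Default FTP Site'  # placeholder: name of the FTP site in IIS Manager
$appcmd     = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

# 1. Restrict the passive-mode data channel to 100 ports (server-wide setting).
#    Assumed appcmd syntax for the system.ftpServer/firewallSupport section.
& $appcmd set config -section:system.ftpServer/firewallSupport `
    "/lowDataChannelPort:$PortLow" "/highDataChannelPort:$PortHigh" /commit:apphost

# 2. External IPv4 address that the server returns in PASV replies (per-site setting).
& $appcmd set config -section:system.applicationHost/sites `
    "/[name='$SiteName'].ftpServer.firewallSupport.externalIp4Address:$ExternalIp" /commit:apphost

# 3. Allow inbound TCP on whatever ports the FTP service (ftpsvc) is listening on.
netsh advfirewall firewall add rule name="FTP Service" action=allow service=ftpsvc protocol=TCP dir=in

# 4. Stateful FTP inspection cannot see inside FTP over SSL, so turn it off.
netsh advfirewall set global StatefulFTP disable

# Verification: the rule must exist and StatefulFTP must report Disable.
$rule = netsh advfirewall firewall show rule name="FTP Service"
if ($rule -match 'No rules match') { throw 'FTP Service rule was not created' }
$globalSettings = netsh advfirewall show global
if (-not ($globalSettings -match 'StatefulFTP\s+Disable')) { throw 'StatefulFTP is still enabled' }

# Parse an RFC 959 "227" reply (h1,h2,h3,h4,p1,p2) and confirm p1*256+p2 is in range.
function Test-PasvPort {
    param([string]$Reply, [int]$Low, [int]$High)
    if ($Reply -notmatch '\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)') { return $false }
    $port = [int]$Matches[5] * 256 + [int]$Matches[6]
    return ($port -ge $Low -and $port -le $High)
}

# Constructed sample replies: the first encodes port 160*256+40 = 41000, inside the
# range; the second encodes 19*256+137 = 5001, an ephemeral port the rule does not allow.
Test-PasvPort '227 Entering Passive Mode (203,0,113,10,160,40).' $PortLow $PortHigh
Test-PasvPort '227 Entering Passive Mode (203,0,113,10,19,137).' $PortLow $PortHigh
```

Run Test-PasvPort against the reply captured from a real client session after the change; a port outside the range means the IIS setting did not take effect and the data connection will be dropped by the rule.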