FTP/SSL in passive mode with portrange, which ports has to be open on the firewall?


Solution 1

Slacksite has a good explanation of how FTP operates in active vs. passive mode, and definitive information on the data connection behaviour is in RFC 4217, § 7.

Basically, assuming your clients use passive mode and explicit SSL (e.g. connects on control port 21 instead of 990 for implicit SSL), you would need to allow incoming connections to the control port 21 and your 5 data ports from any client's high port range to the server, and outgoing established connection packets from the respective ports to random high ports. Active FTP is normally not a good idea as the server will try to actively open a connection to the client, which most client-side stateful firewalls will not allow if not configured accordingly.
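The server-side rule set this answer describes, written out as an added example (not code from the answer or from any FTP server project). It assumes a Linux host with iptables and conntrack, a control port of 21 (explicit FTPS) and a constructed 5-port passive range 50000-50004; the range must match whatever the FTP server itself is configured to advertise in its PASV replies.

```shell
#!/bin/sh
# Added example: firewall policy for explicit FTPS in passive mode.
# Port numbers below are placeholders chosen for this example.
CONTROL_PORT=21        # explicit FTPS (AUTH TLS); 990 would be implicit FTPS
PASV_FIRST=50000       # first port of the server's passive data range
PASV_LAST=50004        # last port: 5 data ports, as in the question

# Print the iptables rules for the server side of the firewall.
# Because the control channel is TLS-encrypted, the kernel FTP helper
# (nf_conntrack_ftp) cannot read the PASV reply and open data ports on
# demand, so the whole passive range has to be opened statically.
ftps_rules() {
    cat <<EOF
# Return traffic for connections the server already accepted (any port).
iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Control connection: client (any source port) -> server:$CONTROL_PORT, TCP.
iptables -A INPUT -p tcp --dport $CONTROL_PORT -m conntrack --ctstate NEW -j ACCEPT
# Passive data connections: client -> server:$PASV_FIRST-$PASV_LAST, TCP.
iptables -A INPUT -p tcp --dport $PASV_FIRST:$PASV_LAST -m conntrack --ctstate NEW -j ACCEPT
# Nothing else inbound. FTP/FTPS never uses UDP.
iptables -P INPUT DROP
EOF
}

# ftps_inbound_allowed PROTO DPORT
# Exit 0 if a NEW inbound flow to the server on PROTO/DPORT would be
# accepted by the rules above, 1 otherwise. Useful for checking a
# requested port list against the policy before handing it to the
# firewall team.
ftps_inbound_allowed() {
    proto=$1
    dport=$2
    [ "$proto" = tcp ] || return 1
    [ "$dport" -eq "$CONTROL_PORT" ] && return 0
    [ "$dport" -ge "$PASV_FIRST" ] && [ "$dport" -le "$PASV_LAST" ] && return 0
    return 1
}
```

Running `ftps_rules` prints the commands rather than applying them, so the output can be reviewed (or translated to the firewall vendor's syntax) before anything is opened.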

Solution 2

Yes, FTPS has big issues in terms of port use. It retrofitted encryption on a protocol, FTP, that was designed for a network without firewalls and black hats.

However, SFTP has significant performance issues with large files and high latency (or long distance) connections. So as bandwidth improvements allow larger file transfers, SSH/SFTP's limitations become more significant and FTPS is the only other alternative.

Solution 3

Usually, explicit "active" FTPS is port 990 and the control port is 989. Passive is the same as active but just means that in addition to 989 you use a few ports over the 1024+ range open on the server (for the client to initiate data connection), depending on how you configured your server.

Personally I prefer to use NULL FTP Server, run an implicit SFTP on port 22, and just have a single port implementation.



Updated on September 17, 2022

Comments

  • Admin
    Admin over 1 year

    We have to use FTP over SSL on our server and use a port range with 5 ports for the data connection. A firewall is between client and server. We have to know what we have to open at the firewall: port, protocol, incoming or outgoing. Does anybody know this?

    • Admin
      Admin almost 15 years
      What OS are you using?
    • Admin
      Admin almost 15 years
      I will not configure the firewall by myself, I only have to assign what has to be opened. So I don't know which OS the firewall is.
  • Luthoz
    Luthoz almost 15 years
    tools.ietf.org/html/rfc4217#page-8 - here is the RFC link
  • Dan D.
    Dan D. almost 15 years
    So if I want to use passive mode and implicit SSL, port 990 will be used in and out (I suppose with TCP) and then for the data connection the port range also in and out (also with TCP). So the firewall does not need to be opened for UDP?
  • Luthoz
    Luthoz almost 15 years
    Yes, the data connections also use TCP, so it should be sufficient to open up all data ports + the control port. Note that the implicit port is reserved, but not yet defined in the RFC. Thus it might be better to also open the normal control port and block non encrypted connections in the FTP Server configuration.
  • LaTeX
    LaTeX about 13 years
    So what is the solution for the asker?
  • Max Barraclough
    Max Barraclough almost 4 years
    'FTPS is the only other alternative' what about HTTPS?