Not able to access FTP server from other machines in same LAN when Windows Firewall is ON
For FTP you will want to ensure you open both TCP ports 20 and 21. Additionally, if the server service running on the machine uses passive mode, then you will also need to open up the TCP port range the FTP server is configured to use.
Quick Port Breakdown
It appears you are running insecure FTP on TCP ports 20 and 21 (i.e. active and passive), and maybe also FTPS with implicit SSL on TCP ports 990 and 989. The FTP protocol uses one port/channel for the controls/commands and another port/channel for the data exchange portion between the client and server.
- Command channel: TCP port 21
- Data channel (active): TCP port 20
- Data channel (passive): <FTP server configured TCP port range>
- Command channel: TCP port 990
- Data channel (active): TCP port 989
Command Line Firewall (this section should fix the problem)
Run the below in command line elevated as administrator to create a Windows Firewall rule allowing inbound traffic to your FTP server service to communicate on the applicable command and data ports for any IP address and any profile scope of Windows OS classified networks.
You need to specify the program="<C:\FTPServer\FTPServer.exe>" value appropriate to your server, or else use service=<ftpsvc> in its place, pointing to the service name instead.
netsh advfirewall firewall add rule name="FTP Inbound" dir=in action=allow program="%windir%\system32\svchost.exe" remoteip=any localip=any protocol=TCP localport=20,21,990,989 remoteport=20,21,990,989 profile=any
Run the below to disable stateful FTP filtering so that the firewall does not block any FTP traffic, and so you don't need to open up the entire passive port range to allow that traffic.
netsh advfirewall set global StatefulFTP disable
Windows Firewall GUI
Be sure that you have the scope defined in the rules so the IP address range of the LAN is allowed through, or else allow any IP address through. Lastly, you will want to ensure the network adapters on the server are configured in a profile the firewall rule allows.
Ports
Note: Add the passive port range if applicable.
Scope
Profiles
Further Resources
- FTP Connection Modes (Active vs. Passive)
- Firewall Rule Properties Page: Scope Tab
- Understanding Firewall Profiles
- How to Configure Windows Firewall for a Passive Mode FTP Server
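As an added example (not part of the answer above or of the IIS FTP documentation it links), the same configuration expressed in PowerShell, tightened to the LAN subnet and to the ftpsvc service instead of the generic svchost.exe, followed by a read-back of what the rule actually contains. The rule name and the passive range 50000-55000 are assumptions; the passive range must match the data channel port range configured in IIS.

```powershell
# Added example, not code from the original answer. Run in an elevated PowerShell session.
# Assumptions: the IIS FTP service is named ftpsvc (as the answer states) and the passive
# data channel range configured in IIS is 50000-55000 (constructed value; use your own).
$RuleName     = 'FTP Inbound (LAN only)'   # assumption: any name not already in use
$PassiveRange = '50000-55000'              # assumption: must equal the IIS passive range

# Inbound rule: control channel (21), implicit-FTPS control channel (990) and the passive
# data range. Ports 20/989 are the *source* ports of server-initiated active-mode data
# connections, so an inbound rule does not need them. RemotePort is deliberately left
# unrestricted: clients connect from ephemeral source ports, so restricting RemotePort to
# 20,21,989,990 as well would reject almost every client. Scope is the local subnet only.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort 21, 990, $PassiveRange `
    -RemoteAddress LocalSubnet `
    -Service ftpsvc `
    -Profile Private, Domain

# Stateful FTP inspection cannot read an encrypted (FTPS) control channel to learn the
# negotiated passive port, so disable it and rely on the explicit range opened above.
Set-NetFirewallSetting -EnableStatefulFtp False

# Read back the rule so the effective ports, scope and profile can be checked against
# what the server is configured to use (duplicate or greyed-out GUI rules are a common
# source of confusion, so verify the rule by name rather than by eye).
Get-NetFirewallRule -DisplayName $RuleName | ForEach-Object {
    $ports = $_ | Get-NetFirewallPortFilter
    $addr  = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Enabled    = $_.Enabled
        Profile    = $_.Profile
        LocalPort  = ($ports.LocalPort  -join ',')
        RemotePort = ($ports.RemotePort -join ',')   # expect "Any"
        RemoteAddr = ($addr.RemoteAddress -join ',') # expect "LocalSubnet"
    }
}
```

If the FTP server process is not ftpsvc, replace `-Service ftpsvc` with `-Program 'C:\path\to\FTPServer.exe'` as the answer describes for netsh.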
Maha, updated on September 18, 2022
Comments
- Maha, over 1 year: I have an FTP server configured on my Windows 10. When I turn off my Windows Firewall I can access the FTP server from other machines on the same LAN. But when I turn on the firewall, I cannot access the FTP. These are my firewall inbound rules that I feel are specific to my issue (I was thinking to snip and share the full Windows Firewall rule list, but it's huge. Please point me to any other rule that I need to tweak. I will snip it and share here.) Please tell me what is ill-configured. (I'm on Windows 10.)
- Maha, about 6 years: What exactly do I have to do? Just want to note that it seems that I have multiple instances of the same rule. For example, in the above question screenshots I have two entries of "FTP Server (FTP Traffic-In)". Similar for other entries. I don't know if they are duplicates, just that they seem the same to me. I have uploaded screenshots of different tabs of different distinct rules arranged vertically one below the other (read the title bar of the windows for the rule name) here. As you can see, the local/remote ports checkbox is greyed out. (continued...)
- Maha, about 6 years: (...continued) The rest of the settings I have done the way you told me. But it's not working yet. Please see the screenshots once and tell me what I am missing.
- Maha, about 6 years: I am using Windows's built-in FTP, which can be enabled through the "Turn Windows features on or off" window, and managing it through the IIS Management console.
- Maha, about 6 years: And I have %windir%\system32\svchost.exe listed in the "This program" field of the Programs and Services tab of all those FTP-related inbound rules.
- Maha, about 6 years: I ran
  netsh advfirewall set global StatefulFtp disable
  and then
  netsh advfirewall firewall add rule name="FTP Inbound" dir=in action=allow program="%windir%\system32\svchost.exe" remoteip=any localip=any protocol=TCP localport=20,21,990,989 remoteport=20,21,990,989 profile=any
  Now it's working!!! It seems a lot more complex than I thought it would be. Now I have to understand all this :( Super thanks anyway. And if possible please summarize what the issue was and how you solved it. I mean I really don't understand the command. Understanding it will consume some hours now :(
- Vomit IT - Chunky Mess Style, about 6 years: @Mahesha999 I've updated my answer and cleaned up my comments on those pointers, etc. that helped you resolve.
- Tim_Stewart, about 6 years: @pimp juice it, dude... nice answer!
- drizin, almost 5 years: Why are you restricting remote ports? Why in your command are you restricting it to 989 and 990 (both local and remote) while in your screenshot you're using a port range?
- drizin, almost 5 years: Your rule worked fine for me as long as I don't restrict remote ports and use the wide port range (20,21,50000-55000) for the local port. This range associated with svchost.exe looks safe enough.
- user2728841, over 3 years: I don't think you need port 20. Mine was OK without that.