Which port must I unblock in the firewall for FTPS using WinScp to avoid a timeout?

5,869

According to Wikipedia, FTPS has some firewall incompatibilities:

Because FTP utilizes a dynamic secondary port (for data channels), many firewalls were designed to snoop FTP protocol control messages in order to determine which secondary data connections they need to allow. However, if the FTP control connection is encrypted using TLS/SSL, the firewall cannot determine the TCP port number of a data connection negotiated between the client and FTP server. Therefore, in many firewalled networks, an FTPS deployment will fail when an unencrypted FTP deployment will work. This problem can be solved with the use of a limited range of ports for data and configuring the firewall to open these ports.

However, another question on Stack Exchange (Server Fault) lists some ways to solve your problem:

To know exactly what ports you will need to open, you will need to either:

a) Talk to the vendor to get specifics about how their system has been configured.

b) Use a protocol analyzer, such as tcpdump or Wireshark, to look at the traffic, both from outside your firewall and inside your firewall.

You need to find out which port is the Control Connection. You list 3, which seems odd to me. Assuming the server only works in PASV (passive) mode, you need to figure out how the server is configured to allocate DATA ports. Have they locked down the DATA channel to a single inbound port? Have they locked down the DATA channel to a small range of ports?

With these answers, you can start configuring your firewall.

(Answered by pcapademic on May 21 '09 at 20:28.)
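The quoted answer turns on one mechanism: a firewall's FTP helper reads the server's `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply off the control channel, computes the data port as `p1 * 256 + p2`, and opens that port for the client. Under FTPS the control channel is TLS-encrypted, so the helper sees only ciphertext and the data connection is dropped unless a fixed passive range is opened statically. The script below is an added illustration (not code from the answer, from WinSCP, or from Synology): it parses 227 replies, checks each negotiated data port against a passive range, and shows that an encrypted control channel yields nothing to parse. The session bytes and the passive range 55536-55663 (quoted in the comments on this page) are constructed sample data.

```python
import re
from typing import List, Optional, Tuple

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# The data port is p1 * 256 + p2; this is the text a firewall's FTP helper
# reads off the control channel to decide which data connection to permit.
PASV_RE = re.compile(
    r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(line: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) announced by a 227 reply, or None for any other line."""
    m = PASV_RE.match(line.strip())
    if m is None:
        return None
    fields = [int(g) for g in m.groups()]
    if any(v > 255 for v in fields):
        return None  # malformed reply: each octet and port byte must fit in a byte
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_port_allowed(port: int, passive_range: Tuple[int, int]) -> bool:
    """True if the negotiated data port lies within the range the firewall opens."""
    lo, hi = passive_range
    return lo <= port <= hi


def audit_control_channel(
    control_bytes: bytes, passive_range: Tuple[int, int]
) -> List[Tuple[int, bool]]:
    """Scan what is visible on the control channel and report every negotiated
    data port together with whether the static passive range would admit it.
    An encrypted (TLS) channel contains no readable 227 replies, so the result
    is empty: the firewall learns nothing and can only rely on the static range."""
    text = control_bytes.decode("ascii", errors="replace")
    results = []
    for line in text.splitlines():
        parsed = parse_pasv_reply(line)
        if parsed is not None:
            _, port = parsed
            results.append((port, data_port_allowed(port, passive_range)))
    return results


# Constructed sample: a plaintext control-channel exchange (server replies only).
PLAINTEXT_SESSION = (
    b"220 FTP server ready.\r\n"
    b"230 Login successful.\r\n"
    b"227 Entering Passive Mode (192,168,1,10,217,3).\r\n"   # port 55555, in range
    b"150 Opening BINARY mode data connection.\r\n"
    b"227 Entering Passive Mode (192,168,1,10,39,16).\r\n"   # port 10000, out of range
)

# Constructed sample: under TLS the same exchange is opaque to the firewall.
# These bytes are arbitrary and merely stand in for an encrypted TLS record.
ENCRYPTED_SESSION = bytes([0x17, 0x03, 0x03, 0x00, 0x40]) + bytes(range(64))

# Passive data-port range quoted in the comments on this page (assumed here).
PASSIVE_RANGE = (55536, 55663)


if __name__ == "__main__":
    print("plaintext:", audit_control_channel(PLAINTEXT_SESSION, PASSIVE_RANGE))
    print("encrypted:", audit_control_channel(ENCRYPTED_SESSION, PASSIVE_RANGE))
```

Running it reports `[(55555, True), (10000, False)]` for the plaintext session and `[]` for the encrypted one. The second 227 reply is the case the answer warns about: a server that hands out data ports outside the range the firewall opens will fail on the first transfer even though the login succeeds, which matches the symptom in the question. The practical check is therefore to confirm the server's configured passive range and open exactly that range (plus the control port) on the firewall.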


Author: Tim

Hi! I'm Tim, an informatics student studying my last year at the University of Lund. My main interests are web applications. Currently working with ASP.NET MVC2. I also like PHP/MySQL but need to learn more ASP.NET because where I'm working it's the framework used.

Updated on September 18, 2022

Comments

  • Tim, almost 2 years ago

    I'm using FTPS in WinScp for sending data to my Synology DiskStation. When I'm doing it inside a private network using port 21 for the connection, everything works fine. But when I'm trying the same thing over the internet, I get a connection error once the data transfer should begin. It seems like the connection is successfully established.

    My best guess is that it's because the file transfer is using another port than 21 and is being blocked by the firewall. It could also be that I'm not configuring the firewalls correctly for port 21 in my current setup.

  • Tim, about 12 years ago
    Thanks for the information! Could this be the answer to my question? "21 (command), 20 (Data connection in Active Mode), 55536-55663 (Data connection in Passive Mode)" from here
  • Diogo, about 12 years ago
    @Tim: According to the referred site, it seems it could be. I would give it a try.
  • Tim, about 12 years ago
    Thank you, I will try it out later today and come back with the results. Your information seems to be very helpful!
  • Tim, about 12 years ago
    Hi, I've finally got it working! But I'm not yet sure which of all the changes did the trick. I'll research it and explain it later.