FTP IIS Passive



Using Windows Firewall with non-secure FTP traffic

To configure Windows Firewall to allow non-secure FTP traffic, use the following steps:

  1. Open a command prompt: click Start, then All Programs, then Accessories, then Command Prompt.
  2. To open TCP port 21 (the FTP control channel) on the firewall, type the following command and press Enter:

    netsh advfirewall firewall add rule name="FTP (non-SSL)" action=allow protocol=TCP dir=in localport=21
  3. To enable stateful FTP filtering, which inspects the control channel and dynamically opens the ports negotiated for data connections, type the following command and press Enter:
    netsh advfirewall set global StatefulFtp enable

Important Notes:

  • Active FTP connections are not necessarily covered by the above rules: if the firewall profile's default outbound action is Block, an outbound rule for TCP connections from server port 20 is also needed. In addition, the FTP client machine needs its own inbound firewall exception, because in active mode the server opens the data connection to the client.
  • FTP over SSL (FTPS) is not covered by these rules: the Windows Firewall stateful FTP filter cannot parse the encrypted control channel, so it cannot learn the negotiated data port, and the SSL negotiation will most likely fail. (Some 3rd-party firewall filters recognize the beginning of SSL negotiation, e.g. the AUTH SSL or AUTH TLS commands, and return an error to prevent the negotiation from starting.) For FTPS, configure a fixed data channel port range and allow it inbound with an explicit rule instead of relying on stateful inspection.

FTP passive / data channel port range

When the IIS FTP service's own data channel port range is left at its default of 0-0, it hands out passive data ports from the Windows dynamic (ephemeral) TCP port range. The following command pins that range to TCP 10000-10999 so it is predictable enough to reference in a firewall rule:

    netsh int ipv4 set dynamicport tcp start=10000 num=1000

Note that this changes the dynamic port range for every TCP socket on the host, not only for FTP. With stateful FTP filtering enabled the firewall opens these ports on demand; if that filter is disabled, or the traffic is FTPS, add an explicit inbound rule for the whole range.
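The two procedures on this page (firewall rules for the control channel and stateful inspection, then the passive data port range) put together as one idempotent PowerShell script, with verification. This is an added example, not part of the original page or Microsoft's documentation. The rule names other than "FTP (non-SSL)", the 10000-10999 range, the explicit passive-range and port-20 rules, and the assumption that the IIS FTP Firewall Support data channel range is left at 0-0 are all choices made here, not taken from the page.

```powershell
# Added example: apply the FTP firewall and passive-port procedure from an
# elevated PowerShell prompt on Windows Server 2012 or later (NetSecurity module).
# Assumptions (not from the original page): rule names other than "FTP (non-SSL)",
# the 10000-10999 passive range, and an IIS FTP data channel range left at 0-0.
#Requires -RunAsAdministrator

$ErrorActionPreference = 'Stop'

$ControlRuleName = 'FTP (non-SSL)'            # same name as the netsh rule above
$PassiveRuleName = 'FTP passive data ports'   # assumed name
$ActiveRuleName  = 'FTP active data (outbound 20)'  # assumed name
$PassiveStart    = 10000
$PassiveCount    = 1000
$PassiveEnd      = $PassiveStart + $PassiveCount - 1

# Create a rule only if no rule with that display name exists, so the script
# can be re-run without piling up duplicate rules.
function Add-RuleIfMissing {
    param([string]$Name, [hashtable]$Spec)
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) {
        Write-Host "rule '$Name' already present"
    } else {
        New-NetFirewallRule -Name $Name -DisplayName $Name @Spec | Out-Null
        Write-Host "rule '$Name' added"
    }
}

# Step 2: control channel, TCP/21 inbound.
Add-RuleIfMissing $ControlRuleName @{ Direction = 'Inbound'; Protocol = 'TCP'; LocalPort = 21; Action = 'Allow' }

# Step 3: stateful FTP inspection (same setting as "netsh advfirewall set global StatefulFtp enable").
Set-NetFirewallSetting -EnableStatefulFtp True

# Passive data channel: pin the Windows dynamic port range, exactly as the netsh
# command on this page does. IIS FTP draws passive ports from this range when
# its own data channel range is 0-0.
netsh int ipv4 set dynamicport tcp start=$PassiveStart num=$PassiveCount | Out-Null

# Explicit inbound rule for the passive range. Stateful inspection makes this
# redundant for plain FTP, but it is what keeps FTPS working, since the inspector
# cannot read the encrypted PASV reply.
Add-RuleIfMissing $PassiveRuleName @{ Direction = 'Inbound'; Protocol = 'TCP'; LocalPort = "$PassiveStart-$PassiveEnd"; Action = 'Allow' }

# Active mode only: the server connects out from port 20 to the client. Needed
# only when the profile's default outbound action is Block (the Windows default is Allow).
Add-RuleIfMissing $ActiveRuleName @{ Direction = 'Outbound'; Protocol = 'TCP'; LocalPort = 20; Action = 'Allow' }

# --- verification ---
$stateful = (Get-NetFirewallSetting).EnableStatefulFtp
if ("$stateful" -ne 'True') { throw "stateful FTP not enabled (value: $stateful)" }

# The "Start Port" label is from the English netsh output; adjust on localized systems.
$range = netsh int ipv4 show dynamicport tcp
if (-not ($range -match "Start Port\s*:\s*$PassiveStart\b")) {
    throw "dynamic port range not applied:`n$($range -join "`n")"
}

# Show the port filters attached to the inbound rules so a reviewer can eyeball them.
Get-NetFirewallRule -DisplayName $ControlRuleName, $PassiveRuleName |
    Get-NetFirewallPortFilter |
    Select-Object @{ n = 'Rule'; e = { $_.InstanceID } }, Protocol, LocalPort |
    Format-Table -AutoSize
```

Run it once per server; the verification at the end throws if stateful inspection or the dynamic port range did not take, which is the usual cause of "directory listing hangs" reports after a PASV. Because the dynamic port range applies to every TCP socket on the host, keep the range wide enough for the server's other outbound connections, not just the expected number of FTP data channels.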