General discussion

  • Creator
  • #2310988

    IIS FTP server reply port


    by ngunity ·

    I have a problem where a remote office with strict firewalling is FTPing into an FTP server of mine on a custom port e.g. 12345

    The client is able to connect to the server and sign in but when they issue a ‘put’ command they receive an error message: 500 Invalid PORT Command. MS KB article 281193 describes this problem but doesn’t rely offer a resolution. Essentially the server is returning traffic to the client on a dynamic port and the client side security is blocking the traffic returningfrom the server

    Can anyone offer me a work around for this problem or even better tell me how I can configure my win2k IIS FTP server to only return FTP traffic on a specific port (not a dynamically created one) so the remote site firewall can’t block the traffic?

    Please don’t offer an answer unless you’ve got a decent one.

All Comments

  • Author
    • #3469893

      IIS FTP server reply port

      by beermonster ·

      In reply to IIS FTP server reply port

      FTP has two modes, passive and active. In active mode (which I believe is the default) an initial connection is made on port 21. Most people assume that that is it, a port has been opened so comms can continue, this is not the case. The FTP port 20 is simply a control port, across which the server and client trade information about their connection, rather than any actual data. To trade data, the client sends a PORT command over port 21 which basically says ‘what port shall I use for data transfer’ – to which the server replies with a port number. Now –

      In Active mode, the server always returns port 20 – the ftp well known port – as the data port.

      In passive mode, the server returns a dynamic port in the range of 1024 – 5000.

      In active mode you must open port 20 on the firewalls at either end, the downer is that that this is a well known port and is often scanned, the plus that you only need open a single extra port.

      In passive mode, you must open ports 1024 – 5000 at either end, the plus is that anyone trying to track \ hack you now has to find the right port out of around 4000, the down is that you have to open up nearly 4000 ports.

      In fact (and I’m not a firewall guru by any means) most firewalls allowopening ports for ‘connected sessions’ only. This means that any access via a port must be initiated from inside the firewall, effectively allowing access but preventing attack, and making opening up the dynamic ports far less of a risk (bear in mind that ftp is not the only app that uses dynamic port allocation). So, if you only want to use port 20, and that is opened on both firewalls, then set the server to active mode. Look for info on this by searching

      for “PASV”

      Hope this helps…

Viewing 0 reply threads