FTP - Connections Problems

Posted on 2004-11-10
Last Modified: 2008-02-01
Hope you can help.  I'm using a sonicwall tz170 firewall.  Here goes:

I had FTP problems with 3 customers.  Basically they were unable to complete the data connection into our FTP server, the connection just locked up.  I tried all sorts including opening up our firewall for high-ports, ftp ports 20 & 21 for their specific FTP public IP addresses.  This still didn't resolve the issue.

I found a setting in the firewall which "Forces Inbound & Outbound FTP traffic to default to Port 20".  This then resolved the above problem for these 3 customers.

However, this has had a knock-on effect with a different customer, where we send the file across into their FTP site, via an automated batch file.  The same is now happening here, the data connection is locking up for me.  I'm fairly confident removing the setting "Forces Inbound & Outbound FTP traffic to default to Port 20" would remove this problem.

We are in the same boat as this customer, where they don't want to change things that will affect other customers, and I'm the same here.  Plus from a security point of view, with all these back door threats\trojans, I'm very reluctant to continue to leave a server open for high-ports.

Does anyone have any suggestions?  I'm thinking of upgrading to the sonicOS enhanced edition, if this will give me more options with ftp?

Question by:stevendunne
    LVL 57

    Accepted Solution

    sounds like some clients are connecting actively and some are connecting passively

    Passive and Active FTP

    There are two types of FTP (File Transfer Protocol) these are Active and Passive

    Active FTP

    Pros (good for network administrators)
    Cons (not so good for the client)

    The FTP server will try and make a connection on a lot of high port numbers (these could well be blocked on the clients side Firewall)

    Passive FTP

    Pros (good for the client)
    Cons (Not good for the network administrators)

    The client makes the connection to the FTP server, and one will be a high port number that will almost certainly be blocked by the network firewall (server side)


    To strike a happy medium, administrators can make their FTP servers available to many clients by supporting passive FTP; reserving a range of port numbers does this, in this way all other ports can be firewalled, thus decreasing the security risk

    Luckily, there is somewhat of a compromise. Since administrators running FTP servers will need to make their servers accessible to the greatest number of clients, they will almost certainly need to support passive FTP. Specifying a limited port range for the FTP server to use can minimize the exposure of high-level ports on the server. Thus, everything except for this range of ports can be firewalled on the server side. While this doesn't eliminate all risk to the server, it decreases it tremendously. See Appendix 1 for more information.


    Author Comment

    I spoke to the network admin at the other end and his ftp is "active".

    Am I causing all the problems by enabling "Forces Inbound & Outbound FTP traffic to default to Port 20" ?

    If the other side enable passive ftp, will I have problem as I have this "Forces Inbound & Outbound FTP traffic to default to Port 20" setting in place ?

    Finally, how do I check if my ftp is passive\active and how could I change ?
    LVL 57

    Expert Comment

    by:Pete Long
    >>Finally, how do I check if my ftp is passive\active and how could I change ?

    If you're passive you will have a lot of high (above 1024) ports open on the firewall
    LVL 9

    Expert Comment

    If you want to avoid opening a boatload of high ports on your server, you could probably force passive FTP to use a specific port (the server normally just picks a random port and tells the client to initiate the data connection with that).

    For IIS the following article might be useful to you:

    You'd then just need to open the port that you chose on the firewall.

    Most FTP clients can connect in passive mode by issuing a literal command: PASV (that'll put the FTP server in passive mode).

    I hope that helps.
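As an added illustration of the active/passive distinction in the accepted answer and of the "reserve a limited passive port range" compromise both it and the comment above describe (example code written for this page, not from the thread, SonicWall or IIS): the script decodes the RFC 959 `PORT` command and `227` PASV reply, reports which side has to open the data connection, and checks whether the advertised passive port falls inside a server-side reserved range. `PASSIVE_RANGE` and the sample lines are constructed values.

```python
import re

# Passive data ports the server is assumed to be configured to hand out
# (constructed value for this example); everything else above 1023 is
# assumed to stay firewalled on the server side.
PASSIVE_RANGE = (50000, 50100)

# RFC 959 encodes host and port as six comma-separated octets: h1,h2,h3,h4,p1,p2
HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^227 .*\(" + HOSTPORT + r"\)")      # server -> client
PORT_RE = re.compile(r"^PORT " + HOSTPORT + r"\s*$", re.I)  # client -> server


def decode_hostport(groups):
    """Turn the six octet strings into ('a.b.c.d', port); port = p1*256 + p2."""
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        raise ValueError("octet out of range: %r" % (groups,))
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def classify(line):
    """Classify one control-channel line as active or passive data setup.

    Returns which side originates the data connection, where it goes, which
    side must accept an inbound high port, and (passive only) whether the
    advertised port lies inside the server's reserved PASSIVE_RANGE, i.e.
    whether a firewall that only opens that range would let it through.
    """
    m = PASV_RE.match(line)
    if m:  # passive: server names a high port, client connects to it
        host, port = decode_hostport(m.groups())
        return {"mode": "passive", "originator": "client", "dest": (host, port),
                "inbound_high_port_at": "server",
                "server_fw_allows": PASSIVE_RANGE[0] <= port <= PASSIVE_RANGE[1]}
    m = PORT_RE.match(line)
    if m:  # active: client names a high port, server connects out from port 20
        host, port = decode_hostport(m.groups())
        return {"mode": "active", "originator": "server", "dest": (host, port),
                "inbound_high_port_at": "client", "server_fw_allows": True}
    raise ValueError("not a PASV reply or PORT command: %r" % (line,))


if __name__ == "__main__":
    for sample in ("227 Entering Passive Mode (192,0,2,10,195,80)",   # constructed
                   "227 Entering Passive Mode (192,0,2,10,4,1)",      # constructed
                   "PORT 198,51,100,7,200,10"):                       # constructed
        print(sample, "->", classify(sample))
```

The second sample decodes to port 1025, outside the reserved range: exactly the data connection that "locks up" when the server firewall only passes a limited passive range.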
    LVL 57

    Expert Comment

    by:Pete Long
