PASV FTP and Firewalls
For the ubergeeks:
If you’re running behind a port-based firewall (think “packet filter”) and you want to allow for passive FTP, you’ve got a problem. Passive FTP (which is very friendly to remote firewalls) plays havoc with tightly defined firewalls that protect the server.
If you’re not familiar with the specifics of how FTP works, suffice it to say that it’s a moderately complex affair in which the primary connection is made on port 21, subsequent control connections are made on port 20, and actual transfers occur on a variety of ports.
In “PORT-based FTP” (active mode), when a transfer request is made, the client opens a (typically high-numbered) port and tells the server to connect to it. That’s OK unless the client is behind a firewall that blocks the inbound connection to that port on the client machine; if it is, you’ve got a problem.
Thus was born “Passive FTP”, in which the client tells the server it wants to initiate a transfer, and the server opens a (typically high-numbered) port and tells the client where to connect. See how it turns the process upside down? Now, that’s all well and good, but it means that if you’re managing the firewall in front of a server that’s doing passive FTP, you’ve got to open up a slew of ports for the server to use for incoming data connections. Yuck.
The solution here is to restrict passive FTP on the server to a narrowly defined range of ports (often 5500–5700), and to open up only that much smaller range in the firewall.
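To make the mechanics concrete, here is an added example (not code from the original post or from any FTP server) that simulates the passive-mode exchange and the packet-filter rule that goes with it. It builds and parses the `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply (the port is `p1*256 + p2`), allocates server-side passive ports from a narrow range the way a restricted server would, and evaluates a firewall rule that only admits inbound TCP to port 21 and to that range. The range `5500–5700`, the address `192.0.2.10` and the in-use port set are constructed sample values; the functions are hypothetical helpers written for this illustration, and port allocation is simulated in memory rather than by binding sockets.

```python
import re

# Constructed example policy: narrow passive range taken from the post.
PASV_RANGE = range(5500, 5701)   # 5500..5700 inclusive
CONTROL_PORT = 21

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def format_pasv_reply(host, port):
    """Build the server's 227 reply for a chosen data port (host is dotted IPv4)."""
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    h1, h2, h3, h4 = host.split(".")
    return "227 Entering Passive Mode (%s,%s,%s,%s,%d,%d)" % (
        h1, h2, h3, h4, port // 256, port % 256)


def parse_pasv_reply(line):
    """Client side: recover (host, port) from a 227 reply; reject anything else."""
    if not line.startswith("227"):
        raise ValueError("not a 227 PASV reply: %r" % line)
    m = PASV_RE.search(line)
    if m is None:
        raise ValueError("227 reply carries no (h1,h2,h3,h4,p1,p2) tuple: %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet exceeds 255 in %r" % line)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def choose_passive_port(pasv_range, in_use):
    """Server side: pick the lowest free port in the restricted range.

    A narrow range bounds what the firewall must open, but it also caps the
    number of simultaneous transfers; when the range is exhausted the server
    must refuse the PASV request rather than spill outside the range.
    """
    for port in pasv_range:
        if port not in in_use:
            return port
    raise RuntimeError("passive port range exhausted (%d ports in use)" % len(in_use))


def firewall_allows_inbound(dst_port, pasv_range=PASV_RANGE):
    """Packet-filter rule in front of the server: allow inbound TCP to the
    control port and to the configured passive range, deny everything else."""
    return dst_port == CONTROL_PORT or dst_port in pasv_range


def simulate_pasv_transfer(server_host, in_use, pasv_range=PASV_RANGE):
    """Run one PASV round trip: allocate a port, emit the 227 line, parse it as
    the client would, and check the resulting data connection against the rule.
    Returns (port, allowed_by_firewall)."""
    port = choose_passive_port(pasv_range, in_use)
    in_use.add(port)
    reply = format_pasv_reply(server_host, port)
    _, client_port = parse_pasv_reply(reply)
    return client_port, firewall_allows_inbound(client_port, pasv_range)


if __name__ == "__main__":
    busy = {5500, 5501}                     # constructed: two transfers already running
    print(simulate_pasv_transfer("192.0.2.10", busy))      # (5502, True)
    # A server left on the default wide ephemeral range would hand out ports
    # the narrow firewall rule never opened; the client then hangs on connect.
    print(firewall_allows_inbound(49152))                  # False
```

The contrast the post describes shows up in the last two lines: a port chosen from the restricted range passes the rule, while a port from an unrestricted ephemeral range is dropped by the same rule, which is exactly the hang users see when the server's passive range and the firewall's allowed range do not agree.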
For Windows 2000 and Windows 2003 running IIS 5 or IIS 6, Microsoft has published a nice little page detailing how to set the range of ports used for passive FTP. (Which is really the whole point of this post. Someday, I’m going to need that link again, and now I know where to find it. Hopefully, this’ll help somebody else who needs it, too!)