Configuring An FTP Server Behind A Firewall

Recently, I had the joy of configuring Linux and Windows FTP servers behind a firewall acting as a load balancer.  I figured that this would be simple enough, as FTP by default uses TCP port 21 (FTP control port) and TCP port 20 (FTP transfer port).  Sadly, what most people fail to realize is that this only works for FTP in Active mode.  For NAT traversal, most FTP clients connect as Active and then switch to FTP Passive mode (which, on a secure firewall, causes FTP to stop working).  The solution is to limit the random ports that your FTP server uses in passive mode.

Technically you can use most port ranges above 5000, but for this example, I’ll only use 20 ports from port 10000 to 10019.

Here’s how to do it with IIS6 and IIS7 FTP server:

cd \Inetpub\AdminScripts
adsutil.vbs set /MSFTPSVC/PassivePortRange "10000-10019"

And for vsftpd on Linux, you can add the following to vsftpd.conf:

pasv_min_port=10000
pasv_max_port=10019

For a little bonus, you may need to also add the following to vsftpd.conf to publish the correct IP address to the client if you’re behind a firewall.

# put your public IP address in here, not the private IP (vsftpd only accepts comments on their own line)
pasv_address=xxx.xxx.xxx.xxx

If this step isn’t done, your clients may be given your server’s private IP address, which technically isn’t routable back to your network (i.e., the client gets 192.168.0.2 rather than your public, routable IP), which causes traffic to stay within their own private network rather than going to you.
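
To check both settings from the client side, the following added example (not from the original post) parses the server's 227 passive-mode reply and reports whether it advertises an RFC 1918 private address or a port outside the 10000-10019 range used above. The function names and the sample replies are constructed for illustration.

```python
import ipaddress
import re

# Passive range configured above (pasv_min_port / pasv_max_port).
PASV_MIN, PASV_MAX = 10000, 10019

# RFC 1918 private ranges: not routable from the client's side of the NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# RFC 959 reply format: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
_PASV_RE = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")

def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or raise ValueError."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % reply)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]  # data port = p1 * 256 + p2
    return ip, port

def check_pasv(reply, pasv_min=PASV_MIN, pasv_max=PASV_MAX):
    """List the problems that would break passive mode behind the firewall."""
    ip, port = parse_pasv(reply)
    problems = []
    if any(ip in net for net in RFC1918):
        problems.append("advertises private address %s; set pasv_address" % ip)
    if not pasv_min <= port <= pasv_max:
        problems.append("port %d is outside the passive range %d-%d"
                        % (port, pasv_min, pasv_max))
    return problems

# Constructed sample replies (203.0.113.10 is a documentation address).
SAMPLES = [
    "227 Entering Passive Mode (192,168,0,2,39,16)",   # private IP, port 10000
    "227 Entering Passive Mode (203,0,113,10,39,35)",  # public IP, port 10019
    "227 Entering Passive Mode (203,0,113,10,195,80)", # port 50000, not limited
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", check_pasv(line) or "OK")
```

The 227 line itself can be seen in the debug or verbose output of most FTP clients.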

 

If you want to configure your firewall with port forwarding, see this post about how to go about it.
