
HOWTO: Setup passive FTP with your Firewall

Discussion in 'Plesk for Windows - 8.x and Older' started by AbsolutelyFreeW, Jul 7, 2005.

  1. AbsolutelyFreeW

    AbsolutelyFreeW Guest

    0
     
    This tutorial involves restarting IIS. Please be advised this can lead to loss of data. DO AT YOUR OWN RISK.

    1. Take down firewall
    2. Enable ports 5001 thru 5010 (or any other valid interval)
    3. Raise firewall

    4. Take a backup of IIS metabase
    5. Enable direct metabase edit
    6. Set PassivePortRange Metabase Property in the IIsFtpService object to a valid range. This is done in the Metabase.xml in your system32/inetsrv folder. The default MSFTP range is 1025-5000. But user-defined values are valid only in the interval 5001 to 65535. I chose to set this to 5001-5010 in step 2.
    7. Restart IIS
    8. Check the system log and look for IIS config errors
    9. If error restore metabase and try again, otherwise, disable direct metabase edit.

    Good luck
     
  2. atinoco

    atinoco Guest

    0
     
    Thanks for this howto

    There is no PassivePortRange property in my C:\WINNT\system32\inetsrv\metabase.xml file.

    What format should I use to add it?
     
  3. oatmeal@

    oatmeal@ Guest

    0
     
  4. Traged1

    Traged1 Guest

    0
     
    Yes, very helpful, thank you.

    Do you also know of an easy way to add the port range to Windows firewall? As far as I can tell I will have to manually add 200 ports manually to the firewall since neither PLESK firewall nor Windows firewall appear to accept port ranges?
     
  5. AbsolutelyFreeW

    AbsolutelyFreeW Guest

    0
     
    Do you need 200? In the tutorial I had only 10.
     
  6. atinoco

    atinoco Guest

    0
     
    I never got this issue 100% solved, I kinda told my clients that had problems to use PORT (active) mode, I would love to keep working on this issue though.

    I just checked setting PassivePortRange="5500-5520", then restarted FTP

    logged into the FTP using CuteFTP Pro and I notice PASV connections being made at ports 5055, 5057, 5063, 5062

    then checked setting PassivePortRange="5500-5700", and restarted FTP

    I notice PASV connections being made at ports 5059, 5060, 5061

    Strange

    anybody got feedback on this? maybe a bug?
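
An added example, not part of the thread: the check atinoco describes above (comparing the ports in the server's PASV replies with the configured PassivePortRange), written as a Python sketch. The log lines are constructed, the function names are hypothetical, and the 5001 to 65535 bound is the one the first post gives.

```python
import re

# Interval the first post gives for user-defined PassivePortRange values.
USER_MIN, USER_MAX = 5001, 65535

# RFC 959 reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"\b227\b[^(]*\((\d{1,3}(?:,\d{1,3}){5})\)")

def parse_range(value):
    """Parse a PassivePortRange string such as '5500-5520' into (low, high)."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m:
        raise ValueError(f"not a 'low-high' range: {value!r}")
    low, high = int(m.group(1)), int(m.group(2))
    if not (USER_MIN <= low <= high <= USER_MAX):
        raise ValueError(f"range must lie within {USER_MIN}-{USER_MAX}: {value!r}")
    return low, high

def pasv_port(line):
    """Return the data port announced in a 227 reply, or None for other lines."""
    m = PASV_RE.search(line)
    if not m:
        return None
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        return None  # malformed reply
    return fields[4] * 256 + fields[5]  # port = p1 * 256 + p2

def ports_outside_range(log_lines, configured):
    """List announced PASV ports that fall outside the configured range."""
    low, high = parse_range(configured)
    ports = [p for p in map(pasv_port, log_lines) if p is not None]
    return [p for p in ports if not low <= p <= high]

# Constructed FTP client log (192.0.2.10 is a documentation address).
SAMPLE_LOG = [
    "COMMAND:> PASV",
    "227 Entering Passive Mode (192,0,2,10,19,191).",
    "COMMAND:> PASV",
    "227 Entering Passive Mode (192,0,2,10,21,130).",
    "COMMAND:> PASV",
    "227 Entering Passive Mode (192,0,2,10,19,199).",
]

if __name__ == "__main__":
    stray = ports_outside_range(SAMPLE_LOG, "5500-5520")
    print("PASV ports outside PassivePortRange:", stray or "none")
```

Any port this reports is one the firewall exception for the configured range will not cover, so passive transfers on it will fail from outside.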
     
  7. AbsolutelyFreeW

    AbsolutelyFreeW Guest

    0
     
    Have you edited metabase as described above?

    You may also order plesk support from me and have it done ;)
     
  8. Traged1

    Traged1 Guest

    0
     
    Well, if you only set ten ports, I would think that you might be limiting the connections, but I am not sure. I know on our Linux servers we use 1000 ports for passive transfer, maybe Windows handles it differently?
     
  9. AbsolutelyFreeW

    AbsolutelyFreeW Guest

    0
     
    You are limiting concurrent connections then yes. Depends on how busy the server is. You might want to invest in a decent firewall that you can set port ranges with ;)
     
  10. atinoco

    atinoco Guest

    0
     
    I was thinking about that exactly, got any firewall suggestions?
     
  11. AbsolutelyFreeW

    AbsolutelyFreeW Guest

    0
     
    I use visnetic firewall, costs $199. I later found it is the 8signs firewall branded. The firewall is a low level firewall only, doesn't look in the software layer, and needs a bit getting used to for setting up all ports etc, but for differentiating different port and IP ranges, banning or pitfalling IPs, and even filter bad HTTP calls, it does its work.
     
  12. atinoco

    atinoco Guest

    0
     
    Just found this tutorial

    http://www.newagedigital.com/cgi-bin/newagedigital/articles/ms-firewall-ftp.html

    Haven't tried this yet, will confirm if it works in a bit.
     
  13. AbsolutelyFreeW

    AbsolutelyFreeW Guest

    0
     
    That would be nice, thank you.

    This is much like what pfwmng.js (Plesk firewall) has been doing before introduction of Windows firewall, but then using netsh ip routing instead.
     
  14. Traged1

    Traged1 Guest

    0
     
    Yes, I can confirm that this works very well to add the whole port range to Windows firewall exceptions. They will not show up in PLESK firewall, but they are there in Windows firewall settings.

    Thanks, this saves me a ton of time.
     