
HOWTO: Setup passive FTP with your Firewall

  • Thread starter AbsolutelyFreeW
This tutorial involves restarting IIS. Please be advised this can lead to loss of data. DO AT YOUR OWN RISK.

1. Take down firewall
2. Enable ports 5001 thru 5010 (or any other valid interval)
3. Raise firewall

4. Take a backup of IIS metabase
5. Enable direct metabase edit
6. Set PassivePortRange Metabase Property in the IIsFtpService object to a valid range. This is done in the Metabase.xml in your system32/inetsrv folder. The default MSFTP range is 1025-5000. But user-defined values are valid only in the interval 5001 to 65535. I chose to set this to 5001-5010 in step 2.
7. Restart IIS
8. Check the system log and look for IIS config errors
9. If error, restore metabase and try again; otherwise, disable direct metabase edit.

Good luck
 
Thanks for this howto

There is no PassivePortRange property in my C:\WINNT\system32\inetsrv\metabase.xml file.

What format should I use to add it?
 
Yes, very helpful, thank you.

Do you also know of an easy way to add the port range to Windows Firewall? As far as I can tell I will have to manually add 200 ports to the firewall, since neither PLESK firewall nor Windows Firewall appears to accept port ranges?
 
Do you need 200? In the tutorial I had only 10.
 
I never got this issue 100% solved, I kinda told my clients that had problems to use PORT (active) mode. I would love to keep working on this issue though.

I just checked setting PassivePortRange="5500-5520", then restarted FTP.

Logged into the FTP using CuteFTP Pro and I notice PASV connections being made at ports 5055, 5057, 5063, 5062.

Then checked setting PassivePortRange="5500-5700", and restarted FTP.

I notice PASV connections being made at ports 5059, 5060, 5061.

Strange.

Anybody got feedback on this? Maybe a bug?
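
The check done by eye in the post above (comparing the ports in the server's PASV replies with the configured PassivePortRange) can be scripted. This is an added example, not part of the original thread; the log lines are constructed and the function names are hypothetical.

```python
import re

# RFC 959 PASV reply: "227 ... (h1,h2,h3,h4,p1,p2)"; data port = p1*256 + p2
PASV_RE = re.compile(r"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed client-log lines (192.0.2.10 is a documentation address).
SAMPLE_LOG = [
    "220 Microsoft FTP Service",
    "227 Entering Passive Mode (192,0,2,10,19,191)",
    "227 Entering Passive Mode (192,0,2,10,21,134)",
    "226 Transfer complete.",
]

def parse_range(text):
    """Parse a PassivePortRange value such as '5500-5520' into (low, high)."""
    low, sep, high = text.strip().partition("-")
    if not sep or not low.isdigit() or not high.isdigit():
        raise ValueError("expected 'low-high', got %r" % text)
    low, high = int(low), int(high)
    if not 0 < low <= high <= 65535:
        raise ValueError("invalid port range %r" % text)
    return low, high

def pasv_endpoint(line):
    """Return (host, port) from a 227 reply, or None for any other line."""
    m = PASV_RE.search(line)
    if m is None:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed reply: every field must fit in one byte
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def audit(log_lines, port_range):
    """List (host, port, in_range) for every PASV reply in the log."""
    low, high = parse_range(port_range)
    results = []
    for line in log_lines:
        endpoint = pasv_endpoint(line)
        if endpoint is not None:
            host, port = endpoint
            results.append((host, port, low <= port <= high))
    return results

if __name__ == "__main__":
    for host, port, ok in audit(SAMPLE_LOG, "5500-5520"):
        print(host, port, "in range" if ok else "OUTSIDE configured range")
```

A port flagged as outside the range means the server is not honouring the setting, so firewall exceptions opened only for that range will not cover the data connection.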
 
Have you edited metabase as described above?

You may also order Plesk support from me and have it done ;)
 
Well, if you only set ten ports, I would think that you might be limiting the connections, but I am not sure. I know on our Linux servers we use 1000 ports for passive transfer, maybe Windows handles it differently?
 
You are limiting concurrent connections then, yes. Depends on how busy the server is. You might want to invest in a decent firewall that you can set port ranges with ;)
 
I was thinking about that exactly, got any firewall suggestions?
 
I use VisNetic firewall, costs $199. I later found it is the 8Signs firewall branded. The firewall is a low level firewall only, doesn't look in the software layer, and needs a bit of getting used to for setting up all ports etc., but for differentiating different port and IP ranges, banning or pitfalling IPs, and even filtering bad HTTP calls, it does its work.
 
Just found this tutorial

http://www.newagedigital.com/cgi-bin/newagedigital/articles/ms-firewall-ftp.html

To add a range of ports to Windows Firewall from the Command Line

1. Click Start, click Run, type cmd, and then click OK.
2. Type in the following where the range is specified in ( ) and the name of the firewall entry is in " ".
FOR /L %I IN (5001,1,5201) DO netsh firewall add portopening TCP %I "Passive FTP"%I
3. Each port in the range will be added with an "OK" confirmation.

Haven't tried this yet, will confirm if it works in a bit.
 
That would be nice, thank you.

This is much like what pfwmng.js (Plesk firewall) has been doing before introduction of Windows Firewall, but then using netsh ip routing instead.
 
Yes, I can confirm that this works very well to add the whole port range to Windows Firewall exceptions. They will not show up in PLESK firewall, but they are there in Windows Firewall settings.

Thanks, this saves me a ton of time.
 