Firewall

It is suicide to run any network connected server or PC without a decent condom, in this case a proper firewall. At last firewall designers have changed the thinking model from 'allow all, ban unwanted' to 'ban all, allow wanted', a mode of thinking that really should have permeated secure computing right from the start in my opinion. Microsoft eventually came up with an integrated firewall for its operating system, and in all fairness to Microsoft and other firewall developers, the Windows Firewall works well simply because it is developed by the same people who have direct access to the operating system.

However, sometimes the damn thing works too well – and you are left stuck trying to figure out how to punch through it without disabling it completely. Case in point: FTP services.

Windows Firewall blocks all inbound ports by default, allowing traffic only on the ports and application tunnels the user has sanctioned. An FTP server has a single listener thread on its active (control) port which catches any connection attempts and then farms the work off to a generated worker thread; in passive mode that worker opens its own listening port for the data connection, so it obviously needs its own access through the firewall. This means you automatically sit with a problem: with only the control port open, FTP Passive Mode will NOT function properly for any connecting FTP clients.

So what is the solution? Well obviously you have already given the active port firewall access (usually port 21 for most FTP servers), but the trick is that you also need to define a range of unblocked ports for the worker connections. So, without any further ado:

Automating the addition of unblocked ports in Windows Firewall

From the Command Line:

Click Start, click Run, type cmd, and then click OK.
Type in the following, where the range is specified in ( ) and the name of the firewall entry is in " ". (This form is for typing directly at the prompt; in a batch file the loop variable is written %%I.)

FOR /L %I IN (5001,1,5201) DO netsh firewall add portopening TCP %I "Passive FTP %I"

Each port in the range will be added with an "OK" confirmation. In this example we've opened ports 5001 to 5201, each with the name Passive FTP <port number> (e.g. Passive FTP 5001).

Obviously, once the firewall has been updated, you'll need to make sure that your FTP server actually uses the ports you unblocked for its PASV connections. Most FTP servers have a config setting for defining the passive port range they use; if it does not match the range you opened, passive transfers will still fail.
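On newer Windows versions the old netsh firewall context has been superseded by the NetSecurity cmdlets, which let you open the whole passive range with a single rule and tie it to the FTP server program so the ports are not open to everything else on the box. The following is an added example, not from the original post; the rule name, the range and the path in $FtpServerExe are assumed placeholders, and it must be run from an elevated PowerShell.

```powershell
# Added example: one firewall rule for the passive FTP range (5001-5201, as in the
# post) instead of one netsh entry per port. Requires the NetSecurity module
# (Windows 8 / Server 2012 or later) and an elevated prompt.
$RuleName     = 'Passive FTP 5001-5201'
$PortRange    = '5001-5201'
$FtpServerExe = 'C:\Program Files\MyFtpServer\ftpd.exe'   # placeholder: your FTP server binary

# Remove a stale rule with the same name so the script can be re-run safely.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Allow inbound TCP on the passive range, but only when the listening process is
# the FTP server: a range open to one program is a much smaller hole than a bare
# port range that any process could bind.
New-NetFirewallRule -DisplayName $RuleName `
                    -Direction Inbound `
                    -Action Allow `
                    -Protocol TCP `
                    -LocalPort $PortRange `
                    -Program $FtpServerExe | Out-Null

# Verify what was actually created: the rule, its port filter and its program filter.
$rule  = Get-NetFirewallRule -DisplayName $RuleName
$ports = $rule | Get-NetFirewallPortFilter
$app   = $rule | Get-NetFirewallApplicationFilter
'{0}: enabled={1} action={2} ports={3} program={4}' -f `
    $rule.DisplayName, $rule.Enabled, $rule.Action, $ports.LocalPort, $app.Program

# Equivalent single command with the newer netsh context, if you prefer cmd:
#   netsh advfirewall firewall add rule name="Passive FTP 5001-5201" dir=in action=allow
#        protocol=TCP localport=5001-5201 program="C:\Program Files\MyFtpServer\ftpd.exe"
```

The FTP server's own passive port range setting still has to match 5001-5201, exactly as with the per-port netsh approach above.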