Not able to access FTP server from other machines in same LAN when Windows Firewall is ON

I have FTP server configured on my Windows 10. When I turn off my Windows Firewall I can access the FTP server from other machines on the same LAN. But when I turn on the firewall, I cannot access the FTP. These are my firewall inbound rules that I feel are specific to my issue (I was thinking to snip and share full windows firewall rule list. But its huge. Please point me to any other rule that I need to tweak. I will snip it and share here.)

Inbound Rules enter image description here enter image description here

Outbound Rules enter image description here enter image description here

Please tell me what is ill configured. (Am on Windows 10)


Solution 1:

For FTP you will want to ensure you open both TCP ports 20 and 21. Additionally, if the server service running on the machine uses passive mode, then you will also need to open up the TCP port range the FTP server is configured to use.

Quick Port Breakdown

It appears you are running insecure FTP on TCP ports 20 and 21 (i.e. active and passive), and maybe also FTPS with implicit SSL on TCP port 990 and 989.

The FTP protocol uses a port/channel for the controls/commands and another port/channel for the data exchange portion of the client and server.

Insecure FTP

  • Command channel: TCP Port 21
  • Data channel (active): TCP port 20
  • Data channel (passive): <FTP Server configured TCP port range>

FTPS with implicit SSL

  • Command channel: TCP Port 990
  • Data channel (active): TCP port 989

Command Line Firewall (this section should fix the problem)

Run the below in command line elevated as administrator to create a Windows Firewall rule allowing inbound traffic to your FTP server service to communicate on the applicable command and data ports for any IP address and any profile scope of Windows OS classified networks.

You need to specify the program="<C:\FTPServer\FTPServer.exe>" value appropriate to your server or else use the service=<ftpsvc> in its place instead pointing to the service name instead.

netsh advfirewall firewall add rule name="FTP Inbound" dir=in action=allow program="%windir%\system32\svchost.exe" remoteip=any localip=any protocol=TCP localport=20,21,990,989 remoteport=20,21,990,989 profile=any

Run the below to disable stateful FTP filtering so that the firewall does not block any FTP traffic so you don't need to open up the entire passive port range to allow that traffic.

netsh advfirewall set global StatefulFTP disable

Windows Firewall GUI

Be sure that you have the scope defined in the rules so the IP address range of the LAN are allowed through or else allow any IP address through. Lastly, you will want to ensure the network adapters on the server are configured in a profile the firewall rule allows.

Ports

Note: Add the passive port range if applicable.

enter image description here

Scope

enter image description here

Profiles

enter image description here


Further Resources