Not able to access FTP server from other machines in same LAN when Windows Firewall is ON
I have an FTP server configured on my Windows 10. When I turn off my Windows Firewall I can access the FTP server from other machines on the same LAN. But when I turn on the firewall, I cannot access the FTP. These are my firewall inbound rules that I feel are specific to my issue (I was thinking of snipping and sharing the full Windows Firewall rule list, but it's huge. Please point me to any other rule that I need to tweak. I will snip it and share here.)
[Screenshot: Inbound Rules]
[Screenshot: Outbound Rules]
Please tell me what is misconfigured. (I'm on Windows 10.)
Solution 1:
For FTP you will want to ensure you open both TCP ports 20 and 21. Additionally, if the server service running on the machine uses passive mode, then you will also need to open up the TCP port range the FTP server is configured to use.
Quick Port Breakdown
It appears you are running insecure FTP on TCP ports 20 and 21 (i.e. active and passive), and maybe also FTPS with implicit SSL on TCP ports 990 and 989. The FTP protocol uses a port/channel for the controls/commands and another port/channel for the data exchange portion of the client and server.
- Command channel: TCP port 21
- Data channel (active): TCP port 20
- Data channel (passive): <FTP server configured TCP port range>
FTPS with implicit SSL
- Command channel: TCP port 990
- Data channel (active): TCP port 989
Command Line Firewall (this section should fix the problem)
Run the below in command line elevated as administrator to create a Windows Firewall rule allowing inbound traffic to your FTP server service to communicate on the applicable command and data ports for any IP address and any profile scope of Windows OS classified networks.
You need to specify the program="<C:\FTPServer\FTPServer.exe>" value appropriate to your server, or else use service=<ftpsvc> in its place, pointing to the service name instead. (The remote port is left as any: clients connect from ephemeral source ports, so restricting remoteport to the server ports would block their connections.)
netsh advfirewall firewall add rule name="FTP Inbound" dir=in action=allow program="%windir%\system32\svchost.exe" remoteip=any localip=any protocol=TCP localport=20,21,990,989 remoteport=any profile=any
Run the below to disable stateful FTP filtering so that the firewall does not block any FTP traffic so you don't need to open up the entire passive port range to allow that traffic.
netsh advfirewall set global StatefulFTP disable
Windows Firewall GUI
Be sure that you have the scope defined in the rules so the IP address range of the LAN is allowed through, or else allow any IP address through. Lastly, you will want to ensure the network adapters on the server are configured in a profile the firewall rule allows.
[Screenshot: Ports] Note: Add the passive port range if applicable.
[Screenshot: Scope]
[Screenshot: Profiles]
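The same rules (command/active ports, passive range, LAN scope, profiles) can be created and verified with PowerShell; this is an added example, not part of the answer above. It assumes IIS FTP (service name ftpsvc), a LAN subnet of 192.168.1.0/24 and a passive range of 50000-51000, all of which are placeholders to adjust.

```powershell
# Added example: scoped Windows Firewall rules for an FTP server, plus the checks that
# explain "works with firewall off, fails with firewall on". Run elevated.
$LanSubnet    = '192.168.1.0/24'   # assumed LAN range; replace with your own subnet
$PassiveRange = '50000-51000'      # assumed passive data range configured on the FTP server
$ServiceName  = 'ftpsvc'           # assumed: IIS FTP service (hosted in svchost.exe)

# Control channel (21), active-mode data (20) and the FTPS implicit ports (990/989)
New-NetFirewallRule -DisplayName 'FTP Inbound (control/active data)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 20,21,989,990 `
    -RemoteAddress $LanSubnet -Profile Domain,Private -Service $ServiceName | Out-Null

# Passive-mode data channel: the server listens on its configured range, so allow it too
New-NetFirewallRule -DisplayName 'FTP Inbound (passive data)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $PassiveRange `
    -RemoteAddress $LanSubnet -Profile Domain,Private -Service $ServiceName | Out-Null

# Check 1: which profile each adapter is on. A rule limited to Domain/Private never
# matches an adapter that Windows classified as Public.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# Check 2: the rules' enabled state, profiles, ports and remote scope
Get-NetFirewallRule -DisplayName 'FTP Inbound*' | ForEach-Object {
    [pscustomobject]@{
        Rule     = $_.DisplayName
        Enabled  = $_.Enabled
        Profile  = $_.Profile
        Ports    = ($_ | Get-NetFirewallPortFilter).LocalPort -join ','
        RemoteIP = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    }
}

# Check 3: current stateful FTP filtering setting (only exposed through netsh)
netsh advfirewall show global | Select-String 'StatefulFtp'
```

From another LAN machine, Test-NetConnection -ComputerName <server> -Port 21 confirms the control port is reachable before testing a passive data transfer.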
Further Resources
- FTP Connection Modes (Active vs. Passive)
- Firewall Rule Properties Page: Scope Tab
- Understanding Firewall Profiles
- How to Configure Windows Firewall for a Passive Mode FTP Server