Installing and configuring an FTP server for Windows. Installing and configuring a secure FTP server on FileZilla

Filezilla Server is among the most popular programs for running a server on a small corporate or home network. What are the features of setting up this program? What should you pay attention to when setting particular options in it?

Filezilla Server: installing the program

Before looking at the Windows 8.1 configuration that Filezilla Server needs in order to work, it is worth studying how the program is installed. Launch the installer and select the installation mode: standard, full, interface only, FTP only or custom. The standard mode installs the software with the user taking part in all the main stages of the installation. The full mode is broadly the same, but it also copies the program's source code to the computer. The “FTP only” mode installs only the FTP modules, without the interface for managing them from the administered computer; in this case the server is managed from a remote computer. The “interface only” mode installs only the management interface, which can be used to access a remote server. The “custom installation” mode allows various combinations of components, so the user can choose the ones that best suit the network. Experts generally recommend the standard installation. Next, select the directory in which the program will be installed, and then the model for installing and running the server. There are three possible options:

- installing the server as a service that starts when the computer boots;

- installing the server as a service that is started manually;

- a simple installation, with the software started manually.

In general, with the first option Filezilla Server should work without any problems. The interface can be launched in three ways:

- when the system boots, for any user;

- when the operating system starts, for a specific user;

- manually.

It will be useful to consider in more detail the criteria for choosing a particular interface loading model.

Installing Filezilla Server: choosing an interface boot model

This feature of the Filezilla Server software installation is of great importance in terms of protecting the server management modules from unauthorized access. Of course, when installing Filezilla Server, a firewall can be configured to minimize the likelihood of unauthorized connections to the network. Organization of access control directly to the computer should be considered as an equally significant aspect of security. If one user is working on a personal computer, then in all likelihood it will be possible to choose the first option for loading interfaces. If several people work on the computer, then in all likelihood the second option for loading interfaces will be more optimal. If you need to further increase the security of using the server, you can configure manual loading of interfaces. After the software in question is installed on the computer, the user will need to set the optimal IP address and port that is supposed to be used to organize access to the server. You must also set a program administrator password.

Filezilla Server: main program interfaces

Filezilla Server, which is configured in several stages, consists of two main interfaces. One of them is the FTP server itself. It functions as an independent system module and cannot be configured through any user interface from an administered personal computer. If necessary, this module can be found in the list of running system services through the operating system control panel. Using that Windows tool, the FTP server can be started and stopped if manual start was selected when the server was installed. As a rule, however, Filezilla Server starts automatically as a system service when the computer boots. The other is the interface used to control the main modules. As soon as it is launched, it connects to the modules that perform the server functions. When inactive, the management interface window is minimized to the system tray, next to the operating system clock. Let's now look at how the software is configured in practice using these interfaces of Filezilla Server.

Setting up Filezilla Server: what to pay attention to first?

What should you pay attention to first when setting up the Filezilla Server program? In some cases, some software functions related to monitoring network processes may be useful for a network administrator. For example, through the program control panel you can view the contents of the network process log. Here the actions of certain users who connected to the server are recorded. This interface will display a list of specific personal computers that are in contact with the server. In this way, you can monitor how network traffic is distributed. Another feature of the Filezilla Server program is the ability to use the solution interfaces from other personal computers. To do this, you just need to set specific settings in the service, which by default blocks server management from third-party computers. Experts do not recommend making any changes to the Security Settings options of the software in question. The thing is that when you make adjustments to these settings, you can accidentally set unnecessary restrictions on incoming and outgoing network connections. In the Miscellaneous option, similarly, users will have access to settings that will not have much significance from the point of view of correctly configuring the server. Such settings include prohibiting the display of passwords in interfaces and the size of data transfer buffers. Ensuring the functionality of the network will hardly depend on making changes to the corresponding group of settings. You will also likely not need to configure the Kerberos GSS protocol using the GSS Settings interface. Using the Admin Interface Settings interface, the user can set the optimal IP address and port that will be used to gain access to the server management modules. Please keep in mind that setting up your router has nothing to do with this Filezilla Server option. A different IP is registered on the router. 
If you use the option we were talking about, you can configure the IP addresses from which computers can access the server. With the Logging option, the administrator can enable recording of the various operations performed over network connections to separate files, and also set a limit on the size of these files. The Speed Limits option, through which the administrator can limit the speed of file transfer between a PC and the server, can be very useful. The limit can be set permanently or on a schedule. Another notable option in Filezilla Server, Filetransfer compression, helps to reduce traffic volumes. It can be set to the minimum or the maximum degree of file compression. You can also list IP addresses for which traffic compression will not be used.

Filezilla Server: Key Settings

Let's now take a closer look at how the most popular parameters of the Filezilla Server program are set. Setting up the program usually starts from the General Settings page. The software interface is in English. If the user selects this option, he can, for example, change the standard port for connection to some other one. Another setting option is to set the optimal number of users who can connect to the server with the software in question. The corresponding software interfaces also allow you to define settings to terminate communication with a personal computer that cannot correctly connect to the network.

Filezilla Server: IP Configuration

The next important point of the Filezilla Server program is setting up an FTP server in terms of registering IP addresses. In this case, we will talk about using the IP Bindings setting. Setting up an FTP server using this option of the Filezilla Server program can be done by specifying IP addresses through which other computers will connect to the administered one. The user has the opportunity to configure access to the server for personal computers that are located within the local network, or in a certain way to expand the powers of other computers. If you use the IP Filter setting, you can configure specific IP addresses, as well as a range of certain addresses from which it will not be possible to connect to the server. If necessary, you can set certain exceptions.

Passive mode settings

Another notable option in Filezilla Server is the passive mode setting. To use it, enable the Passive mode option in the program's interface. This setting generates the parameters needed for passive connections to the administered server. If you change some Filezilla Server settings, you may also need to configure your router. TP Link and other popular router manufacturers, for example, allow you to enter the necessary parameters in the device's software. The router must, of course, support the firewall and NAT functions for many of the necessary options to work. The user will most likely need to specify the IP address assigned by the provider; it can be found through the router's software interface. This can be done regardless of the operating system on which Filezilla Server is installed: Windows 7 is configured for access to the relevant addresses in the same way as Windows 8.1. In practice, the IP address settings usually need adjusting only when certain computers have problems connecting to the server.

Filezilla Server: Server Security Settings

Let's look at securing connections to the server. In Filezilla Server this means configuring SSL, which is done through the SSL/TLS Settings interface, where support for the corresponding protocols must be activated. With SSL/TLS enabled, logins and file contents are encrypted in transit; plain FTP sends them unencrypted. As a rule, the location of the private key and of the certificate, and the password, must be entered in the settings. It is worth noting that in practice such options are usually used by experienced system administrators. In general, you do not need to configure SSL when adjusting the default settings. You can also increase server security by filtering unsuccessful user connections.

Filezilla Server: setting up accounts

Another important group of settings for the software in question is related to the registration of user accounts. To create a new account, you need to select the Edit menu item, and then select the Users option. Next, you can work with user accounts. To add a new account, select Add. Then enter the user name, and, if necessary, the group to which the computer should belong. When the necessary settings are completed, you will need to set a password for the created account. You can also activate a limit on the number of connections to the server. Experts advise setting a password for accounts whenever possible, although in principle you can do without it. Technologically, this problem is solved quite simply, especially considering the versatility of the Filezilla Server program. Configuring Windows 7 for access to an external network and setting the necessary options in the Windows 8.1 operating system are performed using the same algorithms.

Filezilla Server: Configuring Folder Sharing

Another notable option in Filezilla Server is setting up folder sharing. For this purpose, you need to use the Share Folders module. To select directories to which you want to organize access, you must click on the Add button, and then select the desired item on the disk. The list of access rights to a particular folder is set in the same way. It is possible to configure operations such as writing, reading, deleting and making changes to files located in a particular directory.

If you need to create an external ftp server, you can use the Filezilla program. If you need an ftp server within a network, it is easier to share access to a folder using standard services.

If you haven't downloaded the program yet, do it right now. After installing and launching it, a small window will appear on your screen to log in.

The host to connect must be 127.0.0.1, port 14147, password - empty.

Now we need to move on to the settings of our future ftp server.

1. You need to create a user to connect to the server from outside. Go to the "Edit" menu and then select "Users"

2. Click the “ADD” button and enter the user name (account) in the very first field

3. Now you need to add a folder to which the user will connect. Click the "add" button in "shared folders". I added a desktop wallpaper folder.

Password

If you need to specify a password for a user, simply check the box next to "password" and enter it.

Data transfer rate

If you need to limit the data transfer speed for a certain user, go to the "Speed Limits" section.

IP filters

To prevent other users from connecting to your server, create your own blacklist on the "Ip filter" tab.

Now click the OK button and try to connect to the server using any FTP client. My connection went without problems, and I ended up in the Wallpaper folder.

But what if a friend or someone you know wants to connect? Only you can connect to the IP address 127.0.0.1, which means you must give them your current IP address. If no one, not even you, can connect to the real IP address, there are two possible causes of the error.

Connection problems

1. Windows Firewall is enabled. By the way, it was precisely because of this that the connection from outside did not work

2. The Internet works through a router. In this case you will need to register a route on the router to your local IP address for port 21.

Turn off firewall

In Windows XP you need to log in.

Register the route in the router

Unfortunately, I don't know the settings of every router, but I can show how this is done using Zyxel as an example. We go into the router's management interface at 192.168.1.1 and find the NAT section. In this section you need to specify the "Ftp" service and the local IP address of the computer running Filezilla (for example, 192.168.1.33; yours may be different). Do not confuse it with the real one.

What happens after adding a rule? When a user accesses your real IP on port 21, the router will connect the user to the FileZilla Server program.

If the connection was successful, you can see the connected user in the log, and also see why this or that user was unable to connect.

Hello admin, please explain to me what an FTP server is and can I create it myself on my computer?

In short, I have a regular system unit and three laptops at home, and all these machines are connected to the Internet via a router. Can I make a real FTP server out of the desktop computer and download and upload files to it directly from all the laptops? It's just that the regular computer has a 3 TB hard drive installed and it turns out that no one uses it; all my relatives prefer laptops that are already running out of disk space.

Hello friends! Our Ro8 wrote a great article for you on this topic, read it.

Firstly, FTP is a protocol for transferring files over the Internet using the client-server principle, and an FTP server is a file storage on the Internet, that is, an ordinary computer with Windows 7, 8.1 or Windows Server 2012 installed and several large-capacity hard drives on which any of your files can be located. This computer has a program installed, for example FileZilla Server. Anyone else can connect to this computer using the command line, Windows Explorer or various programs; we will consider two in our article: FileZilla Client and Total Commander. After connecting to an FTP server, you can upload any files (movies, music, etc.) to it and also download them.

The FTP server will be controlled by the administrator who installed the FileZilla Server program. This is where you can assign different access rights to each user (the ability to change files on the server): Append (the ability to change files), Read (read only), Write (record), Delete (delete). Naturally, most users do not need to be given Delete rights.

  • Note: Almost any computer or laptop (even with one hard drive) can be made into an FTP server to which other computers connect to receive files, and it is not at all necessary that all the computers be connected to one router. An FTP server can be created on the Internet and given access to hundreds and thousands of users.

How the work happens

As a software implementation of an FTP server, the article will consider the FileZilla Server program, which will be installed on a machine with Windows Server 2012

Also, the machine from which the connection to the created FTP server will be made is a computer with pre-installed Windows 8.1 Enterprise (x64)

In order for a machine with Windows 8.1 to connect to the FTP server, the FileZilla Client program will be installed on it (one of the methods of connecting using this program)

Go to https://filezilla-project.org and download FileZilla Server and FileZilla Client

We run the downloaded FileZilla Server file on the machine with Windows Server 2012, and the FileZilla Client file on the Windows 8.1 machine. Both programs are installed the same way. First of all, let's install the FileZilla Server program.

Installing FileZilla Server

After running the downloaded FileZilla Server file on Windows Server 2012, click next

Click Install

Install

FileZilla Server installation process

Installation completed

After installation, a window like this will open in which we enter the local address of the FTP server and click OK

After entering the local FTP server address, the main window of the FileZilla Server program will appear

Let's make some settings by selecting Edit-Users

On the General tab, to add a new user, click on the Add button

Enter your username. OK

Next to Password, check the box and enter the password of the added user

Go to the Shared Folders tab. On this tab we will add the folder FTP01 which will be available to the created user Ro8. Click Add

Specify the previously created folder FTP01. OK

Select the added folder and specify access rights for it: - Read (read only), Write (write), Delete (delete), Append (the ability to change files in this folder)

Determining the IP address of a machine running Windows Server 2012 (192.168.1.4)

Installing FileZilla Client

We switch to a machine with Windows 8.1 and install the FileZilla Client program

We accept the license agreement

Installation

Installation completed

We have a network represented in the diagram

Let's connect to the FTP server in various ways.

Connect to the FTP server using the command line

On a machine with Windows 8.1, launch the command line.

Specify the username (Ro8) and enter the password. The password is not displayed when entering

Logged on means that we have logged into the FTP server

Create a folder My_Backup_win8.1 on the FTP server by entering the command mkdir My_Backup_win8.1

Let's look at the list of folders on the FTP server by entering the ls command

As you can see, there is a folder My_Backup_win8.1 on the FTP server

Close the connection to the FTP server by entering the bye command

Connecting to an FTP server using the Total Commander program

Let's launch the Total Commander file manager on a machine with Windows 8.1. To set up a connection to the FTP server, click on the button shown in the screenshot

Click Add

We specify the connection name (optional), server and port (the server is the IP address of the FTP server, the port is set to 21). We also indicate the username and password. OK

Select the created FTP connection and click Connect

Connection to FTP server established

To disconnect from the FTP server, click Disconnect

Disconnection from FTP server completed

Connecting to an FTP server using the program FileZilla Client

Let's launch the FileZilla Client program

The main program window will open

Continuing the topic of transferring files over the Internet, today I’ll talk about the FTP server. Although I gave my preference, the FTP server should not be overlooked, since this is a very popular method of transferring files. So, a little theory. What is FTP?

FTP stands for File Transfer Protocol and is used for exchanging files between computers via the Internet or a local network. To log into an FTP server, a regular browser or even Windows Explorer is enough. The only condition is that port 21 (used by default, but it can be replaced with your own) must be open. So, if you have a firewall or a router, you will have to dig out the instructions for forwarding port 21.

So, let's move on to setting up an FTP server.

1) And the first thing we need is to add components to our operating system. To do this, go to “Control Panel” → “Programs” → “Programs and Features” and click the button on the left “Turn Windows features on or off”:

2) In the list that opens, we need to enable the group of components “IIS Services”, namely: “FTP Server”, “Internet Services” and “Website Management Tools”. It should look the same as in the screenshot:

Click OK and wait for the installation of components to complete. Depending on the edition of your operating system, you may need a Windows installation disc.

In the window that opens, in the left column, open the tree to the “Sites” tab and right-click on this tab. Select “Add FTP site”:

We indicate the name of the site and the directory that will be accessed via the FTP protocol:

Specify the parameters for launching the FTP server. If you do not want the server to start automatically when the system starts, uncheck the box. In the SSL subsection, check “Without SSL”:

On the next page, check the boxes next to “Anonymous” and “Plain” and click done:

The FTP site has been created, let's continue with the setup.

4) Go to “Control Panel” → “System and Security” group → “Windows Firewall” and select “Advanced settings” in the left column:

Go to the “Rules for incoming connections” tab. You need to find and include two items:

— FTP server (incoming traffic);
— FTP server traffic in passive mode (incoming FTP traffic in passive mode).

To do this, right-click on the rule and select “Enable Rule”:

Then go to the “Rules for outgoing connections” tab and enable the “FTP server traffic (outgoing FTP traffic)” rule:

If you have a firewall or router installed, you need to open port 21 (TCP) for incoming connections and port 20 (TCP) for outgoing connections.

5) It is necessary to create a user who will have full access to the server via FTP (write/delete). First you need to create a new user group. Therefore, go to “Control Panel” → “System and Security” group → “Administration” → “Computer Management”. In the left part of the window, select the section “Local users and groups” → “Groups”. Right-click on the empty space in the central part of the window and select “Create group...”:

Enter the name and description of the group and click the “Create” button:

Go to the “Users” tab and, by analogy, click on an empty space and select “New User”:

We enter the data and come up with a password (at least eight characters). We also check the boxes for “Prohibit the user from changing the password” and “Password does not expire”:

Open the properties of the new user by right-clicking on it. Go to the “Group Membership” tab. Click the “Add” button → “Advanced” → “Search” and select the group that we created a few minutes ago. Click OK.

Click the “Add” button and add the group that we created. We give the group full access by checking the appropriate box at the bottom of the window:

Click OK to apply the changes.

Go to “Control Panel” → “Network and Security” group → “Administrative Tools” and open “IIS Services Manager” → “Sites” and select our site:

Select “Specified roles or user groups” and enter the name of our group. Give this group read and write permissions and click OK.

We return to the site and go to “FTP Logging”.

Specify the maximum log size or disable it completely. Click “Apply” on the right:
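An added example, not from the original article: a Python audit of the kind of settings this walkthrough produces (no SSL, Anonymous plus Basic authentication, read/write for a group), run over a constructed applicationHost.config fragment. The site name HomeFTP and the group ftp_users are placeholders, and how the wizard stores the “Without SSL” choice is an assumption labelled in the code.

```python
import xml.etree.ElementTree as ET

# Constructed fragment in the layout of IIS's applicationHost.config (not taken
# from the page). Assumption: the wizard choices above ("Without SSL",
# Anonymous + Basic, read/write for a group) are stored roughly like this.
# "HomeFTP" and "ftp_users" are placeholder names.
SAMPLE_CONFIG = """\
<configuration>
  <system.applicationHost>
    <sites>
      <site name="HomeFTP" id="2">
        <bindings>
          <binding protocol="ftp" bindingInformation="*:21:" />
        </bindings>
        <ftpServer>
          <security>
            <ssl controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow" />
            <authentication>
              <anonymousAuthentication enabled="true" />
              <basicAuthentication enabled="true" />
            </authentication>
          </security>
        </ftpServer>
      </site>
    </sites>
  </system.applicationHost>
  <location path="HomeFTP">
    <system.ftpServer>
      <security>
        <authorization>
          <add accessType="Allow" roles="ftp_users" permissions="Read, Write" />
        </authorization>
      </security>
    </system.ftpServer>
  </location>
</configuration>
"""

# Control-channel policies under which credentials are always sent over TLS.
TLS_FOR_LOGIN = {"SslRequire", "SslRequireCredentialsOnly"}


def _enabled(parent, tag):
    """True when <tag enabled="true"> exists under parent."""
    node = parent.find(tag) if parent is not None else None
    return node is not None and node.get("enabled", "false").lower() == "true"


def _csv(value):
    """Split a comma-separated attribute into a lower-cased set."""
    return {item.strip().lower() for item in (value or "").split(",") if item.strip()}


def audit_ftp_sites(xml_text):
    """Return {site name: [finding, ...]} for each site with an <ftpServer>."""
    root = ET.fromstring(xml_text)
    # Authorization rules sit in <location path="<site name>"> blocks.
    rules = {
        loc.get("path"): loc.findall("system.ftpServer/security/authorization/add")
        for loc in root.iter("location")
    }
    report = {}
    for site in root.iter("site"):
        ftp = site.find("ftpServer")
        if ftp is None:
            continue  # a web-only site
        findings = []
        ssl = ftp.find("security/ssl")
        # A missing attribute is reported as well, so the effective default
        # gets checked by hand rather than assumed.
        control = ssl.get("controlChannelPolicy") if ssl is not None else None
        data = ssl.get("dataChannelPolicy") if ssl is not None else None
        auth = ftp.find("security/authentication")
        if control not in TLS_FOR_LOGIN:
            findings.append("control-channel-tls-not-required")
            if _enabled(auth, "basicAuthentication"):
                findings.append("basic-auth-allowed-without-tls")
        if data != "SslRequire":
            findings.append("data-channel-tls-not-required")
        if _enabled(auth, "anonymousAuthentication"):
            findings.append("anonymous-login-enabled")
        for rule in rules.get(site.get("name"), []):
            # users="*" is everyone and users="?" is anonymous users.
            if (rule.get("accessType") == "Allow"
                    and "write" in _csv(rule.get("permissions"))
                    and _csv(rule.get("users")) & {"*", "?"}):
                findings.append("write-granted-to-everyone-or-anonymous")
        report[site.get("name")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_ftp_sites(SAMPLE_CONFIG).items():
        print(name, findings or "no findings")
```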

That's all. I hope you found this article useful.

Thank you for your attention:)

This section will briefly review the history and technical details surrounding the FTP protocol. See specifications for details.

Historical information

Against the backdrop of the rapidly developing Internet, the FTP protocol looks not just old, but truly archaic. Early draft protocol specifications date back to 1971, and the current specification began in 1985. Over the past two decades, the protocol has not changed at its core.

In those days, the Internet was used mainly by universities and research centers. The user community was small, most of them knew each other and everyone worked together. The Internet was a friendly network and there was no security issue as such.

Those days are gone and a lot has changed. Technological progress has progressed faster than anyone could have imagined, while a new generation of users has grown up. The Internet is now a ubiquitous phenomenon, allowing millions of people to communicate with each other in many different ways. The main tangible change: the Internet has become hostile. The accessibility and openness of the network has attracted malicious users who actively exploit the mistakes and inexperience of others.

A side effect of this development of events was the following phenomena:

  • NAT routers. Most of the network uses IPv4, which has limited address space (IPv6 is designed to solve this problem). NAT routers allow systems with many devices to share the same IP address.
  • Personal firewalls to protect users from defects in operating systems and applications.

In most cases, these phenomena conflict with the operation of the protocol. The situation is worsened by shortcomings in the routers and firewalls themselves.

However, when configured correctly, FTP offers a reliable and proven method for transferring files.

Technical details

The main difference between FTP and other protocols is the use of secondary connections for file transfer. When connecting to an FTP server, a so-called control connection is created, through which protocol commands and the responses to these commands are transmitted. In order to transfer a file or directory listing, the client must send commands via the control connection, after which a data connection is created.

There are two ways to create this connection: active and passive modes.

In passive mode, which is the recommended mode, the client sends a PASV command to the server, to which the server responds with an address. The client then sends a command to transfer the file or directory listing and creates a secondary connection at the address that was received from the server.

In active mode, the client opens a socket on the local device and sends the socket address to the server using the PORT command. After sending a file transfer or listing command, the server creates a connection to the specified address that was specified by the client.

In both cases, the file/listing will be transferred over the data connection.

Creating outgoing connections requires setting fewer parameters for routers/firewalls than creating incoming connections. In passive mode, the connection is outgoing from the client and incoming to the server. In active mode, the client and server change roles - incoming connection for the client and outgoing connection for the server.

Please note that the difference is only in the order of connection, after creating a data connection, data can be either downloaded or uploaded.

A typical network configuration might look like this:

Thus, in passive mode, the router and server-side firewall must be configured to accept and forward incoming connections. On the client side, in turn, only outgoing connections need to be allowed, and in most cases outgoing connections are allowed.

Similarly, in active mode, the router and firewall on the client side must be configured to accept and forward incoming connections. Obviously, on the server side, only outgoing connections should be allowed.

Because the server usually serves many clients, it is much easier to configure the router and server-side firewall once for passive mode than to configure the client router/firewall for each client in active mode. This is why passive mode is recommended.

NAT routers

Most broadband users have a NAT router located between their computer and the network. This can be a standalone device (possibly a wireless router), or a router built into a DSL or cable modem. In a NAT environment, all devices behind the router form a local network (LAN), and each device on the network has a local IP address (four small numbers separated by dots). The NAT router, in turn, has its own local IP address, as well as an external IP address for identification on the global network. Local addresses are only valid within the LAN; they have no meaning for a remote device. Example:

Let's assume that the server is behind a NAT router. Let's simulate a situation in which the client connects in passive mode, but the server is not provided with the external IP address of the router. In this case, the server sends its local address to the client, after which two things can happen:

  • If the client is not located inside a NAT, the connection will be broken because the server address is not valid.
  • If the client is located inside a NAT, the server address may match the address of the device on the client's own network.

Obviously, in both cases the passive mode will not work.

Thus, if the server is behind a NAT router, it must be given the router's IP address for passive mode to operate. In both cases, the server sends the external address of the router to the client. The client creates a connection with the router, which in turn passes the connection to the server.

Firewalls

The purpose of a personal firewall is to protect the user from security vulnerabilities in the operating system or the applications used. Malicious applications, such as worms, often use these vulnerabilities to infect your system over the network. Firewalls help avoid such cases.

Especially when using FTP, firewall users may receive messages like this:

Trojan Netbus is blocked on port 12345, which is used by the FileZilla.exe process

In almost all cases this message is a false alarm. Any application can select any port for communication over the Internet. It may happen that FileZilla chooses a port that happens to be the default port for a Trojan or other malicious program. The FileZilla distribution downloaded from the official website does not contain viruses.

Smart routers, firewalls, and data sabotage

Some routers or firewalls are quite smart. They analyze connections and, when an FTP connection is detected, silently replace the data transmitted between the client and server. This behavior is data sabotage and can cause trouble if the user has not explicitly allowed this behavior.

Let's give an example. Let's assume that the client is behind a NAT router and is trying to connect to the server. Let's also assume that the client is unaware that it is behind NAT and is using active mode. The client sends a PORT command with its local, non-routable IP address to the server:

PORT 10,0,0,1,12,34

This command tells the server to connect to address 10.0.0.1 on port 12*256+34 = 3106

After this, the NAT router silently rewrites the command so that it carries the external IP address, and also creates a temporary port for forwarding the FTP session, possibly even on a different port:

PORT 123,123,123,123,24,55

This command tells the server to connect to 123.123.123.123 on port 24*256+55 = 6199

This behavior lets a NAT router make active mode work for an incorrectly configured client.

Why is this behavior not acceptable? If this feature is used by default, without the user's consent, many problems arise. An FTP connection will fundamentally work, but once trivial use cases are exhausted, the transfer will fail, leaving little means of diagnosing the problem.

  • A NAT router blindly assumes that some connections belong to FTP based on data such as target ports or server responses:
    • There is no guarantee regarding the protocol used, despite automatic detection (such cases are called false alarms). Although it is unlikely, it is possible that the syntax of the PORT command may change in future versions of the FTP protocol. A NAT router, by modifying the PORT command, changes parameters that it does not support without the user's knowledge, which will cause the connection to be broken.
    • The router's protocol definition may not recognize FTP. Let's assume that the router only monitors the target port, and if this port is 21, it will be recognized as FTP. Active mode connections from an incorrectly configured client to a server on port 21 will work, but connections to other servers on non-standard ports will not.
  • Obviously, the NAT router will not be able to modify the connection if the FTP session is encrypted, leaving the user at a loss, because only unencrypted connections will work.
  • Let's assume that a client behind a NAT router sends "PORT 10,0,0,1,12,34". How does the NAT router know that the client is configured incorrectly? It is also possible for a properly configured client to initiate an FXP (server-to-server) transfer between the server to which it is connected and a device that is located on the server's local network.

As we can see, protocol-specific features enabled by default on a NAT router can cause a lot of problems. A good NAT router always handles traffic in a fully protocol-agnostic way, without information about the protocol itself. An exception may be the case when the user has explicitly enabled this feature and is aware of all the possible consequences.

In this subsection we looked at the combination of a NAT router on the client side and active mode. The same reasoning applies in the case of a server behind NAT and responses to the PASV command.
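A small diagnostic for the two NAT situations described in this section (a host that advertises its local address in a PASV reply or PORT command, and a router that rewrites the PORT command in transit), as an added example that is not part of the original article or of FileZilla. The function names and the 192.168.1.10 PASV reply are assumptions made for illustration; the two PORT lines are the ones shown above.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as carried by PORT commands and 227 (PASV) replies
_TUPLE = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")
# RFC 1918 ranges: addresses that are only valid inside a LAN
_LAN = [ipaddress.ip_network(n)
        for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_endpoint(line):
    """Return (IPv4Address, port) from a PORT command or a 227 reply."""
    m = _TUPLE.search(line)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % line)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("field above 255 in %r" % line)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]


def is_lan(ip):
    """True for an address that has no meaning outside its own LAN."""
    return any(ip in net for net in _LAN)


def classify(line, control_peer):
    """Compare the advertised data endpoint with the control-connection peer.

    control_peer: for a 227 reply, the server address the client dialled;
    for a PORT command, the client address as the server sees it.
    """
    ip, _port = parse_endpoint(line)
    peer = ipaddress.IPv4Address(control_peer)
    if ip == peer:
        return "ok"
    if is_lan(ip) and not is_lan(peer):
        return "lan-address-advertised"   # sender was not given its external IP
    return "address-mismatch"             # FXP, multi-homed host, or a rewrite


def was_rewritten(sent_line, received_line):
    """True if the endpoint changed between the client log and the server log."""
    return parse_endpoint(sent_line) != parse_endpoint(received_line)


# Constructed samples; the two PORT lines are the ones quoted in the text.
SENT = "PORT 10,0,0,1,12,34"
SEEN = "PORT 123,123,123,123,24,55"
PASV = "227 Entering Passive Mode (192,168,1,10,195,80)"
```

Comparing the same session's client and server logs with `was_rewritten` shows whether a router modified the command, which is otherwise invisible to both ends.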

Setting up the FileZilla client

Obviously, to connect to any server, your firewall must allow FileZilla to do this. Most regular FTP servers use port 21, SFTP servers use port 22, and FTP over SSL/TLS (implicit mode) defaults to port 990. Port numbers are not hard-coded, so it is best to allow outgoing connections on any port.

Because there are many incorrectly configured servers on the Internet, as well as servers that do not support both transmission modes, it is recommended that you have both transmission modes available on your side.

Passive mode

The client cannot control which port the server chooses for data transfer in passive mode, so to use passive mode you need to allow outgoing connections on any port on your computer.

Active mode

In active mode, the client opens a socket and waits for a connection from the server to transmit.

By default, the FileZilla client asks the operating system for an IP address and a free port number. This configuration will only work if there is a direct connection to the Internet without NAT routers, and your firewall must also allow the creation of connections on all ports above 1024.

If you have a NAT router, you need to tell FileZilla the external IP address, otherwise active mode connections will not work for servers outside your local network:

  • A static IP address can be specified in the FileZilla settings dialog.
  • If your IP address is dynamic, you have the option to allow FileZilla to obtain an external IP address from a special site automatically every time you launch it. No information will be transferred from you to this site other than the version of the FileZilla client you are using.

If you don't want to allow incoming connections on all ports, or your computer is located behind a NAT router, tell FileZilla to use a specific range of ports for connections in active mode. This range will also need to be opened in your firewall. If you have a NAT router, you need to forward these ports to the local computer where FileZilla is installed. You can forward a range of ports, or each port individually, depending on the model of your router.

Setting up and testing the FileZilla server

Setting up a server for the most part repeats setting up a client; the main difference is that in the case of a server, active and passive modes change roles.

It is important to note that servers are very often tested incorrectly; owners of NAT routers make this mistake especially often. While inside the local network, you will be able to test the server only using the local IP address. Using an external address within the local network will not work in most cases for one of the following reasons:

  • The router will block access to its external address from inside the local network as a possible attack.
  • The router will forward the connection to your ISP, who will block it as a possible attack.

Even if you were able to connect, you have no guarantee that a user from the external network will be able to do so and, in addition, upload files to your server. The only reliable means of checking the server's operation is a connection from outside your local network.

Active mode

Make sure that the FileZilla server is allowed to create outgoing connections on any port, because in this mode the client determines the port to connect to.

On the local side of the connection, the FileZilla server tries to use a port value one lower than the port for the control connection (for example, port 20 if the server accepts connections on port 21). However, this is not always possible, so you should not count on it always being the case.

Passive mode

Setting up the server in this case practically repeats setting up the client in active mode.

In passive mode, the server opens a socket and waits for a connection from the client.

By default, the FileZilla server asks the operating system for the computer's IP address and a free port. This configuration only works if the computer is directly connected to the Internet without NAT routers and the firewall is set to allow incoming connections on all ports above 1024.

If you have a NAT router, you need to tell the FileZilla server your external IP address, otherwise passive mode connections will only work within the local network:

  • A static IP address can be specified in the FileZilla server settings dialog.
  • If your IP address is dynamic, you have the option to allow the FileZilla server to obtain an external IP address from a special site automatically every time it starts. No information will be transferred from you to this site other than the version of FileZilla server used.

If you are unsure of your choice, use the second option.

If you don't want to allow incoming connections on all ports, or your computer is located behind a NAT router, tell the FileZilla server to use a specific range of ports for connections in active mode. This range will also need to be opened in your firewall. If you have a NAT router, you need to forward these ports to the local computer on which the FileZilla server is installed. You can forward a range of ports, or each port individually, depending on the model of your router.

Available ports range from 1 to 65535, ports below 1024 are reserved for other protocols. For active FTP mode, the best choice is a port number equal to or higher than 50000. Due to the design of the TCP protocol (the protocol that is below the FTP layer and is used for data transfer), the port cannot be reused immediately after each connection. Therefore, the port range should not be too narrow, otherwise you will not be able to transfer many small files. In most cases, a range of 50 ports is sufficient.

Problem solving

Unfortunately, many personal firewalls and custom routers have their own shortcomings or, in some cases, are even capable of sabotaging FTP (for example, SMC Barricade v1.2).

First of all, use the latest stable versions of software, including firewall and router firmware.

If this doesn't help, you can try uninstalling your firewall to analyze the situation. Simply disabling the firewall does not always help, because some firewalls cannot be completely disabled.

If possible, try connecting to the Internet directly without a router.

If you are trying to set up a server and it works fine inside your local network, but is not accessible outside it, try changing the connection port. Some providers do not allow their clients to host servers and block ports below 1024.

Another possible issue could be that your FTP server is using the default port 21. There may be a firewall on your ISP's side that may unexpectedly change the port for the PASV command. Try using a different port than the default port for your FTP server.

If from time to time you see the message “cannot open data connection”, i.e. the FTP client connects to the FTP server without difficulty a number of times before this message appears, a possible cause is antivirus software on the client PC that is configured to block outgoing connections on a certain range of ports. When the server is running in passive mode, the client's outgoing ports are determined randomly, and when a chosen port falls within the blocked range, you will receive an error message. For an accurate diagnosis, look at the antivirus logs on the client machine that receives this error. In general, any software that can block a range of outgoing ports can cause these types of problems.

Timeouts when transferring large files

If the transfer of small files occurs without problems, but the download of large files is terminated by a timeout, the reason for this is an incorrectly configured router and/or firewall located between the client and server.

As mentioned above, FTP uses two TCP connections: a control connection for sending commands and receiving responses to commands, and a data connection. Due to the operating principle of FTP, the control connection is not used during file transfer.

The TCP specification does not specify a time limit for storing an idle connection. The connection is expected to persist indefinitely until it is explicitly closed. However, most routers and firewalls automatically close idle connections after a period of time. Moreover, in most cases, a connection is terminated without notification to its participants. In the case of continuous data transfer via FTP, this means that the control connection may be broken, but neither the client nor the server will be notified about this. Thus, after all the data has been transferred, the server still expects that the control connection can be used and sends a transfer confirmation to the client through it. Likewise, the client is ready to use the control connection and is waiting for a response from the server. But, because the control connection was closed, this response will never be delivered, resulting in a timeout.

To solve this problem, the TCP specification provides a way to send packets that maintain an unused connection, informing participants that the connection should be kept for future use. However, the TCP specification explicitly states that such packets can be transmitted no more than once every two hours. For this reason, allowing for network delays, the lifetime of an unused connection is set by the specification at 2 hours and 4 minutes.

The obstacle to this is that many routers and firewalls drop connections that have been idle for less than 2 hours and 4 minutes. This behavior violates the TCP protocol specification; RFC 5382 states this quite clearly. In other words, routers and firewalls that terminate the connection before the required moment cannot be considered working, because they cannot be used for long-term data transfers via FTP. Unfortunately, consumer router manufacturers and firewall vendors don't care about meeting specifications.

To solve this problem, you need to remove such firewalls and replace the malfunctioning router with a high-quality one.

Setting up a FileZilla server under Windows Firewall

If you experience problems setting up a FileZilla server while Windows Firewall is running (especially if a client connecting to such a server receives the error message "Unable to obtain directory listing"), you need to add the FileZilla server to the Windows Firewall exceptions list. To do this, follow these steps:

  • Open Windows Firewall from Control Panel
  • If you're using Vista, click "Change Settings"
  • Select the "Exceptions" tab
  • Click "Add a program.."
  • DO NOT select "FileZilla Server Interface" from the list, you need to click on "View..."
  • Find the FileZilla server installation directory (usually "C:\Program Files\FileZilla Server\")
  • Select "FileZilla server.exe" and click open (again, DO NOT SELECT "FileZilla Server Interface.exe")
  • Select "FileZilla server.exe" from the list and click "Ok"
  • Make sure that "FileZilla server.exe" is in the exceptions list and check the appropriate box
  • Click "Ok" to close the window

This ensures that passive mode works. If after this you still experience connection problems (inside or outside the network), check your router settings or try adding a port number in the Windows Firewall settings in the "Exceptions" tab.

Refer to Microsoft KB article 931130, which describes how FileZilla works with Routing and Remote Access or Application Level Gateway enabled.