problems using different different FTP port with windows firewall


problems using different different FTP port with windows firewall Paul
1/3/2008 8:08:59 AM
iis ftp:
Hi all. It would be fab if you could help me please!

I need to run 2 ftp sites on the same server (windows server 2003).
I've got the first one using port 21, but need the second ftp site to
use a different port I think (unless there's a way to get 2 ftp sites
working on port 21? binding?).

so, for my second ftp site I am using port 8001. it works ok with my
ftp client with the windows firewall off, but when I turn it on and
add port 8001 to it my ftp client doesn't want to connect any more.

I've noticed that my ftp client is actually connecting using port 8001
but then switches to an arbitrary port number afterwards when
finishing the connection. This port number changes each time, so it's
impossible to add it to the windows firewall! I think this is the
problem. the windows firewall doesn't support port ranges either (to
my knowledge?) so even if I knew a range I couldn't add it to the
firewall.

Any help anyone could offer would be greatly appreciated. Many thanks

Re: problems using different different FTP port with windows firewall Mike
1/3/2008 7:40:15 PM
In message
<1fb53f44-5f2a-4f01-a044-a4165bb9d64e@i12g2000prf.googlegroups.com>
Which FTP client? I had to make changes to mine when I moved to a
different firewall suite
--
Re: problems using different different FTP port with windows firewall Paul
1/4/2008 1:25:11 AM

How would I do that? Sorry, I am an FTP newbie!
I googled already and looked at all the official ports, and there's
not one that I could find that would be best to use as an alternative ftp
port.
Re: problems using different different FTP port with windows firewall Marius Farcas
1/4/2008 3:30:56 AM
Why 8001? Why don't you limit the number to the interval 0-1023?
8001 is a registered port. Because of standardization it is possible that
your firewall does not operate with the upper range ports.
There is a site that best describes every port ... Google it

Re: problems using different different FTP port with windows firewall Marius Farcas
1/4/2008 4:52:58 AM
Port Designations

TCP/IP has 65,536 ports available. As you can imagine, some ports are used much more than others. Ports are divided into three main groups or designations as follows:

Well-known ports: These port numbers range from 0 to 1,023. These are the most commonly used ports that have been used for the longest period of time.

Registered ports: These port numbers range from 1,024 to 49,151. Registered ports are used by applications or services that need to have consistent port assignments. These ports, like the well-known ports, are agreed upon by most organizations for standardization of use.

Dynamic or private ports: These port addresses range from 49,152 to 65,535. These ports are not assigned to any particular protocol or service and can therefore be used for any service or application.

It is common for applications to establish a connection on a well-known port and then move to a dynamic port for the rest of the conversation. It's important that you understand port numbers, because you may be configuring them for communication purposes as well as to provide filtering and therefore prevent communication of specified applications or services.

Use the upper ports (>49.152)

Let me know if this solved your problem ...


Re: problems using different different FTP port with windows firew Anteaus
1/4/2008 5:01:01 PM
I think you're all missing the point here, which is that FTP uses TWO ports,
control on a default of 21, and (active mode) data on a default of 20.

The port 20 connection is outbound, hence needs no router mapping. However,
you cannot have two concurrent services both 'owning' port 20 at the same
time, hence your problem.

In most cases the data default cannot be changed. A workaround however is to
use passive mode, which will allow you to set a range of high-order ports for
data, in the FTP server settings. These ports must also be mapped on the
router, of course, as they are inbound connections.

Either that, or use an SFTP server such as Filezilla Server.

BTW, 'registered ports' don't stand for much as far as private users are
concerned. They are more of a concern for app-developers who want to ensure
their app doesn't clash with others on the same computer.

Re: problems using different different FTP port with windows firewall Mike
1/4/2008 6:47:15 PM
In message
<35dfe6b2-4ca6-4e0e-895b-ce944affb918@i7g2000prf.googlegroups.com>
Which FTP client are you using?
--
Re: problems using different different FTP port with windows firew Alun Jones
1/15/2008 1:11:19 PM
It would be a very broken FTP server that bound its control channel to 8001
and its local end of active data channels to port 20.

IIS doesn't do that.

IIS does what the RFCs say it should do - if the control channel is 8001,
then the local end of any active data channel is port 8000.

Now, it's possible that something else is already bound to port 8000, which
could cause a problem.

More likely, the problem is due to a NAT router not recognising that it
needs to translate the IP address or port assignment given in the PORT
command.

Try running "ftp -d servername" from the command line, and watch the
commands going out - you'll see that the PORT command just prior to a data
transfer or file listing uses a local IP address. If the client is behind a
NAT, that NAT needs to be able to translate the PORT commands - and it can
only do that, if it knows that the traffic is FTP. It does this through a
software component called an "Application Layer Gateway" (ALG). The ALG in
most NATs is only sophisticated enough to monitor and modify FTP control
traffic on port 21.

You are right that passive mode would help - so would the use of the EPRT
command, or even IPv6, where you don't hide behind a NAT :)

Passive mode is most likely the most usable solution, as long as the FTP
server is not behind a NAT.

While we're talking about replacing the whole paradigm... If you switch to
SFTP (which is not related to FTP), you will have to get all your users to
switch to an SFTP client.

Sure they stand for something - a registered port is one less piece of
configuration information for a user to have to enter into their client app.

Alun.
~~~~
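
Added example, not part of the thread or any poster's code: a small Python check that decodes the host-port argument of `PORT` commands and `227` passive replies from an `ftp -d` style trace, derives the active-mode data port from the control port as described above (8001 gives 8000), and flags RFC 1918 addresses that a NAT would have to rewrite. The sample trace lines, the function names and the rule "the ALG only inspects control port 21" (taken from the post above) are assumptions of the example.

```python
import ipaddress
import re

# RFC 959 host-port argument: h1,h2,h3,h4,p1,p2 (six decimal bytes).
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def active_data_port(control_port):
    """Server-side source port for active-mode data: control port minus one."""
    return control_port - 1

def decode_hostport(line):
    """Return (IPv4Address, port) from a PORT command or 227 reply, else None."""
    if not re.search(r"\bPORT\b|^227\b", line.strip()):
        return None
    m = HOSTPORT.search(line)
    if not m:
        return None  # e.g. "200 PORT command successful." carries no address
    b = [int(x) for x in m.groups()]
    if any(v > 255 for v in b):
        return None
    return ipaddress.IPv4Address(".".join(map(str, b[:4]))), b[4] * 256 + b[5]

def audit(lines, control_port):
    """List every advertised data endpoint and whether a NAT must rewrite it."""
    findings = []
    for line in lines:
        decoded = decode_hostport(line)
        if decoded is None:
            continue
        ip, port = decoded
        internal = any(ip in net for net in RFC1918)
        findings.append({
            "ip": str(ip),
            "port": port,
            "needs_nat_rewrite": internal,
            # Assumption from the thread: the NAT's ALG only watches port 21.
            "likely_unrewritten": internal and control_port != 21,
        })
    return findings

# Constructed trace lines in the style printed by "ftp -d".
SAMPLE = [
    "---> PORT 192,168,1,10,19,137",
    "200 PORT command successful.",
    "---> NLST",
    "227 Entering Passive Mode (203,0,113,5,21,124)",
]
```

The ports decoded from `PORT` and `227` lines are the ones a firewall or router has to let through, so a fixed passive range on the server keeps that set predictable.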