#1
Required FTP ports
Hey,
I have a quick question. For a temporary firewall I just want to use TCP/IP filtering. I blocked all ports but TCP 80, 20, and 21. The http web hosting works fine but when I try to connect to the ftp it will not allow me. Are there any UDP, IP or other TCP ports I need to allow to let the ftp server work? Thanks for the help.
#2
Update:
The required port I am looking for allows local connections. It will allow people to connect outside of the network but not internally. Thanks.
#3
You should be able to connect via FTP if port 21 is open.
__________________
====== Doug G ====== "Hide, hide witch! The good folk come to burn thee. Their keen enjoyment hid behind their gothic mask of duty." -Mark Clifton
#4
We should but for some reason that's not the case. The server log has us connected and disconnects after a timeout. So that means TCP/IP filtering is blocking outgoing traffic on some other port, right?
Thanks for the help.
#5
If you are connecting to a passive FTP server, then you will need to allow the internal boxes to connect to that FTP server on the random ports. Passive FTP servers have the users make the data connection on random ports, instead of the standard FTP server making the connection to the client on ports 20 and 21. This is to allow the firewalls to not allow connections from outside in, but allows the client to make the connection and the firewall to allow only the responses in. That is why standard IP-based firewalls suxxors, and you will never get this to work without a layer 4 firewall. If the FTP server is an active server as opposed to a passive one, turn off passive mode on the client; it will then use 20 and 21.
active and passive ftp servers
If you are using IIS FTP server, it is passive, and there is a reg hack to force it to use certain ports so you can open the firewall for them.
Last edited by juniperr : April 26th, 2005 at 10:57 AM.
#6
Thanks Juniperr, that's exactly it. I disabled "use passive" in Internet Explorer and it worked fine. How do big web servers secure passive ftp ports? What are the drawbacks to active?
Thanks again for the help.
#7
The biggest problem with active FTP is this: let's say I am hosting an FTP server that is active only, and you are at work and want to download using FTP from my FTP server. In order for you to get there, your admin would have to allow ports 20 and 21 in and out. As well, in active mode the server is the one to make the connection to the client, which poses a security problem, as you don't ever want someone outside your network to be able to start a session into your network. Any good firewall today is connection aware: it will allow nothing in except responses (it does this by looking at the TCP connection info, or by timers for UDP since it is not connection oriented). So passive mode FTP was adopted. This basically works by the server telling the client to start a new data session on a random port (for which a range can be specified); the FTP server will open and listen on that port, and the client will then initiate the session, so the firewall is not an issue anymore. In my network I use FTP over SSL in passive mode. I configured my server to only tell clients to use certain ports, then I open my firewall to accommodate these ports only. Connections are not able to be made on these ports unless the server told the client to use them and it starts listening on them; then they shut back down when the session is over.
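Added example, not part of any post in this thread: a small Python sketch that decodes the `h1,h2,h3,h4,p1,p2` field of a `PORT` command or a `227` passive reply (RFC 959), reports which side opens the data connection, and checks a passive port against the range opened on the firewall. The range 50000-50100, the addresses and the sample lines are constructed assumptions.

```python
import re

# Assumed passive range configured on the server and opened on the firewall
# (constructed values, not taken from the thread).
PASV_RANGE = range(50000, 50101)

_HOSTPORT = re.compile(r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")

def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 field used by PORT and by 227 replies."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % text)
    # The data port is sent as two bytes: port = p1 * 256 + p2
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_connection(line):
    """Return (mode, initiator, host, port) for one control-channel line."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        host, port = parse_hostport(line[5:])
        return ("active", "server", host, port)
    if line.startswith("227"):
        host, port = parse_hostport(line[3:])
        return ("passive", "client", host, port)
    raise ValueError("not a PORT command or 227 reply: %r" % line)

def firewall_verdict(line, pasv_range=PASV_RANGE):
    """Describe the data connection a stateful firewall would have to permit."""
    mode, _initiator, host, port = data_connection(line)
    if mode == "active":
        return "server must connect IN to client %s:%d (from port 20)" % (host, port)
    if port in pasv_range:
        return "client connects to server %s:%d, inside opened range" % (host, port)
    return "client connects to server %s:%d, OUTSIDE opened range (blocked)" % (host, port)

# Constructed control-channel lines
SAMPLES = [
    "PORT 192,168,1,20,195,149",
    "227 Entering Passive Mode (203,0,113,10,195,90)",
    "227 Entering Passive Mode (203,0,113,10,4,1)",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", firewall_verdict(s))
```

The third sample shows what happens when the server is not pinned to the opened range: the control connection on port 21 succeeds, but the data connection is dropped and the session times out.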
#8
Thanks for the article link juniperr
#9
Nice simple article that can explain it way better than I ever could LOL! You're welcome.
#10
Thanks for the help. I'm not going to ask you to tell me how, but do you know where I can find out how to set my server up like that? Right now I am just using IPSec, so the ports are either open or closed. Thanks again for all the help juniperr. This forum has been the most helpful.
#11
Just like most of Microsoft's products, they work but not very well LOL! Go here and get a real FTP server if you would like to have FTP over SSL or an FTP server that is very flexible and easy to manage.
http://www.g6ftpserver.com/
#12
Thanks, juniperr. I like how their site looks strangely similar to Microsoft's.