# Ports for FTPS (over SSL)



## ccc (Oct 17, 2012)

hi

What ports do we need to open at the firewall for an *FTPS over SSL* server?


----------



## Crest (Oct 17, 2012)

This depends on your mode (active or passive) and a few other factors. FTP itself is bad enough for any NAPT implementation, but it can be made to work through NAPT with proxies. The proxy has to sniff the FTP command connection. FTP + SSL encrypts the command connection with SSL. This in turn requires the proxy to perform a man in the middle attack on the SSL handshake. This can be done if you have access to the server's private key or the CA that issued it. Have fun implementing this. If you just want to narrow the ports down on the server: forget it; FTP is more secure with more ports to choose from, as crazy as it may sound.


----------



## mamalos (Oct 18, 2012)

Can't someone configure their ftp server to use a specific UDP port range (if set to passive) and allow this range of ports to be accessible for this purpose?


----------



## ccc (Oct 18, 2012)

mamalos said:

> Can't someone configure their ftp server to use a specific UDP port range (if set to passive) and allow this range of ports to be accessible for this purpose?



UDP by FTP?


----------



## usdmatt (Oct 18, 2012)

The wiki page for FTP over SSL suggests that it works just like normal FTP, so for passive FTP you'll need port 21 inbound as well as the passive range (which is TCP, not UDP).

Some FTP servers allow you to set the passive range so you can choose this range and only open the relevant ports on the firewall. The default FreeBSD server doesn't, it uses the net.inet.ip.portrange.hifirst and net.inet.ip.portrange.hilast sysctls, so that's the range you'd need open. You can change these values but I'd be wary of changing them too much as I have no idea what or how many services rely on using the ports specified here.

If you want secure FTP it's also worth looking at sftp using SSH. It will only need SSH open (if you're happy doing that) and on a standard FreeBSD install only needs a few tweaks to /etc/ssh/sshd_config (and maybe an 'sftp' group to put the users into).
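To make the passive-mode port arithmetic concrete, here is an added Python example (not code from this thread or from any FTP server): it parses the PASV/EPSV replies the server sends on the control channel, computes the data port, and checks it against a pre-opened passive range. The range 49152-65535 is assumed as the FreeBSD default for the portrange sysctls mentioned above (verify with `sysctl net.inet.ip.portrange.hifirst net.inet.ip.portrange.hilast`), the server address and the sample replies are constructed. With FTPS the control channel is encrypted, so a firewall cannot read these replies itself; that is why the whole range has to be opened in advance.

```python
import re

# Assumed FreeBSD defaults for net.inet.ip.portrange.hifirst / hilast;
# check the real values on the host with sysctl before writing rules.
PASSIVE_RANGE = (49152, 65535)
CONTROL_PORT = 21

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  -> port = p1*256 + p2
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 Entering Extended Passive Mode (|||port|)  -> address is the control peer
EPSV_RE = re.compile(r"229 .*?\(\|\|\|(\d+)\|\)")


def parse_passive_reply(line):
    """Return (host, port) announced by a PASV or EPSV reply (host is None for EPSV)."""
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(line)
    if m:
        return None, int(m.group(1))
    raise ValueError(f"not a passive-mode reply: {line!r}")


def allowed_by_firewall(port, passive_range=PASSIVE_RANGE):
    """True if the announced data port falls inside the pre-opened range (or is port 21)."""
    lo, hi = passive_range
    return port == CONTROL_PORT or lo <= port <= hi


def pf_rules(passive_range=PASSIVE_RANGE, server="192.0.2.10"):
    """pf rules for inbound FTPS: the control port plus the whole passive range.
    The server address is a documentation-range placeholder."""
    lo, hi = passive_range
    return [
        f"pass in proto tcp to {server} port {CONTROL_PORT}",
        f"pass in proto tcp to {server} port {lo}:{hi}",
    ]


# Constructed sample replies; the last one announces a port outside the range.
SAMPLES = [
    "227 Entering Passive Mode (192,0,2,10,200,110).",   # 200*256+110 = 51310
    "229 Entering Extended Passive Mode (|||60001|)",
    "227 Entering Passive Mode (192,0,2,10,4,1).",       # 4*256+1 = 1025
]


def check_samples():
    """Return [(data_port, allowed), ...] for the constructed replies."""
    return [(parse_passive_reply(s)[1], allowed_by_firewall(parse_passive_reply(s)[1])) for s in SAMPLES]
```

A data port outside the opened range (the third sample) is exactly the transfer that hangs once the firewall can no longer follow the encrypted control channel.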


----------



## ccc (Oct 18, 2012)

Here are good explanations:

http://www.rebex.net/kb/secure-ftp/default.aspx

http://www.ipv4security.com/packet_flow/ftp_over_ssl.html


----------



## mamalos (Oct 18, 2012)

Yep, you're both right, sorry for the UDP part.


----------

