# Connections from Windows Client to FTP server with Proftp



## Orige (Jan 4, 2011)

Well,

I have an FTP server with ProFTPD on a firewall server with PF.
Connections from Windows with Windows Explorer or a browser work,
but connections from the command line (DOS) do not.

The connection port of the FTP server is 2121.
My pf rules:


```
pass in quick on { $ext_if , $int_if } inet proto tcp from any to any port 2121 keep state
```

Passive ports of FTP server: 60000 >< 65535

```
pass in quick on { $ext_if , $int_if } inet proto tcp from any to any port 60000 >< 65535 keep state
```

Some commands work and others do not.

Here are the commands that I tried with the Windows command-line client:


```
ftp> ls
425 Unable to build data connection: Connection refused
ftp> cd teste
250 CWD command successful
ftp> mkdir opa
257 "/teste/opa" - Directory successfully created
ftp> ls
425 Unable to build data connection: Connection refused
```

From the command line of FreeBSD or Linux systems, the commands work.

Are there any other ports that I can try to open?


PS: The firewall on the Windows clients is disabled.
PS2: I tried to connect to another FTP server with the Windows command-line client and it works fine.

PS3: Sorry for my English.

Thanks !!


----------



## SirDice (Jan 4, 2011)

Orige said:

> I have an FTP server with ProFTPD on a firewall server with PF.
> Connections from Windows with Windows Explorer or a browser work,
> but connections from the command line (DOS) do not.


Both the browser and Explorer use passive FTP, whereas the command-line client always uses active FTP.

With active FTP the server will open a connection _to_ the client on a random port also picked by the client. With passive FTP the client makes this connection to the server on a random port picked by the server. The biggest difference is who initiates the data connection.

Active FTP vs. Passive FTP, a Definitive Explanation

PF: Issues with FTP


----------
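The active/passive distinction described above can be read straight off the control channel. This is an added example, not part of the thread: the function names and sample lines are constructed, and the passive range is taken from the pf rule in the first post.

```python
import re

# Assumption from the thread: the passive range is written in pf as
# "60000 >< 65535". The >< operator excludes both bounds (60001-65534).
PASV_LOW, PASV_HIGH = 60000, 65535

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_endpoint(line):
    """Return (host, port) from the h1,h2,h3,h4,p1,p2 tuple in a PORT command
    or a 227 reply, or None if the line carries no valid tuple."""
    m = _TUPLE.search(line)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def classify(line):
    """Describe the data connection that a control-channel line sets up."""
    upper = line.strip().upper()
    if upper.startswith("PORT "):
        # Active: the client names its own address and port; the server connects to it.
        mode, initiator = "active", "server"
    elif upper.startswith("227 "):
        # Passive: the server names its address and port; the client connects to it.
        mode, initiator = "passive", "client"
    else:
        return None
    endpoint = parse_endpoint(line)
    if endpoint is None:
        return None
    info = {"mode": mode, "initiator": initiator, "dest": endpoint[0], "port": endpoint[1]}
    if mode == "passive":
        info["in_pasv_range"] = PASV_LOW < endpoint[1] < PASV_HIGH
    return info

# Constructed control-channel lines (documentation addresses, not captured traffic).
SAMPLE = [
    "PORT 192,0,2,10,195,80",
    "227 Entering Passive Mode (203,0,113,5,234,100).",
    "250 CWD command successful",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(entry, "->", classify(entry))
```

For the `PORT` line the firewall sees an outbound connection from the server to the client's chosen port, which the inbound `pass in` rules for 2121 and the passive range do not cover.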



## Orige (Jan 5, 2011)

Ok. Great explanation about Active and Passive Ports in Ftp.
Now I understand.
So, translating this:



> From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened:
> 
> * FTP server's port 21 from anywhere (Client initiates connection)
> * FTP server's port 21 to ports > 1023 (Server responds to client's control port)
> ...



for pf rules, would be like:


```
pass quick on { $ext_if , $int_if } inet proto tcp from any to any port 2121 keep state
pass quick on { $ext_if , $int_if } inet proto tcp from any port 20 to any port > 1023 keep state
pass quick on { $ext_if , $int_if } inet proto tcp from any port 2121 to any port > 1023 keep state
```

??

My connections with other FTP servers work fine. I don't need to configure ftpproxy for this.

Thanks !!


----------

