How to use CompleteFTP with firewalls

Issue: using FTPS, clients can connect but transfers and directory listings hang and eventually time out.

Firewalls block connections to networks (and thus servers) on certain port numbers, and can thus prevent client applications from connecting.

If problems are being experienced connecting to CompleteFTP, the firewall is a good place to start looking.

HTTP and HTTPS rarely have firewall problems, while SFTP has fewer problems with firewalls than FTPS. With SFTP, all commands and transfers go through a single port (the default is port 22). As long as the firewall is permitting connections to port 22, SFTP should work correctly.

The situation is more complicated with FTP/FTPS, mainly because directory listings and file transfers are performed using separate socket connections on a different (and potentially random) port number to the standard port 21. Of course firewalls are designed to prevent connections on random port numbers, so listings and transfers can get blocked. This is not usually an issue for FTP, as firewalls can read FTP commands and dynamically open data ports. But for FTPS, commands are encrypted and so firewalls cannot open ports dynamically. Instead, a firewall rule must be set up permitting inbound connections to the server (for passive mode transfers, also known as PASV).

In passive mode, the FTP/FTPS client initiates all transfers, and the server returns an IP address and port number to connect to. This port number is either assigned by the server's operating system (if the defaults are used), or is taken from a passive port range configured in the server. To set up a passive port range with CompleteFTP, see how to set a PASV port range. The same port range should also be opened in the firewall, permitting clients to connect in this range.

Often, the FTP server will be on a machine with only an internal IP address. As the IP address is returned to the client in the reply to the PASV command, this is problematic: a client outside the network cannot reach an internal address. The client requires an external IP address, and the firewall must be configured to forward packets sent to this external IP address to the server machine. To set an external IP address with CompleteFTP, see how to set an external IP address.
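
The passive port range and external IP address settings described above can both be checked from the 227 reply recorded in an FTPS client's log. The following is an added example, not CompleteFTP code: it decodes the reply and reports which of the two problems it shows. The port range 50000-50100 and the sample replies are constructed values.

```python
import ipaddress
import re

# Assumption: the passive range opened on the firewall (constructed value).
PASV_RANGE = (50000, 50100)

# Address blocks that a client outside the network cannot reach.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16")]                  # loopback, link-local

# 227 reply carries h1,h2,h3,h4,p1,p2: four address octets and two port bytes.
_PASV_RE = re.compile(r"^227\b.*?" + ",".join([r"(\d{1,3})"] * 6))

def parse_pasv_reply(line):
    """Return (IPv4Address, port) decoded from a 227 PASV reply line."""
    m = _PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("value above 255 in PASV reply: %r" % line)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]   # port = p1 * 256 + p2

def check_pasv_reply(line, port_range=PASV_RANGE):
    """List the firewall/NAT problems this reply causes for an outside client."""
    ip, port = parse_pasv_reply(line)
    lo, hi = port_range
    problems = []
    if any(ip in net for net in INTERNAL_NETS):
        problems.append(f"internal address {ip} advertised; set the external IP address")
    if not lo <= port <= hi:
        problems.append(f"data port {port} outside firewall range {lo}-{hi}; set a PASV port range")
    return problems

if __name__ == "__main__":
    # Constructed sample replies, as they would appear in a client log.
    samples = [
        "227 Entering Passive Mode (192,168,1,20,195,80)",
        "227 Entering Passive Mode (203,0,113,10,234,96)",
        "227 Entering Passive Mode (203,0,113,10,195,100)",
    ]
    for s in samples:
        print(s, "->", check_pasv_reply(s) or "OK")
```
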