Passive FTP Firewall

Passive FTP is an FTP mode that avoids the problem active FTP causes for client-side firewalls. In active mode the server opens the data connection back to the client, and a stateful firewall in front of the client drops that inbound connection because the client never initiated it. In passive mode every connection is initiated by the client. The client opens the control connection to port 21 on the server, and the firewall allows the return traffic because the client initiated it. When a file transfer is needed, the client sends the PASV command on the control connection and the server replies with "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", which carries the server's IP address and an ephemeral port (p1 * 256 + p2) that the server is now listening on. The client then initiates a second, outbound connection to that ephemeral port, and the data connection is established. Note that the firewall only learns the data port if it inspects the control channel (an FTP ALG); with FTPS the control channel is encrypted, so the firewall has to permit the whole ephemeral range in advance.

From the client side, egress to port 21 (the control connection) and to the server's ephemeral port range, 1024-65535 (the data connection), needs to be open. The data port is chosen by the server for each transfer, so unless the firewall tracks the control channel and opens the data port dynamically, the whole range must be allowed. If the FTP server is configured with a fixed passive port range, narrow the rule to that range instead.

# From the client side, egress port 21 must be open.
# From the client side, ephemeral ports from port 1024 to 65535 must be open.

Testing a Network Port Connection

You can test whether a TCP port is reachable from the client using the "nc" (netcat) command on Linux and the "telnet" client on Windows (the Telnet Client is not installed by default on modern Windows and has to be enabled as a Windows feature first). Both commands take the host name or IP address followed by the port number. For nc, "-z" means scan only (connect, then close without sending data) and "-v" prints the result.

$ nc -zv <host> <port>
C:\> telnet <host> <port>

Here <host> stands for the server name or IP address. The first example below is a successful check, the second a failed one:

$ nc -zv <host> 80
Connection to <host> 80 port [tcp/http] succeeded!
C:\> telnet <host> 80
Connecting To <host>...Could not open connection to the host, on port 80: Connect failed

For Telnet on Windows, a successful connection returns no message: the screen clears and the cursor sits in the blank session window, whereas a refused or filtered port produces the "Connect failed" error shown above. Press Ctrl+] and then type quit to leave a successful session.
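The passive-mode exchange described in the first section and the port check described in this section, as an added example that is not part of the original page. It parses a server's 227 reply to derive the data port the client must reach, checks that port against the 1024-65535 egress rule, and performs the same TCP connect test as "nc -zv host port" in Python. The function names, the constructed control-channel transcript and the 192.168.1.10 address are assumptions made for the example.

```python
import re
import socket

# Added example, not code from the original page. The function names below and
# the control-channel transcript are constructed for illustration.

# Minimal egress rules the page describes for a passive FTP client.
CONTROL_PORT = 21
EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 65535

# Constructed transcript of the control channel around one passive transfer
# (C: client -> server, S: server -> client). The address is made up.
CONSTRUCTED_EXCHANGE = [
    "C: PASV",
    "S: 227 Entering Passive Mode (192,168,1,10,195,80).",
    "C: RETR file.txt",
    "S: 150 Opening BINARY mode data connection for file.txt",
    "S: 226 Transfer complete.",
]

_PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(line):
    """Return (ip, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply.

    The data port is p1 * 256 + p2. Raises ValueError for anything that is not a
    well-formed 227 reply so that a firewall helper never acts on garbage.
    """
    m = _PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % line)
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        raise ValueError("octet out of range in 227 reply: %r" % line)
    ip = ".".join(str(v) for v in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return ip, port


def data_port_allowed(port, low=EPHEMERAL_LOW, high=EPHEMERAL_HIGH):
    """True if the server's data port falls inside the egress range the client firewall permits."""
    return low <= port <= high


def passive_data_endpoint(exchange):
    """Walk a control-channel transcript and return the data endpoint the client must connect to."""
    for entry in exchange:
        if entry.startswith("S: 227 "):
            return parse_pasv_reply(entry[3:])
    raise ValueError("no 227 reply in exchange")


def check_tcp_port(host, port, timeout=3.0):
    """TCP connect test, the same check as 'nc -zv host port': True if the port accepts a connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def demo_local_check():
    """Open a listener on 127.0.0.1, test it while open, then test again after closing it.

    Returns (result_while_open, result_after_close); expected (True, False).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = check_tcp_port("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = check_tcp_port("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    ip, port = passive_data_endpoint(CONSTRUCTED_EXCHANGE)
    print("server told us to connect to %s:%d" % (ip, port))
    print("within 1024-65535 egress rule:", data_port_allowed(port))
    print("loopback check (open, closed):", demo_local_check())
```

Run it as a script to see the derived data endpoint and the loopback connect test; to check a real server, call check_tcp_port with the host and port from parse_pasv_reply, which is exactly what a firewall rule for the 1024-65535 range has to let through.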