Passive FTP Firewall

Passive FTP is an FTP mode that avoids the problem active FTP causes with client-side firewalls. In active mode the server opens the data connection back to the client, and a stateful client firewall blocks it because the client did not initiate it. In passive mode the client initiates both connections: it opens the control connection to the server (port 21) and, when a transfer is needed, sends the PASV command. The server answers with a 227 "Entering Passive Mode" reply that names an ephemeral port on the server, and the client then opens the data connection to that port. Because both connections are client-initiated, the firewall allows the return traffic on each.

Egress TCP port 21 (control connection) and the ephemeral range 1024-65535 (data connection) need to be open from the client side.

# From the client side, egress port 21 must be open.
tcp:21
# From the client side, ephemeral ports from port 1024 to 65535 must be open.
tcp:1024-65535
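The exchange described above, carried out end to end as an added example (not code from the original page): the client opens the control connection, sends PASV, parses the 227 reply into a host and a data port (p1*256 + p2), checks that port against the egress rules listed above, and only then opens the data connection. Both sides run on loopback so it works offline; the server half is a stand-in written for this example, not a real FTP daemon, and because binding port 21 needs root the demo lets the kernel pick the control port as well.

```python
"""Passive-mode FTP data-port negotiation, simulated in-process (added example).

Control connection: client -> server port 21, client sends PASV, server answers
"227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" where port = p1*256 + p2.
Data connection: client -> server on that port. Both sides run on loopback here;
the server below is a stand-in written for this example, not a real FTP daemon.
"""
import re
import socket
import threading

CONTROL_PORT = 21                 # egress rule from the text: tcp:21
EPHEMERAL_RANGE = (1024, 65535)   # egress rule from the text: tcp:1024-65535
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply: str) -> tuple:
    """Return (host, port) from a 227 reply; raise ValueError on anything else."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 passive-mode reply: {reply!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {reply!r}")
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def is_allowed_egress(port: int) -> bool:
    """Would the client-side egress rules (tcp:21, tcp:1024-65535) allow this port?"""
    return port == CONTROL_PORT or EPHEMERAL_RANGE[0] <= port <= EPHEMERAL_RANGE[1]


def encode_pasv_reply(host: str, port: int) -> bytes:
    """Server side of the same encoding: the 227 line for a given host and port."""
    h = host.replace(".", ",")
    return f"227 Entering Passive Mode ({h},{port // 256},{port % 256}).\r\n".encode()


def _fake_server(control_listener: socket.socket, payload: bytes) -> None:
    """Stand-in server: send banner, answer one PASV, serve payload on the data port."""
    data_listener = socket.socket()
    data_listener.bind(("127.0.0.1", 0))      # kernel picks an ephemeral port
    data_listener.listen(1)
    data_host, data_port = data_listener.getsockname()
    conn, _ = control_listener.accept()
    with conn, data_listener:
        conn.sendall(b"220 stand-in ftp ready\r\n")
        if conn.makefile("rb").readline().strip().upper() == b"PASV":
            conn.sendall(encode_pasv_reply(data_host, data_port))
            data_conn, _ = data_listener.accept()   # client-initiated data connection
            with data_conn:
                data_conn.sendall(payload)


def passive_transfer(control_host: str, control_port: int) -> tuple:
    """Client side. Returns (data_port, allowed_by_firewall, bytes_received)."""
    with socket.create_connection((control_host, control_port), timeout=5) as ctl:
        ctl_in = ctl.makefile("rb")
        ctl_in.readline()                       # 220 banner
        ctl.sendall(b"PASV\r\n")                # ask the server for a data port
        host, port = parse_pasv_reply(ctl_in.readline().decode())
        allowed = is_allowed_egress(port)
        if not allowed:
            return port, allowed, b""           # the client firewall would drop this SYN
        # Second, client-initiated connection to the port the server announced.
        with socket.create_connection((host, port), timeout=5) as data:
            chunks = []
            while chunk := data.recv(4096):
                chunks.append(chunk)
    return port, allowed, b"".join(chunks)


def run_demo(payload: bytes = b"constructed sample file contents\r\n") -> tuple:
    """Run one passive fetch against the stand-in server on loopback."""
    control_listener = socket.socket()
    control_listener.bind(("127.0.0.1", 0))    # port 21 needs root; any free port will do here
    control_listener.listen(1)
    host, port = control_listener.getsockname()
    server = threading.Thread(target=_fake_server, args=(control_listener, payload), daemon=True)
    server.start()
    try:
        return passive_transfer(host, port)
    finally:
        server.join(timeout=5)
        control_listener.close()


if __name__ == "__main__":
    data_port, allowed, received = run_demo()
    print(f"server announced data port {data_port}, egress allowed={allowed}, got {received!r}")
```

The is_allowed_egress check is the point of the firewall rules in this section: a server that announces a data port below 1024 (or anything outside the range the client's egress rules permit) will see the data connection time out, even though the control connection on port 21 worked.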

Testing a Network Port Connection

You can test whether a TCP port accepts connections with the nc command on Linux and telnet on Windows. With nc, -z reports only whether the port is open without sending any data, and -v prints the result. On current Windows versions the telnet client is an optional feature that must be enabled first; PowerShell's Test-NetConnection -ComputerName domain.com -Port 80 performs the same check.

Format:
$ nc -zv domain.com port
C:\> telnet domain.com port

Example output, a successful nc check and a failed telnet check:

$ nc -zv domain.com 80
Connection to domain.com 80 port [tcp/http] succeeded!
C:\> telnet domain.com 80
Connecting To domain.com...Could not open connection to the host, on port 80: Connect failed

For telnet there is no success message: on a successful connection the screen clears and the session waits for input (you only see text if the service sends a banner, as an FTP server does with its 220 line). Press Ctrl+] and then type quit to leave the session. A failure prints the "Could not open connection" message shown above.
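The same check as nc -zv, written as an added example (not code from the original page) so it can be used from a script and distinguishes the failure modes a practitioner cares about: "connection refused" means the host answered with a RST (reachable, nothing listening), while a timeout usually means a firewall silently dropped the SYN. The demo function builds a constructed local scenario, one listening port and one closed port on 127.0.0.1, so it runs offline.

```python
"""TCP port reachability check, the equivalent of `nc -zv host port` (added example).

Opens a TCP connection and closes it immediately, which is what nc's -z
("zero-I/O") mode does, and returns the result instead of printing it.
"""
import socket


def check_port(host: str, port: int, timeout: float = 3.0) -> tuple:
    """Return (reachable, reason); reason is "open" or a short error description."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "open"
    except socket.timeout:
        # No SYN-ACK and no RST within the timeout: typical of a firewall dropping the packet.
        return False, "timed out (filtered?)"
    except ConnectionRefusedError:
        # Host reachable, RST received: nothing is listening on that port.
        return False, "connection refused"
    except OSError as exc:
        # Routing / resolution failures, e.g. EHOSTUNREACH, ENETUNREACH, EAI_NONAME.
        return False, f"error: {exc}"


def check_ports(host: str, ports, timeout: float = 3.0) -> dict:
    """Check several ports on one host; returns {port: (reachable, reason)}."""
    return {p: check_port(host, p, timeout) for p in ports}


def demo() -> tuple:
    """Constructed scenario: one listening loopback port and one closed one.

    Returns (result_for_open_port, result_for_closed_port).
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))          # kernel picks a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]
    # Pick a port that is free right now and release it, so nothing is listening there.
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        results = check_ports("127.0.0.1", [open_port, closed_port], timeout=2.0)
    finally:
        listener.close()
    return results[open_port], results[closed_port]


if __name__ == "__main__":
    for label, (ok, reason) in zip(("listening port", "closed port"), demo()):
        print(f"{label}: reachable={ok} ({reason})")
```

For a real target, call check_port("domain.com", 21) for the FTP control port and then check_ports on a few ports in the 1024-65535 range announced by the server; a "timed out" result where port 21 was "open" points at the egress rules from the previous section.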