My FTP Server should run behind a firewall. Most clients request PASV mode. Is there any way to specify that only a given range of ports should be used by the server for data connections so I can allow the same range through my firewall?
One of the problems with using only a few ports for PASV mode is that TCP/IP imposes a mandatory delay before a socket can be reused. For each FTP command that uses a data connection (LIST, RETR, STOR, etc.), one local/remote port combination is used, and that same port cannot be used again before a certain amount of time has elapsed. This delay is usually several minutes. If you only allow a few ports, let's say 10, to remain open, it's not unlikely that you will exhaust those 10 ports and begin to reuse them before TCP/IP releases the socket. If you attempt to reuse a socket before the delay has expired, the connection will fail.
I would recommend at least 100 ports for a server expecting just a few client connections, and significantly more for higher-traffic sites. Of course, this is only an issue if the client is using PASV mode to connect.
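The following is an added worked example, not code from the original question or answer above. It does three things the answer describes in words: it parses the server's `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply and computes the data port (`p1*256 + p2`), checks whether that port falls inside the range you opened on the firewall, and simulates the port-exhaustion problem by handing out a fixed pool of passive ports round-robin while each used port stays unavailable for an assumed reuse delay. The port range 50000-50099, the 120-second reuse delay, the connection timings and the `min_range_size` headroom factor are all assumptions chosen for illustration; the real delay depends on the operating system's TIME_WAIT setting.

```python
import math
import re

# Assumed configuration for the example: the server hands out passive
# data ports only from this range, and the firewall permits the same range.
PASV_MIN, PASV_MAX = 50000, 50099

# RFC 959 style reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (host, port) from a 227 reply; the port is p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(not 0 <= f <= 255 for f in fields):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def port_allowed(port: int, lo: int = PASV_MIN, hi: int = PASV_MAX) -> bool:
    """True if the advertised data port is inside the firewall-permitted range."""
    return lo <= port <= hi


def simulate_reuse(conn_times: list[float], n_ports: int, reuse_delay: float) -> int:
    """Model the answer's claim: ports are handed out round-robin from a pool
    of n_ports, and a port that was used at time t cannot be used again before
    t + reuse_delay.  Returns how many data connections would have landed on a
    port that was still inside its reuse delay (i.e. would have failed)."""
    release_at = [0.0] * n_ports   # time each pool slot becomes usable again
    failures = 0
    for i, t in enumerate(conn_times):
        slot = i % n_ports
        if t < release_at[slot]:
            failures += 1
        release_at[slot] = t + reuse_delay
    return failures


def min_range_size(conns_per_minute: float, reuse_delay_s: float = 120.0,
                   headroom: float = 2.0) -> int:
    """Rough sizing rule (an assumption, not from the original answer): enough
    ports that, at the given data-connection rate, every port has cleared the
    reuse delay before it comes round again, times a safety factor."""
    in_flight = conns_per_minute * reuse_delay_s / 60.0
    return math.ceil(in_flight * headroom)


if __name__ == "__main__":
    # Constructed sample reply: 195*256 + 80 = 50000, the bottom of the range.
    host, port = parse_pasv("227 Entering Passive Mode (192,168,1,10,195,80)")
    print(host, port, "allowed" if port_allowed(port) else "BLOCKED by firewall")

    # One data connection every 10 s for 5 minutes, 120 s reuse delay:
    # a 10-port pool fails on most of them, a 100-port pool never does.
    times = [10.0 * i for i in range(30)]
    print("10 ports :", simulate_reuse(times, 10, 120.0), "failures")
    print("100 ports:", simulate_reuse(times, 100, 120.0), "failures")
    print("suggested pool for 5 conns/min:", min_range_size(5))
```

To apply this on a real server, set the passive range in the FTP daemon's configuration and allow the same TCP range inbound on the firewall; `simulate_reuse` is only a model of the answer's description of the reuse delay, so treat its numbers as a sanity check on pool size, not as a measurement of any particular TCP stack.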