PASV Data Ports

Home Forums General Firewall Help PASV Data Ports

  • This topic is empty.
Viewing 4 posts - 1 through 4 (of 4 total)
  • Author
  • #27966

    My FTP Server should run behind a firewall. Most clients request PASV mode. Is there any way to specify that only a given range of ports should be used by the server for data connections so I can allow the same range through my firewall ?


    Yes, there is. Open the ‘Server Manager’ and select the ‘Advanced’ page.


    also, what is the minimum number of ports i can use for pasv? is there a way i can only use a few for passive instead of the suggested range of 1040 to 3500. im just worried that ill get hacked :(

    edit: just found out, the anser is probably not if you want it to run stable.



    One of the problems with using only a few ports for PASV mode is that TCP/IP imposes a mandatory delay before a socket can be reused. For each FTP command that uses a data connection (LIST, RETR, STOR, ect…), one local/remote port combination is used, and that same port cannot be used again before a certain amount of time has elapsed. This delay is usually several minutes. If you only allow a few ports, lets say 10, to remain open, it’s not unlikely that you will exhaust those 10 ports and begin to reuse those ports again before TCP/IP releases the socket. If you attempt to resuse a socket before the delay has expired, the connection will fail.

    I would recommend at least 100 ports for a server expecting just a few client connections. Significantly more ports for higher traffic sites. Of course, this is only an issue if the client is using PASV mode to connect.

Viewing 4 posts - 1 through 4 (of 4 total)
  • You must be logged in to reply to this topic.
Close Cart

Shopping Cart