Allow Passive FTP connections

Allow Passive FTP connections through your server's firewall (Windows and Linux)

Passive FTP is a method used to connect to your FTP server to upload/modify and download files from directories your user has access to.

Passive FTP is the most common type of FTP connection.

Sometimes when a new server is deployed, or after a server restart, passive FTP will start to fail. You can recognize a connection failure as a passive FTP issue by the connection log you'll see when you try to connect. The last message will be something like:

    "Retrieving directory listing"

This occurs with both Windows and Linux servers, because the message appears on the client side.



Adding passive FTP support to iptables is very easy. First, add support on the currently running system by typing the following:

    sudo modprobe ip_nat_ftp
    sudo modprobe ip_conntrack_ftp

This adds support to the running iptables.

Next, modify the file /etc/modules (/etc/modprobe.conf for Red Hat/CentOS):

    sudo vi /etc/modules

and add the following 2 lines to the bottom:

    ip_nat_ftp
    ip_conntrack_ftp

This will load it on the next reboot. Passive FTP should now work.
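
The persistence step above, as an added example (not part of the original article): a POSIX shell helper that appends the two module names to the modules file only when they are missing, and checks a /proc/modules-format listing for them. The function names and file-path parameters are assumptions made for this example; the check also accepts nf_nat_ftp and nf_conntrack_ftp because newer kernels list the helpers under those names.

```shell
#!/bin/sh
# Added example: persist and verify the FTP helper modules idempotently.
FTP_HELPERS="ip_nat_ftp ip_conntrack_ftp"

# Append each helper to the modules file (default /etc/modules, needs root)
# unless that exact line is already present. Prints how many were added.
persist_ftp_helpers() {
    file="${1:-/etc/modules}"
    added=0
    for mod in $FTP_HELPERS; do
        if grep -qx "$mod" "$file" 2>/dev/null; then
            continue
        fi
        # Edge case: a file with no trailing newline would fuse two names.
        if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
            echo >> "$file" || return 1
        fi
        printf '%s\n' "$mod" >> "$file" || return 1
        added=$((added + 1))
    done
    echo "$added"
}

# Print the helpers absent from a /proc/modules-format listing.
# Assumption: newer kernels list them as nf_nat_ftp / nf_conntrack_ftp
# (the ip_* names are aliases), so either spelling counts as loaded.
missing_ftp_helpers() {
    listing="${1:-/proc/modules}"
    missing=""
    for mod in $FTP_HELPERS; do
        alt="nf_${mod#ip_}"
        if ! grep -Eq "^($mod|$alt) " "$listing"; then
            missing="$missing $mod"
        fi
    done
    echo "${missing# }"
}
```

Running `persist_ftp_helpers` twice leaves the file unchanged the second time, and an empty result from `missing_ftp_helpers` means both helpers are loaded.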


To add a range of ports to IIS FTP, do the following.

Open a command prompt with administrative privileges (right-click on it and select "Run as administrator") and go to the folder c:\Inetpub\AdminScripts

Once in the folder, run:

    adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5700"

Where 5500-5700 is replaced by the port range you wish to add.

You will then get 3 messages if you have never done this before. Say “yes” or “ok” to all of them.

Once done, you will need to add that range of ports to the Windows firewall. Type the following:

    FOR /L %I IN (5500,1,5700) DO netsh firewall add portopening TCP %I "Passive FTP"%I

Note: Replace 5500-5700 with the range of ports you want to use for Passive FTP connections.
