I've set up a self-signed certificate in FileZilla server and enabled FTP over SSL/TLS. When I connect from the client FileZilla, I am able to authenticate but cannot get a directory listing:

Status: Connecting to MY_SERVER_IP:21...
Status: Connection established, waiting for welcome message...
Response:   220-FileZilla Server version 0.9.39 beta
Response:   220-written by Tim Kosse (Tim.Kosse@gmx.de)
Response:   220 Please visit http://sourceforge.net/projects/filezilla/
Command:    AUTH TLS
Response:   234 Using authentication type TLS
Status: Initializing TLS...
Status: Verifying certificate...
Command:    USER MYUSER
Status: TLS/SSL connection established.
Response:   331 Password required for MYUSER
Command:    PASS ********
Response:   230 Logged on
Command:    PBSZ 0
Response:   200 PBSZ=0
Command:    PROT P
Response:   200 Protection level set to P
Status: Connected
Status: Retrieving directory listing...
Command:    PWD
Response:   257 "/" is current directory.
Command:    TYPE I
Response:   200 Type set to I
Command:    PORT 10,10,25,85,219,172
Response:   200 Port command successful
Command:    MLSD
Response:   150 Opening data channel for directory list.
Response:   425 Can't open data connection.
Error:  Failed to retrieve directory listing

I have ports 21 and 50001 through 50005 open on the firewall. We are migrating servers - the 50001 - 50005 is one of the things that helped get FTPS working on the old server. I'm not sure this installation would use the same ports? What else could be the problem?

sestocker

5 Answers

You are on the right track with the needed additional ports. You might check the local firewall settings on the server as well.

user48838

Try to disable Stateful FTP rules on the Windows Firewall. Open Command Line Prompt and type this line (without the quotes):

"netsh advfirewall set global StatefulFTP disable"

The problem is the Windows Firewall; I have seen this problem with FTP and FTPS.

John Tkaczewski
  • I too think Windows Firewall is the problem! He is right. Try disabling it; I had the same issue with CSF on Linux. – Luka Mar 14 '13 at 03:41

I had this problem with FileZilla Server as well. Assuming you have set both the client and the server to use passive mode already...

Check that Windows Firewall isn't blocking ports 50001-50005. I had created exceptions within it for the FileZilla application, but it didn't clear the passive ports. I just created an exception for the range I opened, and problem solved.

minamhere
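
Added example (not part of the original answers): whether a session actually uses passive mode can be read from the client log itself. This Python sketch decodes the `PORT` argument or `227` reply and, for passive replies, checks the port against the range opened on the firewall; the function names and the `227` sample lines are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 host-port form h1,h2,h3,h4,p1,p2: port = p1 * 256 + p2
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def decode_hostport(text):
    """Return (ip, port) from a PORT argument or 227 reply, or None if malformed."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def diagnose(log_lines, passive_range):
    """Classify each data-channel negotiation in a FileZilla client log."""
    lo, hi = passive_range
    findings = []
    for line in log_lines:
        kind, _, rest = line.partition(":")
        kind, rest = kind.strip(), rest.strip()
        if kind == "Command" and rest.upper().startswith("PORT "):
            mode = "active"    # client listens, server connects out to it
        elif kind == "Response" and rest.startswith("227 "):
            mode = "passive"   # server listens, client connects in
        else:
            continue
        decoded = decode_hostport(rest)
        if decoded is None:
            continue
        host, port = decoded
        addr = ipaddress.ip_address(host)
        findings.append({
            "mode": mode, "host": host, "port": port,
            "rfc1918": any(addr in net for net in RFC1918),
            # The server picks the port only in passive mode, so the range applies only there.
            "in_range": lo <= port <= hi if mode == "passive" else None,
        })
    return findings

# The PORT line is from the question's log; the 227 replies are constructed.
SAMPLE = [
    "Command:    PORT 10,10,25,85,219,172",
    "Response:   227 Entering Passive Mode (203,0,113,10,195,82)",
    "Response:   227 Entering Passive Mode (203,0,113,10,234,96)",
]
```

Calling `diagnose(SAMPLE, (50001, 50005))` reports the question's `PORT` line as an active-mode negotiation advertising the RFC 1918 address 10.10.25.85 on port 56236, which the server-side passive range does not cover.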

I ran into this on my Cisco ASA recently... I had to open ports 49152-65535 to the host serving up FTP behind the firewall, in addition to port 21. Originally, I had configured the server side to use a limited port range and opened those on the ASA and made sure the Windows Firewall was open as well. When using the FTP over TLS / implicit or explicit options in the FileZilla client, it would not honor the port negotiation from the server that was limited to specific ports. Nothing worked - in looking at the debug logs on the ASA, the FileZilla client was not negotiating the limited port range - it would try to open the data connection outside of the range, which the ASA restricted.

Also note that FTP inspection will NOT work when using encrypted channels so the firewall was not able to 'fixup' the FTP protocol as it can do when using plain text. Do not use plain text FTP as it's all in the clear (including password). It should never be used on the internet for anything important.

I am using IIS 7.5 FTP server with TLS certificate for security. Once the additional ports were opened (49152-65535), FileZilla client worked like a charm. I'm not one to open ports like this, but there's not much choice if this is the way you are going. The good news is there's nothing listening on these ports on the server side - so it's mostly harmless from a security standpoint. These ports are only opened when a client connects and terminate when disconnected.

Hope that helps!!! I've spent a few hours of my life debugging this - time that I can't get back. Hopefully your journey is smoother.

James

You need a port for FTP & a port for the control channel [so you can get directory listings]. Banged my head against the wall all day on this.

Create an endpoint in Azure for FTP, TCP Port 21. public/private

Create an endpoint in Azure for FZServer, TCP port 6000. public/private

On the FileZilla server software, click "passive mode", and set the port range to "use custom port range" 6000-6000, and set the "retrieve external ip from... http://ip.filezilla-project...."

And select "don't use external ip for local connections".

Then run FW.msc on the Azure VM, create a firewall rule for port 21 any any, and create one for the application "FileZilla Server.exe" [as opposed to "interface.exe"], and open port 6,000.

Works like a charm!