Filezilla FTP with Google Cloud compute engine Windows virtual instance not listing directory

Question

I have a Windows 2016 VM instance in Google cloud. I have added an inbound Windows firewall rule to allow port 21. I have configured Google cloud with both inbound firewall rules for port 21 as well as outbound for all ports for passive.

I am able to connect to my FTP server, but I am receiving this error.

Response:   425 Can't open data connection for transfer of "/"
Error:  Failed to retrieve directory listing

Note that I also have enabled TLS in filezilla, but with or without TLS enabled, I received the same error.

I have tried completely disabling the Windows firewall with no luck, so either my gcloud firewall settings are wrong, or my filezilla configuration is wrong.

Any help would be appreciated!

Answer 1

If you want to work using TLS you might need to open port 990 and even port 989. Another option to encrypt your data would be to use SFTP. There is a nice guide to configure Filezilla on GCE using SFTP here

Answer 2

If disabling TLS worked, it's a clear indication of not configured or misconfigured firewall. Even if you claim that you disabled all firewalls, you seem not to actually.

Some firewalls are smart enough to inspect FTP traffic, opening the FTP data connection ports as needed. But if the control connection is encrypted, the firewall cannot inspect it and cannot open the data connection ports for you. So with TLS, you have to configure the rules yourself.

For example in Windows firewall the feature is called "stateful FTP filtering" and is configured using netsh advfirewall set global StatefulFtp ... command.

Answer 3

TO BE SHORT

You do not need to configure outbound rules in Google Cloud. In your case except port 21 you need to add additional ports, for example 50000-50500 to Google Cloud Firewall (to add to the same rule where port 21 specified), then inWindows Firewall (to add to the same rule where port 21 specified) and add 50000-50500 to FileZilla Settings at the page Passive mode settings

TO BE LONG

Below is full instruction (in case if anyone need) based on Sever 2008, because I do not use Server 2016 (everything should be very similar). Also I did not use TLS as I do not need it. Settings below allowsFTP clients to work via Passive mode.

---

Google Cloud Settings

1. Go to VPC network -> Firewall rules;
2. Click Create firewall rule at the top;
   • Name: default-allow-ftp (does not matter);
   • Network: default (or the one you need);
   • Priority: 1000 (does not matter);
   • Direction of traffic: Ingress;
   • Action on match: Allow Target tags: Leave empty (or select the one you need);
   • Source IP ranges: 0.0.0.0/0 (or the one you need);
   • Second source filter: None (or the one you need);
   • Protocols and ports: Specified protocols and ports: tcp:21,50000-50500.

---

Windows Firewall Settings (taken from here. The source also shows how to setup Firewall using Command Line and PowerShell):

1. Login using an administrator account;
2. Click Start -> Administrative Tools -> Windows Firewall with Advanced Security;
3. In the left panel, Right Mouse Click on Inbound Rules, and then click on New Rule;
4. In the Rule Type section, select Port and click Next:
5. In the Protocol and Ports section, select TCP as the type of protocol and type 21, 50000-50500 in the Specific local ports input field;
6. In the Action section, select Allow the Connection and click Next;
7. In the Profile section, select all three options and click Next. If you wish to limit the connection to a particular profile, you can do so by selecting only the profiles you think are appropriate to your setup. For this example, we will open the port on all profiles;
8. In the Name section, enter a descriptive name for this rule. It is recommended to list the port number in the name, so the rule is easily recognizable. Click Finish when ready.

---

FileZilla Settings

1. Edit -> Settings;
2. In the tree select General setting;
   • Change field Listen on these ports: to 21;

3. In the tree select Passive mode settings;

   • Tick Use custom port range:, enter 5000 and 50500;
   • Select Use the following IP and enter your server IP (in case if it is static) or select Retrieve external IP address from:;

4. Edit -> Users;

5. In the tree select General;
   • On the right side click Add and provide username which you are going to use for connection. The username does not have any relation to Windows user accounts, as FileZilla use its own user account system;
   • Tick Enable account, and, if needed, Password;
6. In the tree select Shared folder;
   • Add a folder you would like to make as a 'home dir' and define necessary permissions for Files and Directories.

NOTES:

1. FileZilla's permissions does not have any relation to Windows permission settings for your 'home dir' folder. It means if FileZilla's settings allows user to create folder\file, but permissions configured via Windows File Explorer does not allow to do it, than user can not write any files\folders in a 'home dir'.

2. For Windows, users which are added to FileZilla, they are something like 'unknown', so Windows wont allow any access to 'home dir' folder at all. In order to fix it, I simply added All profile in the security settings of 'home dir' folder.

---

Bonus #1

If every boot up FileZilla interface appears, you can disable such behavior via msconfig:

1. Start -> type msconfig;
2. Startup tab -> Untick FileZilla Server -> Ok;
3. Reboot.

Bonus #2

If linux users want to download file from ftp server using command line:

wget ftp://username:password@server_ip_address/home_dir/file_name