Firewall/Port problem

[EphemeralAttention]

I have setup a filezilla ftp server with these ports:

"Connection Settings"
Listen on these ports: 1983

"SSL/TLS Settings"
SSL/TLS connections: 1985

If I create a rule in my firewall to allow everything, it works fine. I don't want this though.

Could somebody tell me which ports I need to open in order to use this ftps:// server?

I have tried allowing 1982 - 1985 (inclusive) but this doesn't work. I end up with the following error when trying to connect from a remote client:

Code: Select all

Status:	Server sent passive reply with unroutable address. Using server address instead.
Error:	Failed to retrieve directory listing

I indeed unable to see the contents of the directory and if I try to transfer a file, I get:

Code: Select all

Status:	Server sent passive reply with unroutable address. Using server address instead.

which does not end up working.

The server sees the attempted file transfer but is unable to receive the file:

Code: Select all

(000003)10/24/2011 23:31:10 PM - username(xx.xx.xx.xxx)> 425 Can't open data connection.

Which other ports do I need to allow access to?

[boco]

As the Network Configuration explains, you need a port range for Passive mode. Furthermore, the server must know your current external IP.

Code: Select all

Listen on these ports: 1983

This port is used for plain FTP and explicit FTP over TLS (FTPES). Note that only the initial connection uses this port.

Code: Select all

SSL/TLS connections: 1985

That one is for implicit FTP over TLS (FTPS). Again, only the initial connection uses this.

Could somebody tell me which ports I need to open in order to use this ftps:// server?

Both listening ports plus your defined Passive port range (aka Custom port range in FZ Server). The recommended size of the Passive port range is at least 50 ports. All ports must be forwarded in the router as well. And don't forget to tell FZ Server your external IP.

[EphemeralAttention]

Thanks for the document. I have limited the range to 1982-1984 and it's working now.
I also added my static external IP.

[boco]

Range is too narrow, you might run out of ports fast.

[EphemeralAttention]

But I only intend to have 1 user connect at a time. 1 user, 1 session.

Or do I need to read up more about this (as in, I'm miss-understanding)?

[boco]

-Every listing or transfer (actually, a listing is a transfer) needs one data port.
-Ports are used sequentially, and after the last one has been used, it wraps around to the first one again.
-A port, once used, stays in a TIME_WAIT state for about four minutes. During that time, it is unavailable.

For the above reasons, even one user can exhaust a port range quickly.