Hello! The sticky (above) provides good general information on client side firewall exceptions pertaining to outbound ports. To carry the discussion a bit further, I have noted some challenges with the hardware-based firewall in my DSL modem/router that will allow successful login and PASV mode negotiation, but reject the connection when a second (data) connection is attempted.
This problem is essentially also a matter of opening the correct outbound port. (Turning off the hardware firewall allows a successful connection, BTW). A more secure way to do it is to leave the firewall on and use the port forwarding feature.
Normally, the next step is to check with your secure FTP server admin to determine the range of ports that may be used by the server for PASV mode data connections, and use that information to forward this range of ports if they arrive from that server's address. Typical:
[Port range to forward] if arriving from [this server's IP]
My specific DSL modem (Actiontec GT701) also requests a client-side port number or port range, which is another unknown. Admittedly, the setup of port forwarding may be due to an "unintelligent firewall", but I expect a number of users are encountering a similar difficulty. Typical:
[Client side Data connection port range] outgoing from [client computer's IP address]
Note the client computer's address will be the LAN address it uses to link to the modem/router.
One way would be to open all client origination ports. A more secure way would be to know the expected range of origination ports that might be used by the CoreFTP program. Thus my question to the moderators...
What are the expected origination ports for the secure data connection?
Empirically, I have observed data origination ports both in the 1200-1300 range and sometimes in the 1600-1800 range. It is always different. Is there any way to know more specifically what port range to expect? Is this a non-issue with respect to maintaining a modest level of security?
Thank You!
GreyFox
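
Added example, not part of the original post and not CoreFTP code: it shows the two ports involved in a PASV data connection, the server-side port announced in the 227 reply and the client-side source port of the outgoing connection. It assumes the client does not bind its data socket to a fixed local port, in which case the operating system picks the source port; `SAMPLE_227`, `parse_pasv` and `observe_source_ports` are hypothetical names, and the reply and addresses are constructed.

```python
import re
import socket

# Constructed sample reply in RFC 959 format; the address is a documentation range.
SAMPLE_227 = "227 Entering Passive Mode (192,0,2,10,195,80)"


def parse_pasv(reply):
    """Return (host, port) the server announced for the data connection."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not reply.startswith("227") or m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % reply)
    # The last two fields are the high and low bytes of the server's data port.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def observe_source_ports(count=5):
    """Open `count` outbound connections to a local listener and return the
    client-side source ports the OS assigned (the sockets are never bound)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # stand-in for the server's PASV port
    listener.listen(count)
    target = listener.getsockname()
    clients, ports = [], []
    try:
        for _ in range(count):
            c = socket.create_connection(target, timeout=5)
            clients.append(c)  # kept open so each connection needs its own port
            ports.append(c.getsockname()[1])
    finally:
        for c in clients:
            c.close()
        listener.close()
    return ports


if __name__ == "__main__":
    print("server data endpoint:", parse_pasv(SAMPLE_227))
    print("client source ports :", observe_source_ports())
```

The server-side port range is set by the server's configuration, while the source ports printed here come from whatever dynamic port range the client's operating system uses.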