
FTP filtering working too well!!

Here is my question. I created packet filtering on my NIC to open only 7 ports, using Windows 2000 Server. The problem is that no one in the company is able to communicate with the FTP site or our FTP server from home. I opened the necessary ports for FTP, which are 21 and 20, but I still get this error when I get to FTP sites:

Extended Server Error Message:
200 Type set to I.
200 PORT command successful.
425 Can't build data connection: Connection refused

When I remove the packet filtering option, it works fine. What am I missing here!?!

When you establish a connection to an FTP server, the actual port numbers used vary a great deal. There are two types of FTP connection, and they are described below:

Active FTP Operation

The active mode of operation is less secure than the passive mode. This mode of operation complicates the construction of firewalls, because the firewall must anticipate the connection from the FTP server back to the client program. The steps of this mode of operation are discussed below:

  • The client opens a control channel (port 21) to the server and tells the server the port number to respond on. This port number is a randomly determined port greater than 1023.
  • The server receives this information and sends the client an acknowledgement "OK" (ack). The client and server exchange commands on this control connection.
  • When the user requests a directory listing or initiates the sending or receiving of a file, the client software sends a "PORT" command that includes a port number > 1023 that the client wishes the server to use for the data connection.
  • The server then opens a data connection from port 20 to the client's port number, as provided to it in the "PORT" command.

Passive FTP Operation

This mode of operation is assumed to be more secure because all the connections are being initiated from the client, so there is less chance that the connection will be compromised. The reason it is called passive is that the server performs a "passive open." The steps of this mode of operation are discussed below:

  • In passive FTP, the client opens a control connection on port 21 to the server, and then requests passive mode through the use of the "PASV" command.
  • The server agrees to this mode, and then selects a random port number (>1023). It supplies this port number to the client for data transfer.
  • The client receives this information and opens a data channel to the server assigned port.
  • The server receives the data and sends an "OK" (ack).


Active mode is the most common and you should use that. Otherwise clients will typically have to select passive mode manually in their FTP clients.

You will need to allow connections that originate from the server on ports larger than 1024 (the dynamic ports for TCP/IP) to go out. Note that for security, do not allow the reverse.
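The two sequences described in the answer, and the reason a port filter that opens only 20 and 21 still produces "425 Can't build data connection", can be checked with a small model. The following is an added example, not code from the original page or from the expert who answered; it decodes the `h1,h2,h3,h4,p1,p2` tuple that the `PORT` command and the `227` passive reply carry (the port is `p1*256 + p2`, as in RFC 959), derives the data connection each mode would open, and evaluates it against a deliberately simplified stateless host filter that admits inbound connections only to a listed set of local ports. The addresses, the control-channel lines, and the set of seven ports are constructed for the example; only 20 and 21 come from the question, the other five are a hypothetical choice. The filter model is a simplification standing in for the Windows 2000 TCP/IP filtering the question mentions, not a reproduction of it.

```python
import re
from dataclasses import dataclass

# Constructed sample control-channel lines; not from a real capture.
SAMPLE_PORT_CMD = "PORT 192,168,1,50,4,1"                              # client 192.168.1.50, port 4*256+1 = 1025
SAMPLE_227_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)."  # server 203.0.113.10, port 195*256+80 = 50000

# Constructed rule set standing in for the question's "7 ports": 20 and 21 are from the
# question, the other five are a hypothetical choice for the example.
ALLOWED_INBOUND_PORTS = {20, 21, 25, 53, 80, 110, 443}


@dataclass(frozen=True)
class Flow:
    """One TCP connection attempt: who opens it, and to whom."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_host_port(text: str) -> tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by the PORT command and the 227 reply
    (RFC 959). The port number is p1*256 + p2."""
    m = re.search(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})", text)
    if m is None:
        raise ValueError(f"no host/port tuple in {text!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in {text!r}")
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def active_data_flow(port_cmd: str, server_ip: str) -> Flow:
    """Active mode: the server connects from port 20 to the address/port the client announced."""
    client_ip, client_port = parse_host_port(port_cmd)
    return Flow(server_ip, 20, client_ip, client_port)


def passive_data_flow(reply_227: str, client_ip: str, client_port: int) -> Flow:
    """Passive mode: the client connects from an ephemeral port to the port the server announced."""
    server_ip, server_port = parse_host_port(reply_227)
    return Flow(client_ip, client_port, server_ip, server_port)


def filter_verdict(flow: Flow, protected_ip: str, allowed_ports: set[int]) -> str:
    """Simplified stateless host filter (an assumption, not the Windows 2000 implementation):
    connections the protected host opens are let out; connections arriving at it are
    accepted only when the local destination port is on the allow list."""
    if flow.src_ip == protected_ip:
        return "allowed (outbound)"
    if flow.dst_ip == protected_ip and flow.dst_port in allowed_ports:
        return "allowed (inbound, port open)"
    return "refused (inbound to closed port)"


def data_connection_verdicts(protected_ip: str, allowed_ports: set[int]) -> dict[str, str]:
    """Evaluate the data connection of both modes for the host whose NIC carries the
    filter, using the constructed sample lines. Keys are mode names, values the verdict."""
    active = active_data_flow(SAMPLE_PORT_CMD, server_ip="203.0.113.10")
    passive = passive_data_flow(SAMPLE_227_REPLY, client_ip="192.168.1.50", client_port=1026)
    return {
        "active": filter_verdict(active, protected_ip, allowed_ports),
        "passive": filter_verdict(passive, protected_ip, allowed_ports),
    }


if __name__ == "__main__":
    # Filter on the client side: active mode's server-to-client data connection lands on
    # an ephemeral port above 1023, which the seven-port list does not cover.
    print("client side:", data_connection_verdicts("192.168.1.50", ALLOWED_INBOUND_PORTS))
    # Filter on the FTP server's NIC: now it is passive mode whose data connection arrives
    # on an unlisted port, while active mode's connection from port 20 goes out unhindered.
    print("server side:", data_connection_verdicts("203.0.113.10", ALLOWED_INBOUND_PORTS))
```

Run from the client's point of view, the active-mode data connection is the one refused, which is the "PORT command successful" followed by "425 Can't build data connection" the question shows; the passive one passes because the client opened it. Run from the server's point of view, the verdicts swap: the data connection in one of the two modes always arrives on a port above 1023, so a filter that lists only 20 and 21 cannot serve both sides, which is the point of the answer's last paragraph.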

This was last published in June 2001
