Filezilla FTP Client and Server Config

Hello All,

I’ve been using Comodo firewall for quite a while now on my laptop and desktop (as I love free software) and it has worked quite well. I’m attempting to pay more attention now to application and global rules in Comodo.

I’ve been trying unsuccessfully for the past few days to install a Filezilla FTP server on my desktop and a Filezilla FTP client on my laptop to sync and share files.

Originally I had used the default rules for ‘FTP Client’ for both the server and client software, and after it didn’t work I did a few searches here and while I didn’t find any step by step tutorials, I found out why the ‘FTP Client’ default rules didn’t work. I’m attempting to set up a passive FTP server and a passive FTP client, as I will in the future look to open up my desktop to other users.

As I understand FTP in the passive mode, a client connects to a server on port 21, and the server gives the client a range of ports to connect to, other than 20 and 21, usually above 1056 (let's say 20 000 to 20 100). All transfers happen on that port range on the server.

In FTP active mode, a client connects to a server, and the client tells the server what port range to connect to where all the transfers would occur, let's say 30 000 to 30 100 on the client computer.

Keeping that in mind I created the following rules that I thought would work. I configured the FTP server to open up ports 60 000 to 60 100 for incoming from a client in passive mode, and in active mode I configured the FTP client to allow incoming transfers from a server on ports 50 000 to 50 100. Ideally I would like to configure both the client and server as passive.

For the Desktop/FTP Server these are the current rules:

[global] TCP Out any/any/20/any (so that active may work as a backup)
[global] TCP In any/any/any/FTP Server Passive Ports <= port set of {21, 60 000 - 60 100}

[application] TCP Out any/any/20/any (active)
[application] TCP In any/any/any/FTP Server Passive Ports

For the Laptop/FTP Client these are the current rules:

[global] TCP Out any/any/any/any (I should probably change this to only allow going out from port 20 or 21, right?)

[application] TCP Out any/any/any/any (passive)
[application] TCP In any/any/20/ 50 000 - 50 100

I am not concerned with the security (or vulnerability) that exists with FTP as I’m using FTP over Hamachi, with the Filezilla server being bound to the Hamachi address only.

While attempting to connect from the client, Filezilla gives me this error:

Error: Could not connect to server

and then it waits and tries to connect again.

I set the application rules that I allowed to be flagged by the ‘Firewall Events’ viewer, and each time I attempt to connect I get my machine connecting on a random port to the FTP server with a destination port of 21, but no other rules that I have set to be flagged if allowed pop up.

In short, what am I doing wrong? It has to be something with the rules (be they application or global) but I’m just not seeing it. Sorry for the long post, I wanted to be as detailed as possible.

I guess I am a little confused by your discussion; I don't use the Filezilla server or FZ3. Are you using Filezilla 2 or Filezilla 3? FZ3 seems to only allow you to limit the local ports in active mode in the settings, not passive mode like FZ2. Does the log say anything? Are the global rules at the front of the list?
Try the simplest rules first and see if they work for passive ftp to see if the configuration is OK:

Client side
Allow & log/tcp/out/any/any/any/any - you should be able to verify from the log that the destination port is in (21, 60000-60100)

Server side
Allow & Log/tcp/in/any/any/any/(21,60000-60100)
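As an added example (it is not from either post, and it is not Filezilla's or Comodo's own code), here is a small Python checker that turns the rule notation used in this thread (proto/direction/source address/source port/destination address/destination port) into a first-match evaluator and runs the two connections of one passive transfer through it: the control connection to port 21 and the data connection to whatever port the server announces in its `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply, where the port is `p1*256 + p2` (RFC 959). The server passive range 60000-60100 and the client/server rule lists are the ones from the original post; the addresses, the PASV replies and the client's source ports are constructed values; the assumption that the firewall evaluates rules top-down with the first match winning is mine, and when no rule matches the checker reports "no match" rather than guessing the firewall's default action. This is essentially the check the reply describes doing by hand against the log: confirm that the data connection's destination port lands inside the allowed set.

```python
"""Check which Comodo-style rule a passive FTP transfer would hit.

Added example; the rule syntax mirrors the forum post's
proto/direction/src addr/src port/dst addr/dst port notation.
First-match-wins, top-down evaluation is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Set, Tuple, Union

Ports = Union[str, Set[int]]  # "any" or an explicit set of port numbers

# 227 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Decode the address and data port from a PASV (227) reply.

    The data port is p1 * 256 + p2, as defined by RFC 959.
    """
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


@dataclass
class Rule:
    action: str       # "allow" or "block"
    proto: str        # "tcp"
    direction: str    # "in" or "out"
    src_addr: str     # "any" or a literal address
    src_port: Ports
    dst_addr: str
    dst_port: Ports

    def matches(self, conn) -> bool:
        proto, direction, saddr, sport, daddr, dport = conn
        return (self.proto == proto and self.direction == direction
                and self.src_addr in ("any", saddr)
                and (self.src_port == "any" or sport in self.src_port)
                and self.dst_addr in ("any", daddr)
                and (self.dst_port == "any" or dport in self.dst_port))


def evaluate(rules, conn) -> str:
    """Return the action of the first matching rule, or "no match"."""
    for rule in rules:
        if rule.matches(conn):
            return rule.action
    return "no match"


# Rule lists taken from the original post (server passive ports 60000-60100).
SERVER_PASSIVE_PORTS = set(range(60000, 60101))
SERVER_IN_RULES = [
    Rule("allow", "tcp", "in", "any", "any", "any", {21} | SERVER_PASSIVE_PORTS),
]
CLIENT_OUT_RULES = [
    Rule("allow", "tcp", "out", "any", "any", "any", "any"),
]


def check_passive_transfer(client_ip: str, server_ip: str, pasv_reply: str,
                           client_port: int = 52311) -> dict:
    """Run one passive transfer's control and data connections through both
    the client's outbound rules and the server's inbound rules.

    client_port is a constructed ephemeral source port; the data connection
    is assumed to use the next one.
    """
    data_host, data_port = parse_pasv(pasv_reply)
    control = ("tcp", "out", client_ip, client_port, server_ip, 21)
    data = ("tcp", "out", client_ip, client_port + 1, data_host, data_port)

    def inbound(conn):
        # The server sees the same 5-tuple, but as an inbound connection.
        return ("tcp", "in") + conn[2:]

    return {
        "data_port": data_port,
        "client_control": evaluate(CLIENT_OUT_RULES, control),
        "client_data": evaluate(CLIENT_OUT_RULES, data),
        "server_control": evaluate(SERVER_IN_RULES, inbound(control)),
        "server_data": evaluate(SERVER_IN_RULES, inbound(data)),
    }


if __name__ == "__main__":
    # Constructed replies: 234*256+96 = 60000 (inside the range),
    # 195*256+80 = 50000 (outside it).
    for reply in ("227 Entering Passive Mode (25,0,0,2,234,96)",
                  "227 Entering Passive Mode (25,0,0,2,195,80)"):
        print(reply, "->", check_passive_transfer("25.0.0.1", "25.0.0.2", reply))
```

Running it shows the first reply's data connection allowed on both ends and the second one hitting no server-side inbound rule, which is the situation the reply's "verify from the log that the destination port is in (21, 60000-60100)" is meant to catch: a server that advertises a data port outside its own firewall's allowed set will accept the control connection on 21 and then fail on every transfer.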