Port 21 for FTP Server only

Hi, I'm new to Comodo and (L)

But I don't understand the settings at all. For example: when I allow TCP/UDP in Application monitor for my FTP server (In/Out at ANY port), why is everybody still blocked, and why do I have to make a rule in Network monitor to allow port 21 for incoming TCP?
I just can't understand the difference between Application and Network monitor. In my former firewall I just allowed the application I wanted.
And another question: is there a way to allow communication on port 21 only for the FTP server application (Cerberus FTP)? When I create a rule allowing port 21 in Network monitor and the FTP server is not running, I still have granted access from the LAN to my computer on this port, and I don't want to.

Sorry for my English, I'm not a native speaker… 88)

You should make a network monitor rule to allow inbound on port 21 for your FTP server.

CFP will only open a port IF there is an application that uses that port running. If you shut the FTP server down, the firewall will not allow inbound traffic on 21 as there is no application to receive the data. This is how the application and network monitors work together.

Ewen :slight_smile:

Hi panic,
thanks for the reply. But I still have a question. I have, for example, Gmail notifier installed on my computer. I allowed TCP/UDP OUT for this in Application monitor. The Connection window (under Activity) shows me gnotify.exe TCP IN/OUT with source MY IP:1678 and destination XXX:80 and transferred bytes IN and OUT. But I have no rule in Network monitor that allows TCP IN on port 1678 or 80 (I don't know which port is used for incoming data). So how can the notifier communicate without the rule, and why can the FTP server not?


Gmail is a web-based service and uses http to talk to port 80 on the remote server. Your PC is initiating contact with the Gmail server and it is using the same network monitor rule that your browser gets out with.

In a nutshell, your PC is sending a request out to port 80 on the gmail server and telling it that it is listening for a response on port 1678 on your PC. The firewall is seeing outbound http traffic that meets the criteria of one of the network monitor rules. It accepts the incoming data to your port 1678 because it is a legitimate inbound response to a legitimate outbound request.

Hope this helps,
Ewen :slight_smile:
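The behaviour described in the replies above, as an added example that is not part of the original thread and not Comodo's own code. It is a simplified model: the class, the application names and the addresses are constructed, and outbound traffic is assumed to pass the default "allow out" network rule.

```python
from collections import namedtuple

# Constructed sample traffic; addresses are documentation ranges, names are hypothetical.
Packet = namedtuple("Packet", "direction proto local_port remote_ip remote_port")

class Firewall:
    """Simplified model of the two layers discussed above (not Comodo's engine)."""

    def __init__(self, allowed_apps):
        self.allowed_apps = set(allowed_apps)  # application monitor
        self.inbound_rules = set()             # network monitor: (proto, local_port)
        self.listeners = {}                    # local_port -> running application
        self.flows = set()                     # flows opened by outbound traffic

    def decide(self, pkt, app=None):
        flow = (pkt.proto, pkt.local_port, pkt.remote_ip, pkt.remote_port)
        if pkt.direction == "out":
            if app not in self.allowed_apps:
                return "block: application not allowed"
            self.flows.add(flow)               # remember it so the reply can return
            return "allow: outbound"
        if flow in self.flows:
            return "allow: reply to outbound request"
        if (pkt.proto, pkt.local_port) not in self.inbound_rules:
            return "block: no inbound network rule"
        listener = self.listeners.get(pkt.local_port)
        if listener is None:
            return "block: nothing listening"
        if listener not in self.allowed_apps:
            return "block: application not allowed"
        return "allow: inbound to " + listener

def demo():
    fw = Firewall(allowed_apps={"gnotify.exe", "ftpserver.exe"})
    ftp_in = Packet("in", "tcp", 21, "192.0.2.20", 40000)
    results = [
        fw.decide(Packet("out", "tcp", 1678, "203.0.113.10", 80), app="gnotify.exe"),
        fw.decide(Packet("in", "tcp", 1678, "203.0.113.10", 80)),
        fw.decide(ftp_in),                     # no network rule yet
    ]
    fw.inbound_rules.add(("tcp", 21))
    results.append(fw.decide(ftp_in))          # rule exists, server stopped
    fw.listeners[21] = "ftpserver.exe"
    results.append(fw.decide(ftp_in))          # rule exists, server running
    return results

if __name__ == "__main__":
    print("\n".join(demo()))
```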

Clear. Thanks for the explanation. Have a great day.

Hi panic

Thanks for the explanations on the ftp server setup. I had a problem with mine that is did solve. However, I have a more general question about the network monitoring rules.

The program comes with rules already set up with “any” as the filters - in other words, as far as I understand it, these rules don’t really filter, unless I don’t understand them. In addition, anytime I want to start a new program that uses a new port, I have had to create a new network rule - for instance, for utorrent. So the questions are:

  1. do I really have to create a new network rule if a new port needs to be open?
  2. are the network rules that come with the program necessary, or can they be deleted?

And yes - I am a newbie to this and learning the program, which I find quite good.


I’ll refer you all to here: https://forums.comodo.com/index.php/topic,6167.0.html as there’s a wealth of encapsulated information in there, as well as a link to the FAQ hot topics. There’s an excellent Explanation of Network Control Rules that you may find handy, and also an explanation of Comodo’s layered rules. And a bunch of other stuff!

Df2, to answer your questions briefly:

  1. Yes. But only as it relates to unsolicited Inbound connections, such as your p2p application, which needs to Listen on the specified port. Without that Network rule, the application will be stuck like chuck in the muck, and never get out. To take it one step further, if the application in question isn’t running, the port isn’t open. The FW does not open the port, it only allows the port to be opened, if there’s a rule to Allow such activity/connection.

  2. The default rules are designed to fit the majority of average users’ needs, so that they do not need to make any changes, and can have a “set and forget” firewall. You may not need some of them for your specific configuration of computer and internet connection. You may also need more. There is a rule to Allow TCP/UDP Out from Any to Any (IP) from Any to Any (port). This allows you to browse, check email (thru a client), etc. So you’ll probably need that one. The other VERY IMPORTANT one is the bottom rule, which is set to Block & Log IP In/Out from Any to Any (IP) where IP Detail is Any. That is your safety net; do not remove it, or move it from the bottom position. More is explained in the link I gave.

Hope this helps,


I think it would be instructional to know how FTP works.

FTP actually uses multiple connections: 1 for commands, and 1 (or more) for data transfer. Very unlike other Internet protocols. The way it goes is like this:

Client:portX → Server:21 = open connection
Client:portX → Server:21 = navigations, choose a file
Client:portX → Server:21 = inform mode of transfer, inform client’s port (let’s say portY)
Client:portY ← Server:20 = open connection
Client:portY ← Server:20 = actual data transfer

Now this transfer mode might not work, e.g. if Client is behind a NAT router or a corporate firewall. So, there’s an alternate flow:

Client:portX → Server:21 = open connection
Client:portX → Server:21 = navigations, choose a file
Client:portX → Server:21 = inform mode of transfer, instruct PASV mode
Client:portY → Server:20 = open connection
Client:portY ← Server:20 = actual data transfer

The difference lies in step 4, i.e. who opens the connection with port 20 of the FTP server. If only port 21 is allowed, data transfer cannot happen.

As to OP’s question:

Application monitors govern which applications are allowed to initiate a connection (e.g. creating “listening” ports, opening a connection to a remote system, etc.). An analogy: a rule describing who may drive (e.g. those with a driver license) and who may not (e.g. under-age or legally blind).

Network monitors govern what kind of traffic is allowed. An analogy: a rule describing what cars/vehicles may enter a road (e.g. cars/vehicles with tonnage under 3 tonnes) and what cars/vehicles may not use that road.

Add to this, CFP also has Advanced Packet Analysis. An analogy: drug-searching your car, or perhaps emission control tests.


Further to Pepoulan’s VG post of how FTP works;

If you’re going to set your server up to use PASV, you should nominate a small range of ports it should use for the client initiated data channel and let your clients know what ports have been allowed for FTP. If this isn’t done, your firewall will have to be configured to allow FTP IN on any port from 1057 - 65535. It’s much better to have a restricted range.

Ewen :slight_smile:
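One way to check that a server really stays inside the restricted passive range before writing the firewall rule, as an added example that is not part of the original thread. The control-channel lines, the addresses and the 50000-50010 range are constructed; the host/port field format (h1,h2,h3,h4,p1,p2 with port = p1*256 + p2) is the standard one used by the PORT command and the 227 reply.

```python
import re

# Constructed control-channel lines (documentation addresses), not a real capture.
SAMPLE_LINES = [
    "PORT 192,0,2,20,156,64",
    "227 Entering Passive Mode (192,0,2,5,195,80)",
    "227 Entering Passive Mode (192,0,2,5,195,90)",
    "227 Entering Passive Mode (192,0,2,5,4,33)",
]

FIELD = re.compile(r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b")

def parse_hostport(text):
    """Extract (ip, port) from the h1,h2,h3,h4,p1,p2 field of a PORT command or 227 reply."""
    match = FIELD.search(text)
    if not match:
        raise ValueError("no host/port field in: %r" % text)
    nums = [int(n) for n in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field value above 255 in: %r" % text)
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]      # port is sent as two bytes, high byte first

def ports_outside_range(lines, low, high):
    """Return data ports advertised in 227 replies that the firewall range would block."""
    outside = []
    for line in lines:
        if line.startswith("227"):
            _, port = parse_hostport(line)
            if not low <= port <= high:
                outside.append(port)
    return outside

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line, "->", parse_hostport(line))
    print("outside 50000-50010:", ports_outside_range(SAMPLE_LINES, 50000, 50010))
```

Any port this reports means the server's passive range setting and the firewall's inbound rule do not match, so either the transfer will fail or the rule is wider than it needs to be.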