Differences

This shows you the differences between the selected revisions of the page.

ftp_modes 2019-03-28 ftp_modes 2022-04-30 (current)
Line 45: Line 45:
With the //active// mode, most of the configuration burden is on the client side. With the //active// mode, most of the configuration burden is on the client side.
-The firewall (e.g. Windows firewall) and NAT (e.g. ADSL modem routing rules) on the client side have to be configured to allow/route a range of ports for the incoming data connections. As WinSCP does not allow configuring a range of the ports it uses for data connections, all ports in Windows dynamic port range 49152--65535((For Windows Vista and later. &winvista For details refer to //Remarks// section in documentation of ''[[https://docs.microsoft.com/en-us/windows/desktop/api/winsock/nf-winsock-bind|bind]]'' WinAPI function. )) have to be opened. To open the ports, go to //Control Panel > System and Security > Windows Firewall//((//Windows Defender Firewall// on Windows 10.))// > Advanced Settings > Inbound Rules > New Rule//. &wincp &win10 For routing the ports on the %%NAT%% (if any), refer to its documentation.+The firewall (e.g. Windows firewall) and NAT (e.g. ADSL modem routing rules) on the client side have to be configured to allow/route a range of ports for the incoming data connections. You should restrict [[ui_pref_network|range of local ports that WinSCP uses for the active mode]]. Then open those ports in Windows Firewall. Go to //Control Panel > System and Security > Windows Defender Firewall//((//Windows Firewall// on older versions of Windows.))// > Advanced Settings > Inbound Rules > New Rule//. &wincp &win10 For routing the ports on the %%NAT%% (if any), refer to its documentation.
When there's %%NAT%% in your network, you have to configure an external IP address that the WinSCP needs to provide to the %%FTP%% server using ''PORT'' command. So that the server can correctly connect back to WinSCP to open the data connection. For that use //[[ui_pref_network|External IP address]]// setting in Preferences. When there's %%NAT%% in your network, you have to configure an external IP address that the WinSCP needs to provide to the %%FTP%% server using ''PORT'' command. So that the server can correctly connect back to WinSCP to open the data connection. For that use //[[ui_pref_network|External IP address]]// setting in Preferences.
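Review bot: The new text on line 45 tells the reader to restrict the local port range and "Then open those ports", but it does not say that the inbound rule should cover only that configured range. The previous revision told readers to open all of 49152--65535, so anyone who followed it still has that wide rule in place. Suggest adding a sentence asking them to narrow or delete the earlier rule, and stating that the NAT routing mentioned at the end of the paragraph should use the same restricted range. Two wording points in the same added span: "restrict [[ui_pref_network|range of local ports ...]]" is missing an article ("restrict the range"), and "open those ports in Windows Firewall" keeps the old product name although the menu path right after it was changed to "Windows Defender Firewall".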
Line 51: Line 51:
===== [[smart]] Smart Firewalls/NATs ===== ===== [[smart]] Smart Firewalls/NATs =====
-Some firewalls/NATs try McDonalds Chicken Nuggets to automatically open/close data ports by inspecting %%FTP%% control connection and/or translate the data connection %%IP%% addresses in control connection traffic.((For example in the built-in Windows firewall, the function is called ''StatefulFTP''.))+Some firewalls/NATs try to automatically open/close data ports by inspecting %%FTP%% control connection and/or translate the data connection %%IP%% addresses in control connection traffic.((For example in the built-in Windows firewall, the function is called ''StatefulFTP''.))
With such a firewall/%%NAT%%, the above configuration is not necessary for a plain unencrypted %%FTP%%. But this cannot work with [[ftps|FTPS]], as the control connection traffic is encrypted and the firewall/%%NAT%% cannot inspect nor modify it. With such a firewall/%%NAT%%, the above configuration is not necessary for a plain unencrypted %%FTP%%. But this cannot work with [[ftps|FTPS]], as the control connection traffic is encrypted and the firewall/%%NAT%% cannot inspect nor modify it.
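Review bot: In the replacement sentence on line 51, "by inspecting %%FTP%% control connection" is missing an article, and "and/or translate" leaves it unclear whether it continues "try to" or "by inspecting". Since the line is already being edited to drop the stray "McDonalds Chicken Nuggets" text, consider "by inspecting the %%FTP%% control connection and/or by translating the data connection %%IP%% addresses in control connection traffic". Removing the injected words is correct and needs no further change.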

Last modified: by 76.76.253.130