If you want to connect to any server, you need to tell your firewall that FileZilla/FileZilla Pro should be allowed to open connections to other servers. Most normal FTP servers use port 21, SFTP servers use port 22 and FTPS servers (implicit mode) use port 990 by default.
These ports are not mandatory, however, so it’s best to allow outgoing connections to arbitrary remote ports.
Since many servers on the internet don’t support both transfer modes, it’s recommended that you configure both transfer modes on your end.
It’s a little like ordering a pizza: You make a phone call or put in an order via a website, but the actual pizza arrives by car or scooter.
The second channel – the data channel – is opened differently in active and passive modes. In active mode, the remote server opens the data channel. In passive mode, the local machine opens the data channel using the IP address and port number with which the remote server replies to a successful connection request. Sort of like the difference between having a pizza delivered (active mode) and going to pick it up yourself (passive mode).
The reason these differences are important is that some firewalls and routers won’t allow a remote server to initiate a connection to a computer on the local network. If the remote server can’t open the data channel, the active mode FTP connection can’t transfer any data.
By default, FileZilla Pro uses passive mode for FTP and FTPS connections.
In passive mode, FileZilla/FileZilla Pro has no control over what port the server chooses for the data connection. Therefore, in order to use passive mode, you’ll have to allow outgoing connections to all ports in your firewall.
In active mode, FileZilla/FileZilla Pro opens a socket and waits for the server to establish the transfer connection.
By default, FileZilla/FileZilla Pro asks the operating system for the machine’s IP address and for the number of a free port. This configuration can only work if you are connected to the internet directly without any NAT router, and if you have set your firewall to allow incoming connections on all ports greater than 1024.
If you have a NAT router, you need to tell FileZilla/FileZilla Pro your external IP address in order for active mode connections to work with servers outside your local network:
- If you have a fixed external IP address, you can enter it in Edit > Settings, FTP, Active Mode, Use the following IP address box.
- If you have a dynamic IP address, you can authorize FileZilla Pro to obtain your external IP address from a special website. This will occur automatically each time FileZilla Pro is started. No information will be submitted to the website (regardless of FileZilla Pro version).
If in doubt, use the second option.
If you do not want to allow incoming connections on all ports, or if you have a NAT router, you need to tell FileZilla/FileZilla Pro to use a specific range of ports for active mode connections.
Configure the range in Edit > Settings, FTP, Active Mode, enable Limit local ports used by FileZilla/FileZilla Pro and fill the boxes with the minimum and maximum port numbers. You will have to open these ports in your firewall. If you have a NAT router, you need to forward these ports to the local machine on which FileZilla Pro is installed. Depending on your router model, you can either forward a range of ports or you need to forward all ports individually.
Valid ports can be from 1 to 65535; however, ports less than 1024 are reserved for other protocols. It is best to choose ports greater than or equal to 50000 for active mode FTP.
Due to the nature of TCP (the underlying transport protocol), a port cannot be reused immediately after each connection. Therefore, the range of ports should not be too small to prevent the failure of transfers of multiple small files. A range of 50 ports should be sufficient in most cases.
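The address exchange behind both modes, as an added example that is not FileZilla code or part of the original documentation: it decodes the address a server returns for passive mode, encodes the address a client announces for active mode, and checks an active-mode setup against the advice above. The 227 reply and PORT argument formats are from the FTP specification (RFC 959); the function names and sample addresses are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 writes an address as six decimal bytes: h1,h2,h3,h4,p1,p2
_HOSTPORT = re.compile(r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b")
# RFC 1918 ranges: reachable on the LAN only, never from a remote server
_LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_pasv_reply(line):
    """Return (ip, port) the client must connect to in passive mode."""
    if not line.startswith("227"):
        raise ValueError("not a 227 passive-mode reply")
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError("no host/port tuple in reply")
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range")
    # The port is sent as two bytes, high byte first
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def build_port_argument(ip, port):
    """Return the h1,h2,h3,h4,p1,p2 argument a client announces in active mode."""
    addr = ipaddress.IPv4Address(ip)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return ",".join(str(b) for b in addr.packed) + f",{port >> 8},{port & 0xFF}"

def check_active_mode(announced_ip, low, high):
    """List problems with an active-mode address and local port range."""
    problems = []
    addr = ipaddress.IPv4Address(announced_ip)
    if any(addr in net for net in _LAN_NETS):
        problems.append("LAN address announced; a server outside the local network cannot reach it")
    if not 1 <= low <= high <= 65535:
        problems.append("invalid port range")
    else:
        if low < 1024:
            problems.append("range includes ports below 1024")
        if high - low + 1 < 50:
            problems.append("fewer than 50 ports; transfers of many small files may fail")
    return problems

# Constructed samples (documentation and private address ranges)
print(parse_pasv_reply("227 Entering Passive Mode (198,51,100,7,195,149)"))
print(build_port_argument("203.0.113.10", 50000))
print(check_active_mode("192.168.1.20", 1000, 1010))
```

The first check is the NAT case: behind a router the operating system reports the LAN address, which is why the external IP address has to be configured for active mode.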