Changing the client connection ports for passive mode on the Windows FTP service

2021-01-17, Network

My personal advice: don't use the Windows native FTP service at all. First, it is really quite a hassle to configure; second, permission control is a pain. Just use FileZilla together with FlashFXP instead!

There is an official answer to your question: under Windows, passive mode FTP data transfers use the server's ephemeral ports by default, and the default ephemeral port range on Windows Server is 49152-65535.

View the dynamic port range:

`netsh int ipv4 show dynamicport tcp`

Set the TCP dynamic port range:

`netsh int ipv4 set dynamicport tcp start=10000 num=1000`

Reposted from https://bbs.csdn.net/topics/392189358

The default dynamic port range for TCP/IP has changed since Windows Vista and Windows Server 2008

Original product version: Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows 10 (all editions)

Original KB number: 929851

Summary

To comply with Internet Assigned Numbers Authority (IANA) recommendations, Microsoft increased the dynamic client port range for outgoing connections in Windows Vista and Windows Server 2008. The new default start port is 49152, and the new default end port is 65535. This is a change from the configuration of earlier versions of Windows, which used a default port range of 1025 to 5000.

More information

You can view the dynamic port range on a computer running Windows Vista or Windows Server 2008 with the following netsh commands:

```
netsh int ipv4 show dynamicport tcp
netsh int ipv4 show dynamicport udp
netsh int ipv6 show dynamicport tcp
netsh int ipv6 show dynamicport udp
```

Note: the range is set separately for each transport (TCP or UDP). The port range is now a true range with a start point and an end point.

Microsoft customers who deploy servers running Windows Server 2008 may run into problems that affect RPC communication between servers if firewalls are used on the internal network. In these situations, it is recommended that you reconfigure the firewalls to allow traffic between the servers in the dynamic port range of 49152 through 65535. This range lies outside the well-known ports used by services and applications. Alternatively, the port range used by the servers can be modified on each server.

You can adjust this range with the netsh command, in the form `netsh int <ipv4|ipv6> set dynamicport <tcp|udp> start=<number> num=<range>`. This command sets the dynamic port range for the chosen transport: the start port is `number` and the total number of ports is `range`. Example commands:

```
netsh int ipv4 set dynamicport tcp start=10000 num=1000
netsh int ipv4 set dynamicport udp start=10000 num=1000
netsh int ipv6 set dynamicport tcp start=10000 num=1000
netsh int ipv6 set dynamicport udp start=10000 num=1000
```

These example commands set the dynamic port range to start at port 10000 and end at port 10999 (1000 ports). The smallest range of ports you can set is 255. The lowest start port you can set is 1025. The end port that results from the configured start port and range cannot exceed 65535. To replicate the default behaviour of Windows Server 2003, use 1025 as the start port and 3976 as the range for both TCP and UDP. This gives a start port of 1025 and an end port of 5000.

Note: when Microsoft Exchange Server 2007 is installed on a computer running Windows Server 2008, the default port range is 1025 to 60000.

Reposted from https://docs.microsoft.com/zh-cn/troubleshoot/windows-server/networking/default-dynamic-port-range-tcpip-chang

How to Configure Windows Firewall for a Passive Mode FTP Server

Applies To: Windows 7, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Using the File Transfer Protocol (FTP) service on a server behind a firewall creates a set of challenges because of the way FTP works. A standard mode FTP client initiates a session to a server by opening a "command channel" connection to TCP port number 21. A file transfer is requested by the client by sending a PORT command to the server. The server then attempts to initiate a "data channel" connection back to the client on TCP port number 20. A typical firewall running on the client sees this data channel connection request from the server as unsolicited and drops the packets, causing the file transfer to fail.

Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008 supports stateful FTP, which allows it to match inbound connection requests on port 20 with previous outbound PORT commands from the client. However, if you use FTP over SSL to encrypt and secure the FTP traffic, then the firewall can no longer inspect the inbound connection requests from the server, and they are blocked.

To avoid this issue, FTP also supports a "passive" operational mode in which the client initiates the data channel connection. Instead of using the PORT command, the client sends a PASV command on the command channel. The server responds with the TCP port number to which the client should connect to establish the data channel. By default, the server uses an available port in the ephemeral range (1025 through 5000). To better secure the server, you can restrict the port range used by the FTP service, and then create a firewall rule that allows FTP traffic on only those allowed port numbers.
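A small verification helper, added here as an example and not part of the original post or of Microsoft's documentation: it computes the range that a `netsh ... set dynamicport start=<number> num=<range>` pair produces under the limits the KB text above states (minimum start port 1025, minimum range 255, end port at most 65535), parses the `show dynamicport` output, and decodes a server's `227` PASV reply so you can confirm the advertised data port actually lands inside the range your firewall rule allows. The netsh output and PASV reply below are constructed samples.

```python
import re

# Limits quoted from the KB text above (Windows Vista / Server 2008 dynamic port range).
MIN_START_PORT = 1025
MIN_RANGE = 255
MAX_PORT = 65535


def dynamic_port_range(start, num):
    """Return (first, last) for 'start=<start> num=<num>'; raise on an invalid pair."""
    if start < MIN_START_PORT:
        raise ValueError(f"start port {start} is below the minimum {MIN_START_PORT}")
    if num < MIN_RANGE:
        raise ValueError(f"range {num} is below the minimum {MIN_RANGE}")
    last = start + num - 1          # e.g. start=10000 num=1000 -> 10000-10999
    if last > MAX_PORT:
        raise ValueError(f"end port {last} exceeds {MAX_PORT}")
    return start, last


# Constructed sample in the layout 'netsh int ipv4 show dynamicport tcp' prints.
NETSH_SHOW_OUTPUT = """
Protocol tcp Dynamic Port Range
---------------------------------
Start Port      : 49152
Number of Ports : 16384
"""


def parse_show_dynamicport(text):
    """Turn the 'show dynamicport' output into the (first, last) range it describes."""
    start = int(re.search(r"Start Port\s*:\s*(\d+)", text).group(1))
    num = int(re.search(r"Number of Ports\s*:\s*(\d+)", text).group(1))
    return dynamic_port_range(start, num)


# RFC 959 PASV reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2); port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (address, port) advertised by the server in a 227 reply."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply")
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def pasv_port_allowed(reply, allowed):
    """True when the advertised data port falls inside the firewall-allowed (first, last) range."""
    _, port = parse_pasv(reply)
    return allowed[0] <= port <= allowed[1]
```

Run `parse_show_dynamicport` over the real netsh output on the server and `pasv_port_allowed` over a captured PASV reply to catch an FTP service still handing out ports outside the range the firewall rule opens.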
This topic discusses how to:

- Configure the FTP service to only use a limited number of ports for passive mode FTP
- Configure an inbound firewall rule to allow inbound FTP connections on only the allowed ports

The following procedure shows the steps for configuring the FTP service on Internet Information Services (IIS) version 7.0. If you are using a different FTP service, then consult that product's documentation for appropriate steps. Configuring support for SSL is beyond the scope of this topic. For more information, see the IIS documentation.

Configure the FTP service to only use a limited number of ports for passive mode FTP

1. In the IIS 7.0 Manager, in the Connections pane, click the top node for your server.
2. In the details pane, double-click FTP Firewall Support.
3. Enter the range of port numbers that you want the FTP service to use. For example, 41000-41099 allows the server to support 100 passive mode data connections simultaneously.
4. Enter the external IPv4 address of the firewall through which the data connections arrive.
5. In the Actions pane, click Apply to save your settings.

You must also create a firewall rule on the FTP server to allow inbound connections on the ports you configured in the previous procedure. Although you could create a rule that specifies the ports by number, it is easier to create a rule that opens any port on which the FTP service is listening. You limit the ports on which FTP is listening by following the steps in the previous procedure.

Configure an inbound firewall rule to allow inbound FTP connections to only the ports on which FTP is listening

1. Open an Administrator command prompt. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as Administrator.
2. Run the following command:

```
netsh advfirewall firewall add rule name="FTP Service" action=allow service=ftpsvc protocol=TCP dir=in
```

3. Finally, disable stateful FTP filtering so that the firewall does not block any FTP traffic:
```
netsh advfirewall set global StatefulFTP disable
```

Source: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd421710(v=ws.10)?redirectedfrom=MSDN

Tags: ftp

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.