Re: SFTP requirement

"Andrew" <andrew@xxxxxxxxxxx> wrote in message
> Hi,
> If I want to setup SFTP (Secure FTP), besides enabling Port 22, is there
> anything I need to enable?
> Both SFTP server and SFTP client have been tested internally without
> firewall.

If you've done that, then just review the firewall logs, or run a sniffer
such as, to see what ports are used. That's my
recommendation. Try a couple of different tests, not just one, as the port
numbers may change.

>From googling, it appears that different SFTP implementations use different
ports depending on how they work [SSL, SSH like yours appears to be, etc].

Also, not sure how your SFTP works, but I believe at least some if not all
SFTP solutions still use two different sessions with two different ports,
one for control [commands] and one for data [up/downloads]. With regular
unencrypted FTP, you've got Active and Passive FTP modes, and the ports are
different depending on which one the clients and servers are configured to
use. Passive is probably recommended for going through firewalls. With
regular FTP, a random port is chosen for the data channel, but it is
outbound from the client.

If your firewall is permissively configured to let everything outbound [not
that I'm necessarily recommending that], and your clients and servers are
configured to use Passive FTP, then possibly none of this will present a
problem for you. But it's good to know anyways.


Relevant Pages

  • Re: FTP server behind a PF firewall (including NAT)
    ... Philip> have exactly the same problem. ... Philip> huge range of high ports, and I can't find any information ... IPFW is a real pain compared to most modern firewall software. ... address-translate) the FTP data transfers. ...
  • Re: Can allowing ftp compromise security?
    ... I am wondering if leaving port 21 open for ftp access would ... I have all my ports closed except for SSH. ... sftp does *not* do everything FTP does. ... You have to add patches by hand to get chroot, ...
  • Re: Newbie question about ports.
    ... Can you do a CVSup to update your ports via http? ... Cvsup does not support http, but neither does it use ftp (see man cvsup, ... openable through your firewall. ...
  • Re: Passive Mode issue
    ... in the windows firewall and the network firewall with the same results. ... and the ftp site is bound to a specific public IP. ... The server will timeout from all users trying passive mode. ... passive port range for IIS and opened those ports in the firewall, ...
  • Re: Passive Mode issue
    ... Bernard Cheah ... windows firewall for ftp, so it does fail with the firewall enabled, this ... Normally the FTP site is bound to the public IP, ... firewall ports, but i think i have all those correct. ...