Windows Firewall - opening/closing ports via command-line
I was today making some changes to a web application for a client hosted on a dedicated Win 2008 server. When I tried to connect using FTP to upload my changes to the web-server, I got a:
Response: 425 Can't open data connection.
Error: Failed to retrieve directory listing
error in FileZilla. I have always got this error while FTPing to this web-server, but I decided to look into the issue this time (earlier I would workaround by RDPing into the web-server and transferring files directly).
So my first imagination was it might be a permission's problem for the FTP user. When I checked the folder permissions, they appeared to be fine. I then thought it might be some issue in setting up Plesk correctly (the server uses Parallels Plesk Panel). A basic Google search for that error when using Plesk suggested it might be a Firewall issue with passive FTP ports. So the next thing I wanted to check was Plesk's FTP port settings, but noticed I did not had Plesk admin access.
I retrieved Plesk's admin password using the following on command-line (thanks Google):
After logging-in to Plesk as administrator, I noticed the Passive FTP ports (under Home -> Settings -> FTP Settings) were set to 1025-5001 (a very wide range I must say). I checked Windows Firewall settings, and whoa, those ports were not opened. To ensure this was the issue, I disabled Windows Firewall for a moment, and tried connecting through FTP, it worked. So this was surely an issue with ports not opened through the Firewall. I enabled the firewall again and decided to open those Passive FTP ports for Plesk.
Windows Firewall does not allow specifying port ranges to open through GUI, and manually opening that many ports by point-and-click operation is certainly out of question. Google again to the rescue and I got the following command to open ports in Windows Firewall using command-line:
FOR /L %I IN (1025,1,5000) DO netsh firewall add portopening TCP %I "Passive FTP"%I
1025 would be the starting port number that would be opened uptil port number 5000. TCP is the protocol allowed for the port and "Passive FTP"%I would basically give you Firewall rules with names like "Passive FTP1025", "Passive FTP1026" etc, an intuitive choice to figure out what that rule applies to.
Some seconds into the execution of above command (it can take really long depending upon the number of ports specified), I changed my mind. I wanted to use different ports and lesser number of them to be opened for passive FTP. I terminated the script using "Ctrl+C". To undo the ports already opened, I searched again for a command-line script for closing them, none was to be found.
So I turned to Windows command-line help system itself (-? switch) and figured out it can be done using "netsh firewall delete portopening" command. My initial attempt at:
FOR /L %I IN (1025,1,1475) DO netsh firewall delete portopening "Passive FTP"%I
failed (ports uptil 1475 had been opened at the point I terminated the command to open ports). I was trying to give rule names which were not accepted (I got invalid command errors). So I tried to give the protocol and port number for closing them and it worked:
FOR /L %I IN (1025,1,1475) DO netsh firewall delete portopening TCP %I
I went back into Plesk FTP Settings, and restricted Passive FTP ports to the range: 5001-5201. Finally the following command opened those up in Windows Firewall:
FOR /L %I IN (5001,1,5201) DO netsh firewall delete portopening "Passive FTP"%I
Couple of handy tricks about Windows Firewall and Plesk I learned in the process.