Access Denied--Knowing FTP from a Network Perspective

\[Editor's Note: Do you have a security-related question about Windows 2000? Send it to [email protected], and you might see the answer in this column!\]

I'm setting up IP Security (IPSec) on my Windows 2000 Server machine with Microsoft Internet Information Services (IIS) 5.0, but I can't get the filters on my FTP port to work. I began by creating a rule that denies access to all ports. Then, I created one rule that allows HTTP access to port 80 from any computer and a second rule that allows FTP access to port 21 from my computer only. The port 80 (HTTP access) rule works well, letting people access my Web site, but the port 21 (FTP access) rule doesn't work. My FTP rule is

Name: Inbound FTP
Filter Action: Permit
Mirror: Yes
Protocol: TCP
Source Port: Any
Dest. Port: 21
Source DNS Name: Any IP Address
Source Address: \[My computer's IP address\]
Source Mask:
Dest. DNS Name: My IP Address
Dest. Address: My IP Address
Dest. Mask:

If I can log on with my FTP client from my computer's IP address, why can't I list files on the Web site?

FTP actually uses two ports—port 21 for commands and port 20 for data transfer. You can log on but can't list your files because file listings and file transfers use port 20, which is still blocked. To solve your problem, just add another rule that allows access to port 20. Go to http://www.slacksite.com/other/ftp.html for a good explanation of how FTP works from a network perspective.
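To make the two-port behaviour concrete, here is an added example (not code from the column or from Microsoft) that models how IPSec packet filters decide the fate of a TCP packet and runs the reader's three rules, then the rules plus the recommended port-20 rule, over a constructed FTP session. The IP addresses, port numbers and rule names are constructed sample values; the "most specific filter wins" evaluation is a simplification of how Windows IPSec orders its filters.

```python
"""Added example, not from the column: a small model of IPSec packet
filtering, run over a constructed FTP session to show why the reader's
rule set lets the port-21 control connection through but blocks the
port-20 data connection. All addresses and ports are constructed."""
from dataclasses import dataclass
from typing import List, Optional

SERVER = "192.0.2.10"    # constructed: the IIS/FTP server ("My IP Address")
CLIENT = "192.0.2.20"    # constructed: the reader's own computer
OTHER = "198.51.100.7"   # constructed: some other host on the Internet
ANY = None               # wildcard, like "Any IP Address" / "Any" port


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "Permit" or "Block"
    src: Optional[str]        # None means Any IP Address
    sport: Optional[int]      # None means Any port
    dst: Optional[str]
    dport: Optional[int]
    mirror: bool = True       # "Mirror: Yes", as in the reader's rule

    @staticmethod
    def _fits(want, got) -> bool:
        return want is ANY or want == got

    def _one_way(self, p: Packet, src, sport, dst, dport) -> bool:
        return (self._fits(src, p.src) and self._fits(sport, p.sport)
                and self._fits(dst, p.dst) and self._fits(dport, p.dport))

    def matches(self, p: Packet) -> bool:
        if self._one_way(p, self.src, self.sport, self.dst, self.dport):
            return True
        # A mirrored filter also matches the reverse direction, with
        # addresses and ports swapped; that is what lets replies back out.
        return self.mirror and self._one_way(
            p, self.dst, self.dport, self.src, self.sport)

    def specificity(self) -> int:
        # Number of fields that are not wildcards.
        return sum(f is not ANY for f in (self.src, self.sport, self.dst, self.dport))


def decide(rules: List[Rule], p: Packet) -> str:
    """Return the action of the most specific matching rule (assumption:
    a simplified model of Windows IPSec applying the most specific
    filter first). No matching rule at all means Block."""
    hits = [r for r in rules if r.matches(p)]
    if not hits:
        return "Block"
    return max(hits, key=lambda r: r.specificity()).action


# The reader's three rules, as described in the question.
DENY_ALL = Rule("Deny all", "Block", ANY, ANY, ANY, ANY)
HTTP_IN = Rule("Inbound HTTP", "Permit", ANY, ANY, SERVER, 80)
FTP_CONTROL = Rule("Inbound FTP", "Permit", CLIENT, ANY, SERVER, 21)
ORIGINAL_RULES = [DENY_ALL, HTTP_IN, FTP_CONTROL]

# The fix the column recommends: one more rule for the data port.
FTP_DATA = Rule("Inbound FTP data", "Permit", CLIENT, ANY, SERVER, 20)
FIXED_RULES = ORIGINAL_RULES + [FTP_DATA]

# Constructed packets: one web hit plus one active-mode FTP session.
SESSION = {
    "web visitor to port 80":      Packet(OTHER, 40000, SERVER, 80),
    "FTP logon from my computer":  Packet(CLIENT, 40001, SERVER, 21),
    "FTP logon from elsewhere":    Packet(OTHER, 40002, SERVER, 21),
    # Active-mode data channel: the server opens it FROM port 20 back to
    # the client's ephemeral port when the client asks for a listing.
    "directory listing (port 20)": Packet(SERVER, 20, CLIENT, 40003),
}


def evaluate(rules: List[Rule]) -> dict:
    """Map each constructed packet label to the verdict under `rules`."""
    return {label: decide(rules, pkt) for label, pkt in SESSION.items()}


if __name__ == "__main__":
    for title, rules in (("original rules", ORIGINAL_RULES),
                         ("with port-20 rule", FIXED_RULES)):
        print(f"--- {title} ---")
        for label, verdict in evaluate(rules).items():
            print(f"{label:30} {verdict}")
```

Run it and the original rule set permits the logon but blocks the directory listing, while the set with the extra port-20 rule permits both and still rejects an FTP logon from any other address. Note that the port-20 packet only passes because the rule is mirrored: in active mode the data connection is opened by the server from port 20, so it is the swapped (source-port 20) side of the filter that matches it. A passive-mode transfer uses a server-chosen high port instead of port 20, and a rule set like this one would not cover it.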
