Access Denied--Knowing FTP from a Network Perspective

Learn how FTP works from a network perspective.

ITPro Today

December 17, 2001


[Editor's Note: Do you have a security-related question about Windows 2000? Send it to [email protected], and you might see the answer in this column!]

I'm setting up IP Security (IPSec) on my Windows 2000 Server machine with Microsoft Internet Information Services (IIS) 5.0, but I can't get the filters on my FTP port to work. I began by creating a rule that denies access to all ports. Then, I created one rule that allows HTTP access to port 80 from any computer and a second rule that allows FTP access to port 21 from my computer only. The port 80 (HTTP access) rule works well, letting people access my Web site, but the port 21 (FTP access) rule doesn't work. My FTP rule is

Name: Inbound FTP
Filter Action: Permit
Mirror: Yes
Protocol: TCP
Source Port: Any
Dest. Port: 21
Source DNS Name: Any IP Address
Source Address: [My computer's IP address]
Source Mask: 0.0.0.0
Dest. DNS Name: My IP Address
Dest. Address: My IP Address
Dest. Mask: 255.255.255.255

If I can log on with my FTP client from my computer's IP address, why can't I list files on the Web site?

FTP actually uses two ports—port 21 for commands and port 20 for data transfer. You can log on but can't list your files because file listings and file transfers use port 20, which is still blocked. To solve your problem, just add another rule that allows access to port 20. Go to http://www.slacksite.com/other/ftp.html for a good explanation of how FTP works from a network perspective.
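The following model of the filter list is an added example, not part of the original column or any Microsoft tool. It evaluates the control connection and the data connection against the reader's rules before and after the port 20 rule is added, and goes one step beyond the column by also checking a passive-mode data connection. Assumptions: the addresses and client port numbers are constructed, the new rule is mirrored like the original one, and "most specific matching filter wins" is a simplified stand-in for how the filters are selected.

```python
from collections import namedtuple
from dataclasses import dataclass

SERVER, CLIENT = "192.0.2.10", "198.51.100.7"   # constructed documentation addresses
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")

@dataclass(frozen=True)
class Filter:
    name: str
    action: str            # "permit" or "block"
    src_ip: str = "*"      # "*" means any address
    dst_ip: str = "*"
    dst_port: int = 0      # 0 means any port; source port is always Any, as in the column
    mirror: bool = True

    def _hit(self, p):
        return (self.src_ip in ("*", p.src_ip) and self.dst_ip in ("*", p.dst_ip)
                and self.dst_port in (0, p.dst_port))

    def matches(self, p):
        # A mirrored filter also matches the reverse direction of the same flow.
        reverse = Packet(p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        return self._hit(p) or (self.mirror and self._hit(reverse))

    def specificity(self):
        return sum(v not in ("*", 0) for v in (self.src_ip, self.dst_ip, self.dst_port))

def decide(filters, p):
    # Simplified model (assumption): the most specific matching filter wins.
    return max((f for f in filters if f.matches(p)), key=Filter.specificity).action

ORIGINAL = [
    Filter("Block all", "block"),
    Filter("Inbound HTTP", "permit", "*", SERVER, 80),
    Filter("Inbound FTP", "permit", CLIENT, SERVER, 21),
]
FIXED = ORIGINAL + [Filter("Inbound FTP data", "permit", CLIENT, SERVER, 20)]

def ftp_session(filters):
    packets = {
        "control": Packet(CLIENT, 3000, SERVER, 21),          # logon and LIST commands
        "active_data": Packet(SERVER, 20, CLIENT, 3001),      # server opens data channel from port 20
        "passive_data": Packet(CLIENT, 3002, SERVER, 49152),  # client connects to a server-chosen port
    }
    return {name: decide(filters, p) for name, p in packets.items()}

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("with port 20 rule", FIXED)):
        print(label, ftp_session(rules))
```

The mirrored port 20 rule is what admits the server-initiated active-mode data connection; a passive-mode transfer uses a different server port and is still caught by the block-all rule.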
