Comcast Xfinity and Passive FTP
Over a number of months, I experienced a strange problem with one of my hosted websites: I could not log in via FTP. To be more specific, I could connect, but at the point where the directory information is transmitted back to the FTP client, the software would hang.
For the impatient, here is the solution: I had to change the Comcast Xfinity firewall settings. See more detail below.
I could connect to other sites via FTP, so FTP itself was not blocked. It was not a username/password problem. I tried both passive and active FTP modes, and neither worked. I tried different ports and other protocols, and none worked; what I needed was just plain ol’ FTP on the default port.
I contacted Go Daddy first. They assured me there was nothing wrong on their end, and in fact they could connect to my site via FTP just fine. They suggested it was a problem with my router.
That seemed plausible but strange. I had switched to Comcast Xfinity some months before, and that was about the time the connection problems started (but it was a bit of a guess, since the site in question was not one that I used often).
I did some Google searching, and found that Comcast has a history of FTP-related issues. I read through quite a few discussions, some suggesting this or that. With a little more experimenting, I found the source of the issue.
- The problem does NOT occur on Comcast Xfinity routers by default, because by default the router has firewall security turned off. (According to the help on the router's configuration web page, the default ‘Minimum’ security setting means the firewall is off.)
- The problem may not affect all FTP sites. I could connect to another FTP site just fine. But that one used SFTP.
- It may be that only FTP connections that use passive mode are affected. Most of the Comcast-related complaints I read while googling seemed to mention passive FTP.
- The FTP on Go Daddy, at least, is NOT compatible with the ‘Typical Security (Medium)’ setting on Comcast Xfinity’s firewall. In particular, the ‘Peer-to-peer applications’ blocking that is part of the medium security setting is what prevents the passive FTP connection from working. (It can also be enabled as a custom setting.) Note: Setting the firewall to ‘Low’ disables it altogether, which is not recommended. The ‘Custom’ option offers a few preset blocks; I activated all of them except the HTTP and peer-to-peer options.
- It appeared that a possible workaround would be to set up port forwarding. But that seemed like a lot of work (you need to set up a directive for each FTP site that is affected), and even then I wasn’t familiar enough with port forwarding to really know what I was doing. So I didn’t try.
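To make clear why a "peer-to-peer" block catches passive FTP but not the control connection, the following Python example (added here; it is not from the original post, from Comcast or from Go Daddy) decodes the server's passive-mode reply and builds the active-mode PORT command, then summarises each data channel the way a firewall sees it. The IP addresses, ports and replies are constructed sample values, not anything captured from the author's router or hosting account.

```python
import re
from typing import Dict, Tuple, Union

# Constructed sample values (documentation address ranges, not a real session).
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)."
SAMPLE_CLIENT_ADDR = ("198.51.100.7", 52013)

# RFC 959 encodes host and port as six comma-separated decimal bytes.
_SIX_BYTES = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Decode a '227 Entering Passive Mode' reply into the (host, port) the
    client must open a *second, outbound* connection to. Port = p1*256 + p2."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    match = _SIX_BYTES.search(reply)
    if match is None:
        raise ValueError(f"malformed PASV reply: {reply!r}")
    values = [int(v) for v in match.groups()]
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError(f"byte out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = values
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def build_port_command(host: str, port: int) -> str:
    """Build the active-mode PORT command, by which the client tells the server
    which client-side address and port to connect *back* to."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted IPv4 address: {host!r}")
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return f"PORT {','.join(octets)},{port // 256},{port % 256}"


def describe_data_channel(mode: str, detail: Union[str, Tuple[str, int]]) -> Dict[str, object]:
    """Summarise the data channel from a firewall's point of view: who opens it,
    to where, and whether the target is an ephemeral (>= 1024) port that a
    simple rule set cannot tie back to FTP on port 21."""
    if mode == "passive":
        host, port = parse_pasv_reply(detail)          # detail is the 227 reply
        return {"initiator": "client", "peer": (host, port),
                "ephemeral_port": port >= 1024,
                "inbound_to_client_lan": False}
    if mode == "active":
        host, port = detail                             # detail is the client's address
        return {"initiator": "server", "peer": (host, port),
                "ephemeral_port": port >= 1024,
                "inbound_to_client_lan": True,
                "command": build_port_command(host, port)}
    raise ValueError(f"unknown FTP mode: {mode!r}")


if __name__ == "__main__":
    for mode, detail in (("passive", SAMPLE_PASV_REPLY), ("active", SAMPLE_CLIENT_ADDR)):
        print(mode, describe_data_channel(mode, detail))
```

The control connection to port 21 looks like ordinary client traffic, so it passes and the login succeeds; this matches the symptom in the post, where the hang only appears once the directory listing (which travels over the data channel) is requested. In passive mode the client then opens an unrelated-looking outbound connection to a high, server-chosen port (50000 in the sample reply), which is the traffic pattern a generic "peer-to-peer" rule is built to block unless the firewall inspects the FTP control channel to correlate the two. Active mode instead needs an inbound connection to the client's LAN, which a home NAT router drops anyway, so neither mode works behind that setting.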