Is there a standard port for (FTP over) TLS?

I have to set up an FTP server and would like to enable TLS.

I have to configure the firewall as well.

Is there a different standard port for TLS (for FTP it's 21)?

Maybe it's a pair of ports, similarly to standard FTP: 21 + 22, one port for data and one port for protocol negotiation?

Is there a difference if I use "implicit" or "explicit" TLS mode?

Marcus

Marcus Mender

Port 22/tcp is SSH, not FTP. FTP uses port 21/tcp inbound and either port 20/tcp outbound (active mode) or an arbitrary port > 1023/tcp inbound (passive mode).

Anyway, since you want encryption and have to traverse a firewall it would probably be a better approach to dump FTP and use SSH instead.

cu

59cobalt
Ansgar -59cobalt- Wiechers

No.

Active mode FTP data connections normally run over one port below that of the control connection (which indeed is defined by IANA to be 21, making the standard data port 20).

Yes.

And in active mode you know the data port beforehand. But since it is the server connecting (from port 20) to a random port >1024 on the client, and you're encrypting the negotiation, clients won't know which port to open and will very probably disallow this...

In passive mode you don't really know which port the server is going to use; however, you can define a 'port range' it should pick from, and let that through the firewall along with port 21.

Yes. Either you implicitly rely on the server to encrypt the data connection as well, or you explicitly tell it to, or not to, do so.

The latter uses different ports (990 control, and 989 active-mode data, usually); however, this method is basically deprecated.

Menno Duursma
[ FTPS stuff ]

s/latter/former/

(However, this is the 'later', and more widely supported, method, conforming to RFC 4217.)

Menno Duursma

No

Ports are 20 and 21 if you are speaking about active FTP [1].

Yes

Yes, see:

"Implicit FTPS is an older, but still widely implemented style in which the client connects to a different port (usually 990), and an SSL handshake is performed before any FTP commands are sent."

Basically the same decisions regarding firewalling (active and/or passive FTP) apply when using TLS-secured FTP. But in addition, if your firewall is doing NAT as well, there is a rather big chance that FTP connections with TLS security will fail.
Alexander

[1]
formatting link
Alexander Dalloz
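The two TLS styles discussed in the replies above (explicit AUTH TLS on port 21 per RFC 4217 versus implicit TLS on port 990) and the passive-mode/NAT firewall problem, as an added example in Python that is not code from any poster in this thread. It uses only the standard library's ftplib/ssl. The PASV port range 50000-50100, the hostnames and the IP addresses are assumptions chosen for illustration; the server replies at the bottom are constructed, not captured from a real server. The two connection helpers need a live FTPS server and are defined but not called by the demo; the reply parser and the firewall check run offline.

```python
"""Explicit vs. implicit FTPS with ftplib, plus a check of the passive-mode
reply against a firewall's allowed port range and NAT.

Added example for this thread, not code from any poster.  The PASV range
50000-50100, the addresses and the replies below are assumptions.
"""
import ipaddress
import re
import ssl
from ftplib import FTP_TLS

# 227 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 reply (RFC 2428 EPSV): "229 Entering Extended Passive Mode (|||port|)"
EPSV_RE = re.compile(r"229 [^(]*\(\|\|\|(\d+)\|\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (host, port) advertised in a 227 reply; port = p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_epsv(reply: str) -> int:
    """Return the port advertised in a 229 reply (the host is the control host)."""
    m = EPSV_RE.search(reply)
    if not m:
        raise ValueError(f"not an EPSV reply: {reply!r}")
    return int(m.group(1))


def data_channel_problems(control_ip: str, data_ip: str, data_port: int,
                          pasv_min: int, pasv_max: int) -> list[str]:
    """List why a firewalled, TLS-protected passive transfer would fail.

    Once the control channel is encrypted, a NAT device's FTP helper can no
    longer read or rewrite the 227 reply, so the client tries to reach exactly
    the address and port the server wrote into it.
    """
    problems = []
    if not pasv_min <= data_port <= pasv_max:
        problems.append(f"data port {data_port} is outside the firewalled "
                        f"range {pasv_min}-{pasv_max}")
    ctl, dat = ipaddress.ip_address(control_ip), ipaddress.ip_address(data_ip)
    if dat.is_private and not ctl.is_private:
        problems.append(f"server advertised private address {data_ip} behind "
                        "NAT; the encrypted PASV reply cannot be rewritten")
    return problems


def explicit_ftps(host: str, user: str, passwd: str, port: int = 21) -> FTP_TLS:
    """RFC 4217 explicit FTPS: cleartext connect on 21, then AUTH TLS, PBSZ 0, PROT P."""
    ftps = FTP_TLS(context=ssl.create_default_context())  # verifies server cert
    ftps.connect(host, port)      # control channel starts in cleartext
    ftps.auth()                   # AUTH TLS; wraps the control socket
    ftps.login(user, passwd)      # credentials now travel encrypted
    ftps.prot_p()                 # PBSZ 0 + PROT P: data channel is TLS as well
    return ftps


class ImplicitFTPS(FTP_TLS):
    """Implicit FTPS (port 990): TLS handshake before any FTP command.

    ftplib has no implicit mode, so the control socket is wrapped the moment
    connect() assigns it; data connections are still protected via prot_p().
    """
    _sock = None

    @property
    def sock(self):
        return self._sock

    @sock.setter
    def sock(self, value):
        if value is not None and not isinstance(value, ssl.SSLSocket):
            value = self.context.wrap_socket(value, server_hostname=self.host)
        self._sock = value


def implicit_ftps(host: str, user: str, passwd: str, port: int = 990) -> FTP_TLS:
    """Implicit FTPS: TLS is negotiated inside connect(); no AUTH TLS is sent."""
    ftps = ImplicitFTPS(context=ssl.create_default_context())
    ftps.connect(host, port)
    ftps.login(user, passwd)      # socket is already TLS, so no AUTH command
    ftps.prot_p()
    return ftps


if __name__ == "__main__":
    # Constructed replies (assumed addresses; nothing here is a real capture).
    pasv_min, pasv_max = 50000, 50100
    for ctl_ip, reply in [("93.184.216.34", "227 Entering Passive Mode (93,184,216,34,195,122)."),
                          ("93.184.216.34", "227 Entering Passive Mode (192,168,1,10,195,80).")]:
        host, port = parse_pasv(reply)
        print(reply, "->", host, port,
              data_channel_problems(ctl_ip, host, port, pasv_min, pasv_max) or "ok")
```

The NAT case is the one Alexander warns about: with a cleartext control channel the firewall's FTP helper rewrites the private address in the 227 reply and opens the data port on the fly; with TLS it sees only ciphertext, so the server must be configured to advertise its public address and to pick passive ports from a range that the firewall opens statically.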
