|• Technology •|
— FTP (A & P) —
The File Transfer Protocol (FTP; RFC 959), Active and Passive
There is an active and a passive variant of this protocol. Active and Passive as seen from the daemon — or the server. Using the webbrowser to ftp into a site usually employs the passive mode while a dedicated ftp client works in active mode; an option to toggle to passive mode is ususlly available, though. Active mode needs some configuration on the client side firewall while passive mode shoves that problem to the server side.
The red part of the picture shows the active mode, the blue part the passive one.
The client sends a PORT request to the server's command port 21, using any non-privileged (ephemeral) port, i.e. >1023 [n]. The server acknowledges the port and initiates a data connection from its data port 20 to the clients data port, which is 1 higher than the command port it used to make the request [n+1]. The connection is established once the client contacts from its data port the server's data port 20.
The client sends a PASV request to the server's command port 21, using any non-privileged (ephemeral) port, i.e. >1023 [n]. The server replies with the data port number [x] it takes from a pool of ephemeral ports to the client's command port. The client initiates from its data port, which is 1 higher than the command port used [n+1], to the server's data port [x]. The server than answers on this port to the client's data port and thus establishes the connection.
Using a web browser, the ftp site can be directly accessed using this type of URI: ftp://username:firstname.lastname@example.org.
Problems with FTP
Because ftp uses two ports, it is difficult to tunnel it over the secure shell protocol SSH port 22.
Because the client, in active mode, sends a request to port 21 and than gets replies from another port (20), the firewall at the client side might block the traffic from port 20. This is not a problem in passive mode because the client sends a request to port 21 and the server's data port. The server always answers on a port the client requested something from (21, x).
Setting up a firewall on the server side poses a problem because so many data ports must be left open (1024 - 65535) in the passive mode. The server can be configured to only choose from a small range of ports, e.g. 1951 - 2000 and thus reducing the number of potentially open ports to 50.
© 2004 - 2017 by Horo Wernli.