Active FTP Mode and Passive FTP Mode

Source: Internet
Author: User
FTP uses two ports: 21 (the command port) and 20 (the data port). However, the data port is not always 20 for FTP operations. This is the biggest difference between active and passive FTP.
(1) Active FTP
Active FTP works like this: the client connects from an arbitrary non-privileged port n (n > 1024) to the command port of the FTP server, that is, port 21. The client then starts listening on port n + 1 and sends the FTP command "PORT n + 1" to the FTP server. The server then connects from its own data port (20) to the data port (n + 1) specified by the client.
For a firewall in front of the FTP server, you must allow the following communication to support active FTP:

1. Any port greater than 1024 to port 21 of the FTP server (the client initiates the connection)
2. Port 21 of the FTP server to any port greater than 1024 (the server responds to the client's control port)
3. Port 20 of the FTP server to any port greater than 1024 (the server initiates the data connection to the client's data port)
4. Any port greater than 1024 to port 20 of the FTP server (the client sends ACK responses to the server's data port)

(2) Passive FTP
To solve the problem of the server initiating a connection to the client, a different FTP connection method was developed. This is the so-called passive mode, or PASV, which is enabled only when the client notifies the server that it is in passive mode.

In passive FTP mode, both the command connection and the data connection are initiated by the client, which solves the problem of the firewall filtering out the inbound connection from the server to the client's data port.

When an FTP connection is opened, the client opens two arbitrary non-privileged local ports (n > 1024 and n + 1). The first port connects to port 21 of the server, but unlike in active FTP, the client does not send the PORT command and let the server connect back to its data port. Instead, it sends the PASV command. As a result, the server opens an arbitrary non-privileged port (P > 1024) and sends the "PORT P" command to the client. The client then initiates a connection from its local port n + 1 to port P on the server to transfer data.
For the server-side firewall, the following communication must be allowed to support passive FTP:

1. From any port greater than 1024 to port 21 on the server (the client initiates the connection)
2. Port 21 of the server to any port greater than 1024 (the server responds to the client's control port)
3. From any port greater than 1024 to any port greater than 1024 on the server (the client initiates the data connection to the port specified by the server)
4. Any port greater than 1024 on the server to a remote port greater than 1024 (the server sends ACK responses and data to the client's data port)

The preceding explanations of active and passive FTP can be summarized as follows:

1. Active FTP:
Command connection: client port > 1024 -> server port 21
Data connection: client port > 1024 <- server port 20

2. Passive FTP:
Command connection: client port > 1024 -> server port 21
Data connection: client port > 1024 -> server port > 1024
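
The following is an added example, not code from the original page: it walks a constructed control-channel transcript and derives, for the active and passive modes described above, which side initiates each data connection and to which port, which is what a firewall has to permit. It assumes the RFC 959 host-port encoding `h1,h2,h3,h4,p1,p2` (port = p1*256 + p2) and that the server announces port P in its `227` reply to PASV; the function names and sample addresses are hypothetical.

```python
import re

# RFC 959 host-port field: h1,h2,h3,h4,p1,p2 (assumed; not spelled out on the page)
HOSTPORT = re.compile(r"\b" + ",".join([r"(\d{1,3})"] * 6) + r"\b")

def parse_hostport(text):
    """Return (ip, port) from 'h1,h2,h3,h4,p1,p2'; port = p1*256 + p2."""
    m = HOSTPORT.search(text)
    if not m:
        raise ValueError("no host-port field in %r" % text)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % text)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_flows(control_lines):
    """List the data connections a firewall must permit for a transcript.
    Each entry of control_lines is (sender, text) with sender 'C' or 'S'."""
    flows = []
    pasv_pending = False
    for sender, text in control_lines:
        verb = text.split(" ", 1)[0].upper()
        if sender == "C" and verb == "PORT":
            # Active: the server dials out from port 20 to the client's listener.
            flows.append({"mode": "active", "initiator": "server",
                          "src_port": 20, "dst": parse_hostport(text)})
        elif sender == "C" and verb == "PASV":
            pasv_pending = True
        elif sender == "S" and verb == "227" and pasv_pending:
            # Passive: the client dials in to the port P the server opened.
            # The client's source port is not visible on the control channel.
            flows.append({"mode": "passive", "initiator": "client",
                          "src_port": None, "dst": parse_hostport(text)})
            pasv_pending = False
    return flows

# Constructed transcript using documentation addresses (not from the page).
SAMPLE = [
    ("C", "PORT 192,0,2,10,195,81"),   # client listens on 195*256+81 = 50001
    ("S", "200 PORT command successful"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,5,234,96)"),  # P = 60000
]

if __name__ == "__main__":
    for f in data_flows(SAMPLE):
        print(f)
```

A `227` reply that was not preceded by a PASV from the client is ignored, so an unsolicited reply does not produce a flow to allow.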
(3) Advantages and Disadvantages of active and passive ftp:

Active FTP is advantageous for FTP server management but unfavorable for client management: the FTP server tries to establish a connection to a random high port on the client, and that port is probably blocked by the client's firewall. Passive FTP is advantageous for FTP client management but unfavorable for server management: the client needs to establish two connections to the server, one of them to a random high port, and that port may be blocked by the server's firewall.
