File Transfer Protocol (FTP)
FTP functions on a client-server model. The server hosts the files to be shared and the client provides the interface to access, download, or upload files to the file server.
The computers transferring the files can be on the same network as the FTP server or outside it (over the Internet). FTP uses two separate TCP connections: one for commands (the control connection, on server port 21) and one for the data itself.
FTP can run in two modes: active and passive. And, it uses two channels between the client and server: the command channel and the data channel. The command channel is for sending the commands and responses, and the data channel is for sending the actual data.
As for the active and passive modes: in active mode, the client opens the command channel, and the server opens the data channel back to the client (from its port 20 to a client port announced with the PORT command). In passive mode, both the command and data channels are opened by the client.
Most organizations prefer passive mode. In this mode, the client initiates both channels; therefore, the organization has less or no alterations to make on the client firewall. The connection is from the client to the server, and the data will be return traffic to the client.
Overall, organizations can let their users (clients) connect to FTP servers without opening any inbound ports on the client side. This only concerns which side opens connections; plain FTP still sends credentials and file contents in cleartext, so confidentiality needs FTPS or another encrypted transfer protocol.
Setting up FTP in passive mode
First, the client opens the command channel to the FTP server on port 21. The client also uses two random, unprivileged ports on its own side (typically ports greater than 1023).
We'll call the first port P and the second port P+1. The client connects from port P to server port 21 and sends the PASV command over that connection.
The server then opens a listening socket on another unprivileged port Q (any port greater than 1023) and announces it in the reply to PASV, which has the form "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", where h1-h4 are the server's IP address and the port is p1*256 + p2. The client now connects from port P+1 to port Q on the server, and the data transfer runs over that second connection.
- The client contacts the server on port 21 and sends the PASV command.
- The server replies on the command channel, naming port 2000 (encoded as p1=7, p2=208) as the port it is listening on for the data connection.
- The client initiates the connection from port 1025 to port 2000 (on the server).
- The server accepts the connection (the TCP handshake completes with its acknowledgment), and the data is transferred over it.
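The exchange above, as an added example that is not part of the original text: a client-side parser for the 227 reply (including the port arithmetic and two sanity checks a client should make), a matching formatter for the server side, and a small two-thread demo on 127.0.0.1 in which a toy server answers PASV, opens an ephemeral data port, and the client connects to it. The toy server, the helper names, and the payload are all constructed for this illustration; real clients and servers implement much more than shown here.

```python
import re
import socket
import threading
from typing import Optional, Tuple

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"227[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply: str, control_peer_ip: Optional[str] = None) -> Tuple[str, int]:
    """Return (host, port) announced by a PASV reply.

    If control_peer_ip is given, the advertised address is ignored and the
    address of the control connection is used instead. Several real clients do
    this by default so that a reply cannot steer the data connection to some
    third host (assumed hardening, not required by the protocol).
    """
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("field out of range in PASV reply")
    port = p1 * 256 + p2
    if port <= 1023:
        # the server is supposed to announce an unprivileged port
        raise ValueError("server advertised privileged data port %d" % port)
    host = "%d.%d.%d.%d" % (h1, h2, h3, h4)
    if control_peer_ip is not None:
        host = control_peer_ip
    return host, port


def format_pasv_reply(ip: str, port: int) -> str:
    """Server side: encode the data port into the 227 reply."""
    octets = ip.split(".")
    if len(octets) != 4 or not 1024 <= port <= 65535:
        raise ValueError("bad address or port")
    return "227 Entering Passive Mode (%s,%d,%d).\r\n" % (
        ",".join(octets), port // 256, port % 256)


def toy_passive_server(control_srv: socket.socket, payload: bytes) -> None:
    """Constructed toy server: accept one control connection, handle PASV, push payload."""
    conn, _ = control_srv.accept()
    with conn:
        conn.sendall(b"220 toy FTP ready\r\n")
        line = conn.recv(1024)
        if not line.upper().startswith(b"PASV"):
            conn.sendall(b"500 expected PASV\r\n")
            return
        data_srv = socket.socket()
        data_srv.bind(("127.0.0.1", 0))          # kernel picks an ephemeral port (> 1023)
        data_srv.listen(1)
        host, port = data_srv.getsockname()
        conn.sendall(format_pasv_reply(host, port).encode())
        data_conn, _ = data_srv.accept()         # client connects to port Q
        with data_conn:
            data_conn.sendall(payload)
        data_srv.close()
        conn.sendall(b"226 Transfer complete\r\n")


def passive_client(control_addr: Tuple[str, int]) -> bytes:
    """Client side of the passive exchange; returns the bytes received on the data channel."""
    chunks = []
    with socket.create_connection(control_addr) as ctl:
        ctl.recv(1024)                           # banner
        ctl.sendall(b"PASV\r\n")
        reply = ctl.recv(1024).decode()
        host, port = parse_pasv_reply(reply, control_peer_ip=ctl.getpeername()[0])
        with socket.create_connection((host, port)) as data:
            while True:
                chunk = data.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        ctl.recv(1024)                           # 226
    return b"".join(chunks)


def run_passive_demo(payload: bytes = b"constructed sample payload\n") -> bytes:
    """Run server and client locally and return what the client received."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    t = threading.Thread(target=toy_passive_server, args=(srv, payload), daemon=True)
    t.start()
    try:
        return passive_client(srv.getsockname())
    finally:
        t.join(timeout=5)
        srv.close()


if __name__ == "__main__":
    print(parse_pasv_reply("227 Entering Passive Mode (192,168,1,10,7,208)."))
    print(run_passive_demo())
```

The reply the page's bullet list describes encodes port 2000 as (7,208): 7*256 + 208 = 2000. Note that in the demo both connections are opened by the client, which is exactly why passive mode needs no inbound rule on the client firewall.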
Opening up channels on FTP client and server
Commands and data from the client must be able to reach the FTP server. Make sure outbound connections from the client to the FTP server are allowed.
Port 21 on the server should be open, as that is the port that receives the PASV command. The server's reply to PASV comes back over that same connection, so nothing extra is needed for it. The data port, however, is one the server picks at random from the unprivileged range (greater than 1023), so the server firewall must allow inbound connections to whichever ports the server may advertise. Rather than opening the whole range, restrict the server to a fixed passive port range (for example vsftpd's pasv_min_port and pasv_max_port, or ProFTPD's PassivePorts) and open only that range; any NAT or firewall in front of the server also has to rewrite or allow the address and ports in the 227 reply.