Title: RE: PASV FTP description

I don't understand FTP as well as some on this list, but I can outline the basics.

21 is always the control channel (for some definition of 'always')

In regular FTP, the client connects (via the control channel) and when it wants to build a data connection says "connect back to me on PORT 12345", which the FTP server then does. If you're behind a firewall, the firewall needs to expect to see this data initiated from the OUTSIDE - which is why we need stateful firewalls to parse active FTP. The only alternative is to open up connections from anyone using port 20 to any port in our network over 1023, which sucks.

In passive FTP, instead of saying "connect back to me on..." the client says "OK, can I have a port to connect to _you_ on so you can give me the data?", which the FTP server gives it, and the connection then goes OUT from the client to the server. Any client firewall that allows arbitrary outbound connections will be able to cope with this.

As a note, you then need a stateful firewall at the server end - the server's firewall has to read the PASV command to know what to open, for similar reasons.

Cheers,

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 01, 2001 10:13 AM
> To: '[EMAIL PROTECTED]'
> Subject: PASV FTP description
>
>
> Can anyone briefly describe the difference between PASV ftp
> vs. non-PASV
> (regular? active?) with regards to how the ports get assigned?
>
> What considerations on firewalls (any brand) need to made when
> distinguishing between the two?
>
> The way I understand regular FTP, the client connects to
> server on port 21
> then the server connects back to client on 20 with the data.
> Is this correct
> and how is PASV different?
>
> -erik
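The two exchanges described in the reply above, worked through as an added example (this is not code from the original post or from any FTP product). A stateful firewall has to read the client's `PORT h1,h2,h3,h4,p1,p2` command in active mode and the server's `227 ... (h1,h2,h3,h4,p1,p2)` reply in passive mode, decode the six decimal byte fields (port = p1*256 + p2), and open exactly the one data connection that should follow. The addresses, the sample control-channel lines and the two sanity checks (the advertised port must be above 1023, and the advertised host must match the peer already on the control connection) are assumptions made here for illustration:

```python
import re
from dataclasses import dataclass

# Constructed endpoint addresses for the worked example (assumed, not from the post).
CLIENT_IP = "192.168.1.10"
SERVER_IP = "203.0.113.5"

# PORT h1,h2,h3,h4,p1,p2   -> client tells server where to connect back (active)
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2) -> server tells client where to connect (passive)
_PASV_RE = re.compile(r"^227\b.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode(fields):
    """Turn six decimal byte fields into (host, port); the port is p1*256 + p2."""
    octets = [int(f) for f in fields]
    if any(o > 255 for o in octets):
        raise ValueError("byte field out of range in h1,h2,h3,h4,p1,p2")
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return host, port


def parse_port_command(line):
    """Decode a client PORT command, e.g. 'PORT 192,168,1,10,48,57' -> ('192.168.1.10', 12345)."""
    m = _PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command")
    return _decode(m.groups())


def parse_pasv_reply(line):
    """Decode a server 227 reply, e.g. '227 Entering Passive Mode (203,0,113,5,195,80)' -> ('203.0.113.5', 50000)."""
    m = _PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    return _decode(m.groups())


@dataclass(frozen=True)
class DataFlow:
    """The single data connection a stateful firewall should expect after a control-channel line."""
    src_host: str      # who opens the data connection
    dst_host: str      # where it goes
    dst_port: int
    initiated_by: str  # "server" (active) or "client" (passive)


def expected_data_flow(control_line, client_ip, server_ip):
    """Inspect one control-channel line as a stateful firewall would.

    Returns the DataFlow to pin-hole, None for lines that announce no data
    connection, or raises ValueError when the announcement should not be honoured.
    The host-matching and port-range checks are assumptions of this example.
    """
    if control_line.upper().startswith("PORT"):
        host, port = parse_port_command(control_line)
        if host != client_ip:
            raise ValueError(f"PORT names {host}, but the control connection is from {client_ip}")
        if port <= 1023:
            raise ValueError(f"PORT asks the server to connect to privileged port {port}")
        # Active mode: the SERVER initiates, inbound to the client's chosen port.
        return DataFlow(src_host=server_ip, dst_host=host, dst_port=port, initiated_by="server")
    if control_line.startswith("227"):
        host, port = parse_pasv_reply(control_line)
        if host != server_ip:
            raise ValueError(f"227 reply names {host}, but the control connection is to {server_ip}")
        if port <= 1023:
            raise ValueError(f"227 reply offers privileged port {port}")
        # Passive mode: the CLIENT initiates, outbound to the server's chosen port.
        return DataFlow(src_host=client_ip, dst_host=host, dst_port=port, initiated_by="client")
    return None  # USER, PASS, LIST, RETR ... carry no data-connection announcement


if __name__ == "__main__":
    # Constructed control-channel fragments: one active transfer, one passive transfer.
    transcript = [
        "USER anonymous",
        "PORT 192,168,1,10,48,57",                       # active: 48*256+57 = 12345
        "227 Entering Passive Mode (203,0,113,5,195,80)",  # passive: 195*256+80 = 50000
        "PORT 10,0,0,99,48,57",                          # host does not match the client
    ]
    for line in transcript:
        try:
            print(f"{line!r:55} -> {expected_data_flow(line, CLIENT_IP, SERVER_IP)}")
        except ValueError as exc:
            print(f"{line!r:55} -> REJECT: {exc}")
```

In active mode the expected flow arrives from the outside (server to client), which is the case a plain port-based rule set cannot express without opening everything above 1023; in passive mode it leaves from the client, so an "allow outbound" policy already covers it, while the server's firewall is the one that must read the 227 reply. Note that a server behind NAT may put its private address in the 227 reply; a firewall doing address translation then has to rewrite that field as well as open the pinhole, which this example does not attempt.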
 
