FTP Server
Restricted access through firewall: From image version "CX8100_WEC7_LF_v604h_TC31_B4022.20", the firewall for the CX8191 is enabled by default. This means that a passive FTP connection (as used by Microsoft, for example) cannot be established. We therefore recommend using active FTP access. Enter TCP ports 20 and 21 in the firewall.
The File Transfer Protocol (FTP) communicates exclusively over TCP connections. FTP specifies two TCP ports that are important for data transmission:
- Port 20/tcp: This port is also referred to as the data port and is used to send/receive files and directory lists.
- Port 21/tcp: This port is generally referred to as the command port and is used to exchange status information between client and server.
Separate TCP connections are used for sending and receiving files (data port) and for transmitting commands (command port). With FTP, two connection modes are available for setting up these connections: “Active FTP” and “Passive FTP”. Depending on the connection mode, the connections on the two ports mentioned above are initiated differently, as described in more detail below.
Active FTP
With active FTP, the client connects to the command port of the FTP server. The client uses a random port N, e.g. 4242/tcp, as source port. The client then listens on port N+1 and communicates this port to the server. The server then connects to the client on port N+1 and uses its data port as the source port.

A problem with active FTP is that the client itself does not establish a connection to the server’s data port and instead communicates a port (N+1) to the server, which then connects to the client via its data port. If firewalls or NAT devices are located upstream of the client, this may require additional configuration work on the client side, since the client's data port behind the firewall must be accessible to the server (see figure “Connect 4243”).
Passive FTP
This method is used when the client cannot be accessed directly by the server. This is the case, for example, if the client is behind a firewall that uses NAT to rewrite the client’s address. With passive FTP, the FTP client initiates a connection via two random TCP ports, N (command port) and N+1 (data port). The first port is used to connect to the server’s command port. However, instead of the client communicating its port N+1 to the server so that the server can open a connection to it (see active FTP), the client transmits a PASV command first. The server now knows that this connection is via passive FTP. As a result, the server opens a (random) port P as data port and transmits it to the client. The client then initiates a connection with port P and uses port N+1 (data port) as the source port. This connection is then used to transfer the data.

On closer examination, we can see that the firewall problem of active FTP is reversed with passive FTP. On the server side, the firewall should be configured so that the data port of the server can be reached by the client. Many FTP servers offer the option to configure the data ports that are going to be used. This option is not available with Windows CE or WEC7.
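The following added example (not part of the original documentation or vendor code) reads the control-channel line that announces the data endpoint in each mode and checks whether the data connection can pass a server firewall that only has TCP ports 20 and 21 entered. The `h1,h2,h3,h4,p1,p2` encoding comes from RFC 959 rather than from this page; the addresses are constructed, and the firewall is assumed to filter inbound connections only.

```python
import re
from dataclasses import dataclass

# RFC 959 encodes an endpoint as six decimal bytes: h1,h2,h3,h4,p1,p2
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

@dataclass
class DataPlan:
    mode: str      # "active" or "passive"
    listener: str  # side that listens for the data connection
    host: str      # address the other side connects to
    port: int      # N+1 (active) or P (passive)

def decode_hostport(text):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port); port = p1 * 256 + p2."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of byte range in %r" % text)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def plan_from_control_line(line):
    """Return the data-connection plan a control-channel line announces, or None."""
    line = line.strip()
    if line.upper().startswith("PORT "):  # client -> server: active FTP
        return DataPlan("active", "client", *decode_hostport(line[5:]))
    if line.startswith("227 "):           # server -> client: reply to PASV
        return DataPlan("passive", "server", *decode_hostport(line[4:]))
    return None

def passes_server_firewall(plan, inbound_open=frozenset({20, 21})):
    """Assumption: the server firewall filters inbound connections only."""
    if plan.listener == "client":
        return True  # server dials out from its data port 20
    return plan.port in inbound_open  # client must reach random port P

# Constructed control-channel lines (addresses are sample values)
ACTIVE_LINE = "PORT 192,168,1,10,16,147"  # client listens on N+1 = 4243
PASSIVE_LINE = "227 Entering Passive Mode (192,168,1,20,195,80)"

if __name__ == "__main__":
    for line in (ACTIVE_LINE, PASSIVE_LINE):
        p = plan_from_control_line(line)
        print(p, "-> data connection possible:", passes_server_firewall(p))
```

With only ports 20 and 21 entered, the active plan succeeds and the passive plan fails because port P is random and cannot be pinned on Windows CE or WEC7.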