FTP Server
Note: Restricted access through the firewall. From image version "CX8100_WEC7_LF_v604h_TC31_B4022.20" the firewall of the CX7000 is enabled by default. As a result, a passive FTP connection (as used by Microsoft clients, for example) cannot be established. We therefore recommend using active FTP. Open TCP ports 20 and 21 in the firewall.
The File Transfer Protocol (FTP) runs exclusively over TCP connections. FTP specifies two TCP ports that matter for data transfer:
- Port 20/tcp: This port is also referred to as data port and is used to send/receive files and directory lists.
- Port 21/tcp: This port is generally referred to as command port and is used to exchange status information between the client and server.
Separate TCP connections are used for sending and receiving files (data connection) and for transmitting commands (command connection). FTP offers two modes for setting up the data connection: "Active FTP" and "Passive FTP". Depending on the mode, the data connection is initiated by a different side and on different ports, as described below.
Active FTP
With active FTP, the client connects to the command port (21/tcp) of the FTP server, using a random port N above 1023, e.g. 4242/tcp, as source port. The client then listens on port N+1 (4243/tcp in the example) and tells the server this port with the PORT command. The server then opens the data connection from its data port (20/tcp) to the client's port N+1.
The drawback of active FTP is that the client does not establish the data connection itself; instead it announces a port (N+1) to which the server connects from its data port. Firewalls or NAT devices in front of the client must therefore allow an inbound connection from the server to that client port, which may require additional configuration on the client side (see figure "Connect 4243").
Passive FTP
This mode is used when the server cannot reach the client directly, for example because the client sits behind a firewall that uses NAT to rewrite the client's address. With passive FTP, the client again uses two random TCP ports N (command) and N+1 (data). Port N is used to connect to the server's command port. However, instead of announcing port N+1 so that the server can connect to it (as in active FTP), the client first sends the PASV command. The server now knows that passive FTP is requested, opens a (random) port P as data port and announces P in its reply. The client then connects to port P, using port N+1 as source port, and this connection is used to transfer the data.
On closer inspection, passive FTP simply reverses the firewall problem of active FTP: the server-side firewall must now allow inbound connections from the client to the server's data port P. Because P is chosen at random, many FTP servers allow the range of passive data ports to be restricted, so that only that range needs to be opened in the firewall.
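The two exchanges described above for active and passive FTP, as an added example (not Beckhoff's code): the RFC 959 wire format of the PORT command the client sends in active mode and of the 227 reply the server returns to PASV, plus a small ftplib client that switches between the two modes. The addresses, ports and credentials are constructed for illustration.

```python
"""Active vs. passive FTP as seen on the command connection (added example).

RFC 959 encodes an IPv4 address and a 16-bit port as six decimal octets
h1,h2,h3,h4,p1,p2 with port = p1 * 256 + p2. Active FTP: the client sends
"PORT ..." for its port N+1. Passive FTP: the server answers PASV with
"227 ... (h1,h2,h3,h4,p1,p2)" for its data port P.
"""
import re
from ftplib import FTP
from typing import Optional, Tuple

_HOSTPORT_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def build_port_command(ip: str, port: int) -> str:
    """Active FTP: build the PORT command announcing the client's listening port."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return f"PORT {','.join(octets)},{port // 256},{port % 256}"


def parse_pasv_reply(reply: str, control_peer: Optional[str] = None) -> Tuple[str, int]:
    """Passive FTP: decode the server's 227 reply into (ip, port P).

    If control_peer (the address the command connection is actually talking to)
    is given and differs from the announced address, the announced one is
    ignored: a server behind NAT often advertises its private address.
    """
    if not reply.startswith("227"):
        raise ValueError(f"unexpected reply to PASV: {reply!r}")
    m = _HOSTPORT_RE.search(reply)
    if m is None:
        raise ValueError(f"no host/port in reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range in reply: {reply!r}")
    announced = f"{h1}.{h2}.{h3}.{h4}"
    ip = control_peer if control_peer and control_peer != announced else announced
    return ip, p1 * 256 + p2


def list_directory(host: str, user: str, password: str, passive: bool) -> list:
    """Log in and list the working directory in the requested mode.

    passive=False selects active FTP: ftplib listens on a local port and sends
    PORT, so the server (from 20/tcp) must be able to connect back through any
    client-side firewall. Hypothetical host/credentials; not run by the test.
    """
    with FTP(host, timeout=10) as ftp:
        ftp.login(user, password)
        ftp.set_pasv(passive)
        return ftp.nlst()


if __name__ == "__main__":
    # Constructed sample values: client 192.168.1.20 listening on N+1 = 4243.
    print(build_port_command("192.168.1.20", 4243))
    # Constructed sample reply: server data port P = 39*256 + 16 = 10000.
    print(parse_pasv_reply("227 Entering Passive Mode (192,168,1,10,39,16)."))
```

Note that plain FTP sends credentials and data in cleartext; where the device supports it, prefer `ftplib.FTP_TLS` (or SFTP over SSH) on networks that are not fully trusted.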