FTP is commonly used to transfer files between computers on the Internet. FTP has two modes of operation, active and passive, and both use two TCP connections for an FTP transaction: a control connection, which carries commands and replies, and a data connection, which carries the file or directory listing being transferred.
In both modes the client initiates the control connection to the server. The modes differ in who opens the data connection: with active FTP the server initiates the data connection back to the client, whereas with passive FTP the client also initiates the data connection after the control connection is established. This difference is what matters to a firewall or NAT device in the path, because in active mode an inbound connection must be accepted on the client side, and in passive mode the device in front of the server must permit a connection to a port the server chooses dynamically.
Figure 8-13 illustrates active-FTP.
Figure 8-13. Active-FTP
As you can see from Figure 8-13, the client initiates the control connection, performs the authentication, and sends the command PORT 10,1,10,1,19,137 to the server. The first four numbers in the PORT argument are the octets of the IP address the server should connect to (that is, 10.1.10.1). The last two numbers encode the TCP port: the server multiplies the fifth number by 256 and adds the sixth (that is, 19 * 256 + 137 = 5001). The server then initiates the data connection to 10.1.10.1 on TCP port 5001, using the reserved active-FTP data source port 20.
With passive FTP, the client initiates the control connection and issues the PASV command to the server. The server responds with a 227 reply such as "227 Entering Passive Mode (192,168,10,1,98,16)," listing its own IP address and the port on which it is now listening. The client decodes the fifth and sixth numbers in the same manner as before to determine the TCP port it should use for the data connection (that is, 98 * 256 + 16 = 25104). The client then opens the FTP data connection to 192.168.10.1 on TCP port 25104. Notice that in passive FTP neither side uses the reserved TCP port 20: the server listens on the ephemeral port it advertised, and the client connects from an ephemeral source port of its own. Figure 8-14 illustrates passive FTP.
Figure 8-14. Passive-FTP
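The PORT and 227 parsing described for active and passive FTP above, as an added worked example that is not code from the book: it decodes and encodes the six-number h1,h2,h3,h4,p1,p2 tuple and then derives, for each control-channel line, the data connection that a stateful firewall would have to permit. The helper names, the sample control-channel lines, and the check that the advertised address matches the peer that advertised it are this example's own assumptions; the addresses and ports are the ones from Figures 8-13 and 8-14.

```python
import re

# The PORT argument and the 227 reply carry the same six-number tuple:
# h1,h2,h3,h4 are the IPv4 octets and the TCP port is p1 * 256 + p2.
_TUPLE_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

FTP_DATA_PORT = 20  # source port the server uses for an active-mode data connection


def decode_hostport(text):
    """Return (ip, port) from a PORT argument or a '227 Entering Passive Mode' reply."""
    m = _TUPLE_RE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):          # each field is a single byte
        raise ValueError("value above 255 in %r" % text)
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return ip, port


def encode_hostport(ip, port):
    """Inverse of decode_hostport: build the h1,h2,h3,h4,p1,p2 tuple for an IPv4 address and port."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("bad IPv4 address %r" % ip)
    if not 0 < port <= 65535:
        raise ValueError("bad TCP port %r" % port)
    return ",".join(octets + [str(port // 256), str(port % 256)])


def data_connection(client_ip, server_ip, control_line):
    """Describe the data connection that a control-channel line commits the peers to.

    client_ip and server_ip are the endpoints of the control connection.  The
    result is the pinhole a stateful firewall would have to open: direction,
    source/destination IP, source port (None means ephemeral) and destination port.
    """
    if control_line.startswith("PORT "):        # active mode: the client advertises
        ip, port = decode_hostport(control_line)
        advertiser = client_ip
        flow = {"mode": "active", "src_ip": server_ip, "src_port": FTP_DATA_PORT,
                "dst_ip": ip, "dst_port": port}
    elif control_line.startswith("227 "):       # passive mode: the server advertises
        ip, port = decode_hostport(control_line)
        advertiser = server_ip
        flow = {"mode": "passive", "src_ip": client_ip, "src_port": None,
                "dst_ip": ip, "dst_port": port}
    else:
        raise ValueError("not a PORT command or 227 reply: %r" % control_line)
    # Assumed check: the advertised address must be the peer that advertised it.
    # Otherwise the pinhole would admit a data connection to or from a host that
    # is not party to the control connection at all.
    if ip != advertiser:
        raise ValueError("advertised address %s is not the control peer %s" % (ip, advertiser))
    return flow


def pinholes_for_session(client_ip, server_ip, control_lines):
    """Walk a captured control channel and collect every data connection it opens."""
    return [data_connection(client_ip, server_ip, line)
            for line in control_lines
            if line.startswith("PORT ") or line.startswith("227 ")]


if __name__ == "__main__":
    # Constructed control-channel excerpt, one active and one passive transfer,
    # between the client and server of Figures 8-13 and 8-14.
    capture = [
        "USER anonymous",
        "230 Login successful.",
        "PORT 10,1,10,1,19,137",
        "200 PORT command successful.",
        "PASV",
        "227 Entering Passive Mode (192,168,10,1,98,16).",
    ]
    for flow in pinholes_for_session("10.1.10.1", "192.168.10.1", capture):
        print(flow)
```

A firewall that cannot read the control channel has only two choices: permit inbound connections from source port 20 (active) or every ephemeral port on the server (passive), or break FTP. That is why FTP inspection on firewalls and load balancers parses exactly these two lines, and why the address-match check above is worth keeping in any such parser.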
For information on how to deal with active- and passive-FTP in a Firewall Load Balancing (FWLB) environment, refer to Chapter 11, "Switching Secured Content."