This is several pages combined - clean up to happen later ;-)


FTP Uses Two Ports

FTP clients and servers use two ports: a control port and a data port. The control port is the one you initially connect to and tell what you want to do, such as download file X. The data port is the one used for sending that download, or the results of a directory listing command. Traditionally this is port 21 (control) and 20 (data) on the server, and two high-numbered ports the client picks randomly.

There are Two Ways to Configure the Server

The server is usually categorized as either an "Active - Active" or an "Active - Passive" server. The left side refers to the server, and the right to the client.

Traditional Active - Active

Traditionally, the client initiates a connection to the server, and the server responds by initiating a connection back to the client. Because both sides start a connection, one each, this is called Active - Active.

The problem with Active - Active

All this was laid out before firewalls. Usually, when the server attempts to connect back to the client, the firewall in front of the client will block it (unless it's a very smart firewall - read: expensive). Because of this, we usually change the way the server behaves.

Active - Passive

Instead of connecting back to the client, the FTP server can simply tell the client 'connect back to me on port x' and then wait, passively, for the client to connect a second time.

While the control session is the one we connect to


"...Due to the multiple socket and semi-random port assignment nature of the ftp protocol care must be taken"

Active Mode:

Allow ports 20 and 21

Passive Mode:

Allow port 21, and then use a PassivePorts directive to pin the data ports to a fixed range; that range can then be allowed on the firewall.

ufw entry:

description=ProFTP offers FTPS.
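As an added check, not code from the original page or from the ProFTPD or ufw projects, the script below parses the 227 reply the server sends on the control connection when a client requests passive mode, parses the proftpd.conf PassivePorts directive, confirms the advertised data port falls inside the range the firewall allows, and emits a ufw application profile covering port 21 plus that range. The sample reply, the port range and the profile name are constructed.

```python
from __future__ import annotations
import re

# Constructed sample values (not from the page or a real server): a proftpd.conf
# PassivePorts line, and the 227 reply a server returns after a PASV request.
SAMPLE_DIRECTIVE = "PassivePorts 49152 65534"
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,89)."

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Return (host, port) advertised in a 227 reply; port = p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 passive-mode reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"byte out of range in reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def parse_passive_ports(directive: str) -> tuple[int, int]:
    """Parse 'PassivePorts <min> <max>' from proftpd.conf into (min, max)."""
    parts = directive.split()
    if len(parts) != 3 or parts[0] != "PassivePorts":
        raise ValueError(f"not a PassivePorts directive: {directive!r}")
    low, high = int(parts[1]), int(parts[2])
    if not 1024 <= low <= high <= 65535:
        raise ValueError(f"bad PassivePorts range: {low}-{high}")
    return low, high

def pasv_port_matches_config(reply: str, directive: str) -> bool:
    """True if the data port the server advertised lies inside the configured range."""
    _, port = parse_pasv_reply(reply)
    low, high = parse_passive_ports(directive)
    return low <= port <= high

def ufw_app_profile(low: int, high: int) -> str:
    """Build a ufw application profile (hypothetical name) that allows the control
    port plus the passive data range; install it under /etc/ufw/applications.d/."""
    return (
        "[ProFTPD-passive]\n"
        "title=ProFTPD (passive mode)\n"
        "description=ProFTPD control port plus PassivePorts data range\n"
        f"ports=21,{low}:{high}/tcp\n"
    )
```

A port outside the range means the server's PassivePorts setting and the firewall rule have drifted apart, which shows up to clients as a data connection that hangs after the 227 reply.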