We’ve been dealing with some legacy apps, converted into Docker that still leverage FTP as a file delivery pipeline. Thought this internal tech note might be of interest to others.
h/t @dennis daemonite
FTP uses two connection types: one for commands and another for data. Both Active and Passive FTP use a connection from a client’s random port to the server’s port 21 for commands, however they differ with the data connections.
Data connections are used not only for file transfers, but also directory listings. If you can connect to an FTP server but get no response for any directory listings, you most likely have an active/passive FTP issue.
Active FTP makes data connections from the server’s port 20 to a client’s random port. The client’s port number is assigned by the client within the command connection.
The biggest problem with active FTP is that the type of NAT used in many client firewalls (including many home routers) will prevent the server connecting to the client, because port number that the server sees won’t be mapped to the port the client is actually listening to for the connection. Advanced users can work around this by configuring their FTP client to use a fixed range of ports for the data connection and have their firewall forward those ports to their internal IP address, but everyone else is pretty much screwed.
Passive FTP makes data connections from a client’s random port to a random port on the server. The server’s port number is assigned by the server within the command connection.
Passive FTP solves the client firewall NAT problem, but introduces server firewall problems. Since the server listens to data connections on random port numbers, the server’s firewall will block those connections by default. The FTP server must be configured to use a fixed range of port numbers for data connections, and that range of ports must be opened up for incoming connections on the server’s firewall. Fortunately this only needs to be done once for the server. All users then have to do is tell their FTP client to use passive mode and their data connections should work.
There should be no performance difference between active and passive FTP, since once the data connection is made the same data transfer protocol is used.
Details with diagrams: