Sorting out what 'passive ftp' is
(Because I keep forgetting this and having to straighten it out again in my own head, it's time to write down the difference between regular ftp and passive ftp).
Ftp has to transport two different things: commands (and status responses to them), and the actual ftp data. In a modern protocol, these two things would be multiplexed together over the same TCP connection, but ftp dates from when the Internet was both a much simpler environment and a much more limited one, so it uses separate connections for each job. In particular, it has one command connection and then every time it needs to transfer data it makes a new TCP connection, shoves the data over it, and closes the connection again.
It would be nice to report that modern passive ftp changes this and multiplexes commands and data over the same single TCP connection. Alas, it does not; the only thing that changes in passive ftp is who calls who to create the data TCP connections:
- In regular ('active') ftp, the client listens on a port (that it tells the server about) and the server makes an outgoing connection to that port. This connection is always from port 20 (ftp-data) on the server.
- In passive ftp, the server listens on a port (that it tells the client about) and the client makes an outgoing connection to that port (inbound from the server's point of view). There are no specific port numbers involved on either side, although many ftp servers can restrict the port range they use to make the life of their firewall easier.
Passive ftp is easier for clients that are behind firewalls because they only make outgoing connections to the ftp server. However, the firewall has to either understand the ftp protocol or allow clients to make connections to arbitrary high-numbered ports on outside machines.
Sidebar: the ftp bounce attack
I said that the ftp client told the ftp server what port it was listening on. Actually, that's a bit of a lie; the ftp client tells the server both the port and the IP address that it's listening on.
(So does the server, when it's giving a port to the client.)
You can see what happens next. It used to be that ftp servers were perfectly happy to connect to whatever IP address and port your client told them to and dump things into it. For example, 'port 25 on this IP address here'. This only got worse if the ftp server allowed you to upload files to it that you could then re-'download' to your target.
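As an added example (not from the original post): the client's "port and IP address" announcement is the FTP PORT command, whose argument is encoded as h1,h2,h3,h4,p1,p2 per RFC 959 (port = p1*256 + p2); the same encoding is used in the server's PASV reply. The code below parses that argument and applies the check a server uses to refuse bounce requests: the advertised address must be the control connection's own peer, and the port must not be a privileged one like 25. The sample requests and addresses are constructed.

```python
import ipaddress

def parse_port_argument(arg: str) -> tuple[str, int]:
    """Parse an RFC 959 h1,h2,h3,h4,p1,p2 argument into (dotted-quad, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError(f"expected 6 comma-separated fields, got {len(fields)}")
    try:
        nums = [int(f) for f in fields]
    except ValueError:
        raise ValueError("non-numeric field in PORT argument") from None
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("field out of range 0..255")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def check_port_request(arg: str, control_peer_ip: str) -> tuple[bool, str]:
    """Decide whether a server should honour a PORT command.

    Refuses the two things a bounce relies on: a data address that is not
    the client's own (the control connection's peer) and a privileged port.
    Returns (accepted, reason).
    """
    try:
        host, port = parse_port_argument(arg)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if port == 0:
        return False, "port 0 is not usable"
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer_ip):
        return False, f"data address {host} differs from control peer {control_peer_ip}"
    if port < 1024:
        return False, f"port {port} is privileged; refusing to connect to it"
    return True, f"ok: would connect from port 20 to {host}:{port}"


# Constructed sample requests; the client's control connection comes from 192.0.2.10.
SAMPLES = [
    ("192,0,2,10,195,80", "192.0.2.10"),  # 195*256+80 = 50000 on its own address: accepted
    ("203,0,113,5,0,25", "192.0.2.10"),   # third-party host, port 25: the classic bounce, refused
    ("192,0,2,10,0,25", "192.0.2.10"),    # own address but privileged port: refused
]

if __name__ == "__main__":
    for arg, peer in SAMPLES:
        accepted, reason = check_port_request(arg, peer)
        print(f"PORT {arg:<20} -> {'accept' if accepted else 'reject'}: {reason}")
```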