Sure thing.
Say SERVER is 1.2.3.4.
Say SERVER runs an FTP server on port 21.
Say CLIENT is 5.6.7.8.
In active (PORT) mode, the dialog for a file transfer looks something like this:
+--------+                                              +--------+
| CLIENT |                                              | SERVER |
|        | Makes connection to 1.2.3.4, port 21.        |        |
|        | >------------------------------------------> |        |
|        | This is the control connection.              |        |
|        |                                              |        |
|        | Starts listening on a random port.[*]        |        |
|        |                                              |        |
|        | Sends "PORT 5,6,7,8,45,35"                   |        |
|        | >------------------------------------------> |        |
|        | over the control connection.                 |        |
|        |                                              |        |
|        |     Makes connection to 5.6.7.8, port 11555. |        |
|        | <==========================================< |        |
|        |                 This is the data connection. |        |
|        |                                              |        |
|        | Sends retrieve command ("RETR filename")     |        |
|        | >------------------------------------------> |        |
|        | over the control connection.                 |        |
|        |                                              |        |
|        |                        Sends file "filename" |        |
|        | <==========================================< |        |
|        |                    over the data connection. |        |
|        |                                              |        |
+--------+                                              +--------+
[*] The arguments to PORT are the bytes of the IP address (in decimal) and the bytes of the port to which the server should connect (in decimal), each byte separated by a comma. The port is randomly assigned to allow multiple connections between the two machines. I used port 11555 in the example, where 11555 = 0x2D23, 0x2D = 45, and 0x23 = 35.
Firewalls which are not specifically aware of FTP don't know that the incoming (data) connection shouldn't be blocked, and NAT routers which are not specifically aware of FTP don't know to which machine to forward the incoming (data) connection.
In passive (PASV) mode, the dialog for a file transfer looks something like this:
+--------+                                              +--------+
| CLIENT |                                              | SERVER |
|        | Makes connection to 1.2.3.4, port 21.        |        |
|        | >------------------------------------------> |        |
|        | This is the control connection.              |        |
|        |                                              |        |
|        | Sends "PASV"                                 |        |
|        | >------------------------------------------> |        |
|        | over the control connection.                 |        |
|        |                                              |        |
|        |        Starts listening on a random port.[*] |        |
|        |                                              |        |
|        |     Sends a response with the port num 11555 |        |
|        | <------------------------------------------< |        |
|        |                 over the control connection. |        |
|        |                                              |        |
|        |     Makes connection to 1.2.3.4, port 11555. |        |
|        | >==========================================> |        |
|        |                 This is the data connection. |        |
|        |                                              |        |
|        | Sends retrieve command ("RETR filename")     |        |
|        | >------------------------------------------> |        |
|        | over the control connection.                 |        |
|        |                                              |        |
|        |                        Sends file "filename" |        |
|        | <==========================================< |        |
|        |                    over the data connection. |        |
|        |                                              |        |
+--------+                                              +--------+
In this scenario, the client doesn't need to accept any incoming connection. Many FTP clients now default to passive mode due to the popularity of NAT for home machines.
Notes
FTP's multiple connections have been very troublesome to people configuring firewalls and require firewalls to be aware of FTP specifically (while they don't need to know anything about HTTP, for example). If you have trouble getting a directory listing from an FTP server after supplying your user name and your password, it's probably because of firewall/NAT issues, since directory listings are treated like a file transfer. Try switching between active and passive mode.
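Added example, not part of the answer above: it does the PORT/PASV byte arithmetic from the [*] footnote in both directions and shows the check an FTP-aware firewall or NAT helper has to make before it lets the data connection through. The regexes, function names and the "advertised address must match the sender" policy in data_pinhole are my own choices for illustration, not taken from any particular firewall.

```python
import re

# "h1,h2,h3,h4,p1,p2": four address bytes then two port bytes, all in decimal.
_HOSTPORT_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." -- only the bracketed list is
# used, since the wording around it differs between servers.
_PASV_RE = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")

def decode_hostport(arg):
    """'5,6,7,8,45,35' -> ('5.6.7.8', 45*256 + 35), i.e. ('5.6.7.8', 11555)."""
    m = _HOSTPORT_RE.match(arg.strip())
    if not m:
        raise ValueError("malformed host-port string: %r" % arg)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range: %r" % arg)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def encode_hostport(ip, port):
    """Inverse of decode_hostport: the argument a client sends with PORT."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % ip)
    if not 0 < port < 65536:
        raise ValueError("bad port: %r" % port)
    return ",".join(map(str, octets + [port // 256, port % 256]))

def parse_pasv_response(line):
    """Pull (ip, port) out of the server's 227 reply."""
    m = _PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 reply: %r" % line)
    return decode_hostport(m.group(1))

def data_pinhole(sender_ip, control_line):
    """The job an FTP-aware firewall or NAT has to do: watch the control
    connection for the data endpoint named in PORT (sent by the client) or
    in a 227 reply (sent by the server) and open a pinhole for it.
    Hypothetical policy for this example: open it only when the advertised
    address is the address that sent the line, so a control-channel line
    cannot point the firewall at some third host.  Returns (ip, port) or None."""
    line = control_line.strip()
    if line[:5].upper() == "PORT ":
        ip, port = decode_hostport(line[5:])
    elif line.startswith("227"):
        ip, port = parse_pasv_response(line)
    else:
        return None  # this line does not name a data endpoint
    return (ip, port) if ip == sender_ip else None
```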