
In the active mode, an FTP server uses two ports, 21 for command signals, and 20 for data. In the passive mode in FTP, after the client connects to the server at port 21, the server gives the client a random ephemeral port to connect to for the data connection, on which it starts listening. Why doesn't the server give port 20 (as is usual for active mode) for the data connections?

PS: I have looked at Why does FTP passive mode require a port range as opposed to only one port? but that does not address my specific question.

harishankarv
    The [accepted answer to question you link to](http://serverfault.com/a/270929/168875) actually does not answer the problem. So I've reported my answer there too to address this. That kind of makes this question duplicate. – Martin Prikryl Aug 02 '16 at 07:20

3 Answers


I do not know why the original authors of the FTP specification decided this way. But this decision has advantages with the way the Internet works these days.

If you were to connect to the same port (20) every time, the server would not be able to tell what file you connect for. The port number serves as a link between a transfer request on the control connection and a data connection. Note that there's no "protocol" on the data connection that could be used by the client to tell what it asks for. The port number is the only unique information the server has.

If two clients were to request a transfer at the same time, and the server were accepting data connections on a single port, the server would not be able to tell what file to transfer. Of course, the server could use the client IP for the decision (actually many FTP servers do validate that the client IP matches the IP used on the control connection, for security).

But this would not work for:

  • Multiple connections from the same machine (most FTP clients do support parallel transfers/queues).
  • Connections from different machines within the same (corporate) network, as those have the same external IP.

Neither of the above was probably the reason why the FTP specification introduced a port range, as at the time (1980) corporate networks did not exist and multiple connections from the same machine were probably also unlikely. On the other hand, at that time the port range may have significantly simplified the server implementation.


Related follow-up question: Why does port 20 work for FTP Active Mode?

Martin Prikryl
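The demultiplexing this answer describes, as an added Python model (not the answerer's code and not any real FTP server): each PASV request reserves its own listening port, that port is encoded in the RFC 959 `227` reply, and an arriving data connection is mapped back to its control session by port and then checked against that session's IP. Names such as `PassiveBroker` and `accept_data` are hypothetical.

```python
import random
from dataclasses import dataclass

# Hypothetical model (added example, not the answerer's code and not a real
# FTP server): every PASV request gets its own listening port, so the port an
# incoming data connection arrives on identifies the control session and file.

@dataclass
class ControlSession:
    client_ip: str          # IP the control connection (port 21) came from

@dataclass
class PendingTransfer:
    session: ControlSession
    filename: str

class PassiveBroker:
    def __init__(self, server_ip, port_range=(49152, 65535), seed=0):
        self.server_ip = server_ip
        self.lo, self.hi = port_range
        self.rng = random.Random(seed)   # seeded only to keep the demo repeatable
        self.pending = {}                # listening port -> PendingTransfer

    def pasv(self, session, filename):
        """PASV followed by RETR: reserve a free ephemeral port, build the 227 reply."""
        port = self.rng.randint(self.lo, self.hi)
        while port in self.pending:      # never hand out a port already in use
            port = self.rng.randint(self.lo, self.hi)
        self.pending[port] = PendingTransfer(session, filename)
        h = self.server_ip.replace(".", ",")
        return port, f"227 Entering Passive Mode ({h},{port // 256},{port % 256})"

    def accept_data(self, port, peer_ip):
        """Data connection arrived on `port`: look up the transfer by port, then
        require the peer to be the same IP as the control connection."""
        transfer = self.pending.get(port)
        if transfer is None or transfer.session.client_ip != peer_ip:
            return None                  # unknown port or wrong client: refuse
        del self.pending[port]
        return transfer.filename

def parse_227(reply):
    """Client side: recover (ip, port) from the server's 227 reply."""
    inside = reply[reply.index("(") + 1:reply.index(")")]
    h1, h2, h3, h4, p1, p2 = (int(x) for x in inside.split(","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
```

Two clients behind the same NAT share one external IP, so the IP alone cannot tell their transfers apart; call `pasv()` twice with the same `client_ip` and it is the two distinct ports that keep the transfers separate.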

As there is no session concept in FTP, using a single port, let's say 20, would introduce an ambiguity when multiple clients are connected, as the server can't match a client to a file. To overcome this limitation, there is a dedicated port for each transfer. IOW, each port is a unique identifier of a transfer.

kofemann

In active mode, the FTP server doesn't 'give' port 20 to the client. It initiates a connection from port 20 to the client. This incoming (from the client's firewall perspective) connection will be blocked by the majority of modern firewalls. Besides that, it is quite tricky to make active mode work through NAT. Passive mode is free of all these drawbacks, because in passive mode the FTP server doesn't initiate any connections.

user1700494
  • Agreed, I didn't mean the server "gives" port 20 in active mode, I meant it uses port 20. My question is: in passive mode, instead of giving a random ephemeral port, why not simply give port 20? – harishankarv Aug 01 '16 at 21:48
  • @harishankarv For security reasons the `FTP` daemon should run with restricted privileges. In order to bind to port `20`, the `FTP` daemon must raise privileges to `root`, bind to the port and restrict privileges again. This may cost performance. In contrast, binding to a port number larger than `1024` doesn't require additional privileges. I'm not sure this is the reason, it is just my suggestion. – user1700494 Aug 02 '16 at 10:38