FTP and Firewalls

All Internet protocols revolve around ports, most of which are dedicated. A few of these are:

SSH = Port 22
SMTP = Port 25
HTTP = Port 80
HTTPS = Port 443

In many cases, the Request and Response ports are the same. For example, SSH traffic works this way:
Host <--Port 22--> Firewall <--Port 22--> Target

The firewall allows outgoing traffic from the Host by punching a 'hole' in the firewall that records where the Request originated from. Since the Target computer's Response comes back on the same port, the firewall permits it through.

FTP traffic is unique. It does not have a dedicated port and when it sends out a Request, the Response does not necessarily come back on the same port. Hence, the firewall could block the traffic. Here is how that looks:

Host --Port 6807--> Firewall --Port 6807--> Target

There is an option in FTP that can solve this: PASV, or Passive mode. Setting this option (available in most FTP clients) forces the FTP Response to come back on the same port as the Request was sent out on.

Host <--Port 6807--> Firewall <--Port 6807--> Target

The actual process is more complicated since you can have hundreds of computers sending hundreds of requests through the same firewall.
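The following Python script is an added example and is not part of the original article. It models the firewall behaviour described above: a stateful firewall that admits only connections originating from the Host, and the two FTP data-connection styles run against it. In active mode the client sends a PORT command and the server tries to open the data connection inbound, which the firewall refuses; in passive mode the client sends PASV, the server answers with a 227 reply naming an address and port (RFC 959 encodes the port as p1*256+p2), and the client opens the data connection itself, so it travels through a hole the Host created. The addresses, port numbers and reply text are constructed for illustration, and the firewall class is a deliberately simplified model rather than any real product.

```python
"""Why passive FTP survives an outbound-only firewall (added example).

All hosts, ports and the 227 reply below are constructed sample values.
"""
import re
from dataclasses import dataclass, field

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Return the (host, port) the client must connect to for the data channel."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {reply!r}")
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port_command(host: str, port: int) -> str:
    """Build the active-mode PORT command: the client announces where the
    server should connect back to, using the same h1..h4,p1,p2 encoding."""
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    return f"PORT {host.replace('.', ',')},{port // 256},{port % 256}"


@dataclass
class StatefulFirewall:
    """Simplified model of the article's firewall (hypothetical, not a real
    product): a new connection is allowed only when it originates from the
    protected host, which opens a 'hole'; replies matching that hole pass."""
    inside: str
    holes: set = field(default_factory=set)

    def new_connection(self, src_host, src_port, dst_host, dst_port) -> bool:
        if src_host == self.inside:
            self.holes.add((src_host, src_port, dst_host, dst_port))
            return True
        return False  # unsolicited inbound connection attempt is dropped

    def reply(self, src_host, src_port, dst_host, dst_port) -> bool:
        # A reply passes only if it reverses an existing hole.
        return (dst_host, dst_port, src_host, src_port) in self.holes


CLIENT, SERVER = "192.168.1.10", "203.0.113.5"   # constructed addresses
CONTROL_PORT = 21   # FTP control connection is always opened client -> server


def active_mode_transfer(fw: StatefulFirewall, client_data_port: int) -> bool:
    """Active mode: client sends PORT, then the server opens the data
    connection toward the client. Returns True only if data can flow."""
    if not fw.new_connection(CLIENT, 40000, SERVER, CONTROL_PORT):
        return False
    _cmd = format_port_command(CLIENT, client_data_port)  # sent on control channel
    # Server connects from its data port (20) to the announced client port.
    return fw.new_connection(SERVER, 20, CLIENT, client_data_port)


def passive_mode_transfer(fw: StatefulFirewall, pasv_reply: str) -> bool:
    """Passive mode: client sends PASV, server answers 227, and the client
    opens the data connection. Returns True only if data can flow."""
    if not fw.new_connection(CLIENT, 40001, SERVER, CONTROL_PORT):
        return False
    host, port = parse_pasv_reply(pasv_reply)  # received on control channel
    if not fw.new_connection(CLIENT, 40002, host, port):
        return False
    # The server's data comes back through the hole the client just opened.
    return fw.reply(host, port, CLIENT, 40002)


if __name__ == "__main__":
    fw = StatefulFirewall(inside=CLIENT)
    print("active mode data flows :", active_mode_transfer(fw, 6807))
    print("passive mode data flows:", passive_mode_transfer(
        fw, "227 Entering Passive Mode (203,0,113,5,195,80)"))
```

Running the script prints False for active mode and True for passive mode. The same logic is why a real stateful firewall in front of the client needs no special FTP handling for passive transfers, while active transfers require either an FTP-aware firewall or explicit inbound rules.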

NOTE: This does not always work. Some firewalls are more sensitive than others, so some work may be involved. Also, SFTP (Secure Shell FTP) traffic passes over the same port as SSH, so this problem is avoided.