Quote:
Originally Posted by ehartman
But yes, "passive" FTP only uses a single port/service: 21 (the "active" variant uses 20 too, for the returned data).
Both active and passive FTP use an additional connection (with dynamic ports) for data transfer; the difference is the direction: in active mode, the client (!) opens a listening port and the server initiates the data connection to this port (this is often a problem behind firewalls and/or NAT), in passive mode it's the other way around (so it's like the initial control connection on port 21).
iptables has helper modules for ftp (nf_conntrack_ftp/nf_nat_ftp) which read the port numbers from the control connection (and thereby only work for unencrypted ftp, not ftps), so you only need to allow tcp port 21 (for the initial data connection) and RELATED connections (though it's still a good idea to restrict those allowed "related" port numbers to 1024-65535).
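To make the helper's job concrete, here is a small Python example (added for illustration, not code from this thread or from the netfilter project) that does what nf_conntrack_ftp does on the control channel: it parses the client's `PORT` command and the server's `227 Entering Passive Mode` reply, works out which side will listen for the data connection, and applies the 1024-65535 restriction suggested above. The control-channel lines are constructed samples, and the peer-address check is an extra sanity check, not something the post describes.

```python
import re

# Constructed sample control-channel lines (not captured from a real session).
SAMPLE_LINES = [
    "PORT 192,168,1,10,7,208",                           # client announces its listening socket (active mode)
    "227 Entering Passive Mode (203,0,113,5,195,80).",   # server announces its listening socket (passive mode)
    "PORT 192,168,1,10,0,21",                            # client announces a privileged port (< 1024)
    "200 PORT command successful.",                      # plain reply, carries no endpoint
]

# h1,h2,h3,h4,p1,p2 as used by both PORT and the 227 reply (RFC 959 HOST-PORT syntax).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

RELATED_LOW, RELATED_HIGH = 1024, 65535   # the "related" port range the post recommends


def parse_data_endpoint(line):
    """Return (mode, ip, port) for a PORT command or a 227 reply, else None.

    mode is "active" (client listens, server connects) or "passive"
    (server listens, client connects).  Malformed octets/ports give None.
    """
    if line.startswith("PORT "):
        mode = "active"
    elif line.startswith("227"):
        mode = "passive"
    else:
        return None
    m = _HOSTPORT.search(line)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    port = p1 * 256 + p2
    return mode, f"{h1}.{h2}.{h3}.{h4}", port


def related_allowed(port, low=RELATED_LOW, high=RELATED_HIGH):
    """The check a restricted RELATED rule would apply to the announced port."""
    return low <= port <= high


def announced_matches_peer(ip, peer_ip):
    """Extra sanity check (an assumption, not from the post): the address a side
    announces for the data connection should be that side's own control-channel
    address; a mismatch means the helper would open a hole towards a third host."""
    return ip == peer_ip


def audit(lines, client_ip, server_ip):
    """Walk control-channel lines and report each announced data endpoint."""
    results = []
    for line in lines:
        parsed = parse_data_endpoint(line)
        if parsed is None:
            continue
        mode, ip, port = parsed
        listener = client_ip if mode == "active" else server_ip
        results.append({
            "mode": mode,
            "listener_ip": ip,
            "port": port,
            "port_in_related_range": related_allowed(port),
            "address_matches_peer": announced_matches_peer(ip, listener),
        })
    return results


if __name__ == "__main__":
    for entry in audit(SAMPLE_LINES, client_ip="192.168.1.10", server_ip="203.0.113.5"):
        print(entry)
```

Run as-is it audits the constructed sample; in practice you would feed it lines from a packet capture of port 21 (which, as the post notes, only works when the control channel is not TLS-encrypted).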