Data port assignment
Your selection is applicable only when clients log in using IPv4 addresses.
When an FTP client logs in to a server, a connect request flows from the client to
the server to establish a control connection. When a client wants to transfer data, for example with a get,
a different connection, referred to as a data connection, must be established to handle the transfer. Unlike the
control connection, there are multiple ways a data connection can be established. The server can initiate the connect
request or the client can initiate the connect request, depending on the level of FTP RFC support.
- RFC 959, which describes the base functions of FTP, defines the protocol such that the client decides
the data connection port and the server opens the data connection.
- RFC 1579 describes the protocol such that the server decides the data connection port and the
client opens the data connection. The intent of RFC 1579 is to
create a more firewall friendly environment, where the client opens both the control connection and all
data connections. This scheme works well where a firewall prevents incoming connections to random ports but allows
outgoing connections. Clients that behave this way are referred to as firewall friendly clients.
- RFC 2428 describes the protocol such that the server decides the data connection port and the
client opens the data connection. This is also a firewall friendly
client.
There are differences between the RFC 1579 and the RFC 2428 protocols.
- With the RFC 1579 protocol, when the client needs a data connection it
sends the server a passive (PASV) command. The server
returns a PASV reply indicating the IP address and port number the client should use to open the data connection.
- With the RFC 2428 protocol, when the client needs a data connection it
sends the server an extended passive (EPSV) command. The server
returns an EPSV reply indicating only the port number the client should use to open the data connection. Unlike
the PASV reply, it does not indicate the IP address of the server; the IP address is assumed to be
the same address as the one used for the control connection.
The EPSV command may be useful if you are encrypting data on the control connection, for example with
Transport Layer Security (TLS). If your data passes through a firewall using
Network Address Translation (NAT), the firewall is not able to interpret the IP address in the PASV reply, which
may cause problems. With the EPSV command and reply no IP address is sent; the client and server already
know the address from the control connection.
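To make the difference between the two replies concrete, here is an added example (not part of this documentation) that parses a PASV reply and an EPSV reply into the data endpoint a client would connect to, and flags the NAT symptom described above: a PASV reply whose advertised address is not the address the control connection is actually using. The reply texts and the 203.0.113.10 / 10.0.0.5 addresses are constructed sample values.

```python
import re
from typing import NamedTuple

class DataEndpoint(NamedTuple):
    host: str
    port: int
    source: str  # "PASV" (RFC 1579) or "EPSV" (RFC 2428)

# RFC 1579: "227 ... (h1,h2,h3,h4,p1,p2)" carries the server IP and the port.
# RFC 2428: "229 ... (|||port|)" carries only the port.
# Wording before the parentheses varies by server, so only the payload is matched.
_PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
_EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")

def parse_pasv(reply: str) -> DataEndpoint:
    """PASV reply: the server names both its IP address and the data port."""
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a valid 227 PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("PASV reply field out of range")
    return DataEndpoint(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2, "PASV")

def parse_epsv(reply: str, control_host: str) -> DataEndpoint:
    """EPSV reply: only the port is sent; the host is the control connection's peer."""
    m = _EPSV_RE.search(reply)
    if not m:
        raise ValueError(f"not a valid 229 EPSV reply: {reply!r}")
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError("EPSV port out of range")
    return DataEndpoint(control_host, port, "EPSV")

def nat_mismatch(ep: DataEndpoint, control_host: str) -> bool:
    """True when a PASV reply advertises an address other than the one the
    control connection talks to, the symptom a NAT firewall produces when it
    cannot interpret (e.g. TLS-protected) PASV replies."""
    return ep.source == "PASV" and ep.host != control_host

if __name__ == "__main__":
    # Constructed sample: control connection to 203.0.113.10, server's own
    # (private, pre-NAT) address is 10.0.0.5, data port 195*256+80 = 50000.
    control = "203.0.113.10"
    pasv = parse_pasv("227 Entering Passive Mode (10,0,0,5,195,80).")
    epsv = parse_epsv("229 Entering Extended Passive Mode (|||50000|)", control)
    print(pasv, "mismatch:", nat_mismatch(pasv, control))  # mismatch: True
    print(epsv, "mismatch:", nat_mismatch(epsv, control))  # mismatch: False
```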
- Select "Use default method"
to establish data connections using the RFC 959 protocols, where the server opens the data connection.
- Select "Use firewall friendly method"
to establish data connections using the RFC 1579 firewall friendly protocols (i.e. the client
opens the data connection using a PASV command).
- Select "Use NAT firewall friendly method"
to establish data connections using the RFC 2428 NAT firewall friendly protocols (i.e. the client
opens the data connection using an EPSV command).