On Wed, 12 Jan 2005, Charles R. Anderson wrote:

> Passive FTP listens on random local ephemeral ports for data
> connections set up by the 21/tcp control stream. If you are not using
> a stateful firewall with an FTP helper, then you need to allow incoming
> TCP connections to whatever range your FTP server uses for passive FTP
> (defaults to the entire local port range). This is why I have always
> set up my FTP server similar to this (older box using ipchains):
>

Passive FTP does NOT use the local ephemeral ports; that is traditional FTP behavior. Passive FTP uses the existing TCP connection for both the control and data channels, and is easier to firewall. Of course, the ftp server needs to know how to use passive FTP instead of traditional FTP.
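The PASV reply and port-range check discussed in the quoted text, as an added example that is not code from this thread: it parses the server's "227 Entering Passive Mode" reply, derives the data port, and verifies that it falls inside the range the firewall has been told to open (the server address, the reply text and the 49152-50200 range are constructed values for illustration).

```python
import re
from ipaddress import IPv4Address

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# The data port is p1*256 + p2; the client connects to it after the reply.
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (ip, port) advertised in a PASV reply; raise ValueError if malformed."""
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in PASV reply")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    # IPv4Address validates the dotted quad as a whole.
    return str(IPv4Address(f"{h1}.{h2}.{h3}.{h4}")), port


def data_port_allowed(reply: str, control_ip: str, allowed: tuple[int, int]) -> bool:
    """True only if the advertised endpoint is the control server itself and the
    port lies inside the passive range the firewall permits (lo, hi inclusive).
    A reply pointing at another host or outside the range is not followed."""
    ip, port = parse_pasv(reply)
    lo, hi = allowed
    return ip == control_ip and lo <= port <= hi


def passive_range_rule(lo: int, hi: int) -> str:
    """iptables (successor to the ipchains mentioned above) rule admitting new
    TCP connections to the server's configured passive range; assumed syntax."""
    return f"iptables -A INPUT -p tcp --dport {lo}:{hi} -m state --state NEW -j ACCEPT"


if __name__ == "__main__":
    # Constructed server reply and firewall range used for the demonstration.
    reply = "227 Entering Passive Mode (192,168,1,10,195,80)\r\n"
    print(parse_pasv(reply))
    print(data_port_allowed(reply, "192.168.1.10", (49152, 50200)))
    print(passive_range_rule(49152, 50200))
```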