scenario:
1 server ftp which works with passive mode (range of enabled and reserved ports from 5000 to 6000)
1 client ftp which tries to connect to server ftp above with passive mode.
should client open ports from 5000 to 6000 on its firewall?
I tried to understand this part and I've saw a lot of different articles about passive vs active mode but I'm not understanding this behaviour.
With passive FTP both the control connection (by default on port 21) and the data connection (to the PASV port indicated by the FTP server) are both initiated by the FTP client. Typically firewalls that allow their users to set up a FTP connection to a remote server will also allow the client to establish that associated data connection.
Many larger sites don't allow their users to directly connect to the internet at all and require the use of proxy server for all traffic. The passive port range may or may not be a problem for those users...
More uncommon is a set up where users are allowed to connect to the internet directly, but only to a limited number of ports, e.g. 80 and 443 for web traffic and other ports are blocked by default.
In that scenario any slightly advanced firewall can be configured to allow the protocol FTP and will load a specific helper module. The firewall opens port 21 for FTP control connections and will inspect the control traffic for the PASV port that is assigned to a FTP client. Dynamically that passive port will opened in the firewall allowing the data connection to be established (but only between that client and that specific port on that specific FTP server) and that permission will be revoked when the control connection is terminated.
