Using 'Normal' or active mode FTP, a client begins a session by sending a request to communicate through TCP port 21, the port that is conventionally assigned for this use at the FTP server. This communication is known as the Control Channel connection.

Using "normal" FTP communication, the client requestor also includes in the same PORT command packet on the Control Channel a second port number that is to be used when data is to be exchanged; the port-to-port exchange for data is known as the Data Channel. The FTP server then initiates the exchange from its own port 20 to whatever port was designated by the client. However, because the server-initiated communication is no longer controlled by the client and can't be correlated by a firewall to the initial request, the potential exists for uninvited data to arrive from anywhere posing as a normal FTP transfer.

Using passive FTP, a PASV command is sent instead of a PORT command. Instead of specifying a port that the server can send to, the PASV command asks the server to specify a port it wishes to use for the Data Channel connection. The server replies on the Control Channel with the port number which the client then uses to initiate an exchange on the Data Channel. The server will thus always be responding to client-initiated requests on the Data Channel and the firewall can coorelate these.

Defined:

Active FTP :
     command : client >1023 -> server 21
     data    : client >1023 <- server 20

Passive FTP :
     command : client >1023 -> server 21
     data    : client >1023 -> server >1023