FTP by definition uses the TCP transport protocol exclusively and doesn’t use UDP for its transport purposes. Usually, an application layer protocol will use one or the other. One important exception to that rule is DNS, the Domain Name System. FTP is also unusual in that it uses two ports to complete its task. It usually utilizes port 20 for transferring data and port 21 for listening for commands. It’s also true that transferring data over FTP port 20 is not mandatory; it can be done through another port as well. This is where it gets confusing for many users. FTP has two modes of operation – active and passive. Both are started by the FTP client and then acted upon by the FTP server.
In active mode, the FTP client connects from a random unprivileged port (N, which is usually 20) to the FTP server’s command port, which is port 21. Then the client starts listening on port N+1 and sends a command to the FTP server. After that, the server connects back to the client’s specified data port from its local data port. From the server-side firewall’s point of view, to support FTP in active mode these ports have to be opened: FTP server’s port 21 from anywhere (client initiates the control connection); FTP server’s port 21 to ports > 1023 (server responds to the client’s control port); FTP server’s port 20 to ports > 1023 (server initiates the data connection to the client’s data port); FTP server’s port 20 from ports > 1023 (client sends ACKs to the server’s data port).
In passive mode, the FTP client initiates both connections to the FTP server. We need to keep in mind that both of these connections use ephemeral ports on the client side, and that’s fine. By opening two connections, or sockets, with the FTP server, the client avoids the problem of its own firewall denying an FTP server that tries to initiate contact on one of the client’s high ephemeral ports. The first connection opened by the client contacts the server on FTP port 21 and issues the PASV (passive) command, instead of the PORT command used in active FTP. The FTP server then opens an ephemeral port and issues the PORT command to the FTP client. With this in hand, the client starts a second connection to that server port for the data transfer.
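The following is an added example, not code from the original article: it models the two exchanges described above (active mode with its four server-side firewall rules, and passive mode) so the difference can be checked programmatically. The h1,h2,h3,h4,p1,p2 address encoding (port = p1*256 + p2) is the one RFC 959 uses for the PORT command and for the server’s 227 reply to PASV; everything else is a constructed simplification: the `Flow` model considers only direction and ports, the IP addresses are documentation addresses, and the function and parameter names are this example’s own.

```python
"""Model of FTP active/passive exchanges against the server-side firewall
rules listed in the text. Added example; not the article's own code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """A TCP flow seen by the FTP server's firewall (constructed model).
    direction: "in" = toward the FTP server, "out" = from the FTP server."""
    direction: str
    server_port: int
    remote_port: int


def encode_port_arg(ip: str, port: int) -> str:
    """Encode ip/port as the h1,h2,h3,h4,p1,p2 tuple (RFC 959 PORT / 227 reply)."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return f"{ip.replace('.', ',')},{port // 256},{port % 256}"


_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_port_arg(text: str) -> tuple[str, int]:
    """Parse the h1,h2,h3,h4,p1,p2 tuple out of a PORT command or a 227 reply."""
    match = _TUPLE.search(text)
    if match is None:
        raise ValueError("no address tuple in: " + text)
    nums = [int(x) for x in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in: " + text)
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]


def active_mode_server_firewall_allows(flow: Flow) -> bool:
    """The four server-side rules the text lists for active mode, and nothing else."""
    high = flow.remote_port > 1023
    if flow.direction == "in" and flow.server_port == 21:
        return True   # client initiates the control connection, from anywhere
    if flow.direction == "out" and flow.server_port == 21 and high:
        return True   # server responds to the client's control port
    if flow.direction == "out" and flow.server_port == 20 and high:
        return True   # server initiates the data connection to the client's data port
    if flow.direction == "in" and flow.server_port == 20 and high:
        return True   # client sends ACKs to the server's data port
    return False


def active_mode_exchange(client_ip: str, client_ctrl_port: int):
    """Client connects from N to 21, sends PORT for N+1, server dials back from 20.
    Returns the PORT command and each resulting flow with its firewall verdict."""
    data_port = client_ctrl_port + 1
    port_cmd = "PORT " + encode_port_arg(client_ip, data_port)
    _, advertised = decode_port_arg(port_cmd)          # what the server would parse
    flows = [
        Flow("in", 21, client_ctrl_port),
        Flow("out", 21, client_ctrl_port),
        Flow("out", 20, advertised),
        Flow("in", 20, advertised),
    ]
    return port_cmd, [(f, active_mode_server_firewall_allows(f)) for f in flows]


def passive_mode_exchange(client_ctrl_port: int, pasv_reply: str):
    """Client connects from N to 21, sends PASV, parses the server's reply and
    opens a second connection from N+1 to the server's ephemeral port.
    Returns that server port and each flow with its verdict under the
    active-mode rule set, which shows the data flow is not covered by it."""
    _, server_data_port = decode_port_arg(pasv_reply)
    flows = [
        Flow("in", 21, client_ctrl_port),
        Flow("in", server_data_port, client_ctrl_port + 1),
    ]
    return server_data_port, [(f, active_mode_server_firewall_allows(f)) for f in flows]


if __name__ == "__main__":
    # Constructed sample values (documentation addresses, not real hosts).
    cmd, verdicts = active_mode_exchange("192.0.2.10", 1024)
    print(cmd)
    for flow, ok in verdicts:
        print(" active", flow, "allowed" if ok else "BLOCKED")
    reply = "227 Entering Passive Mode (198,51,100,7,195,80)."
    port, verdicts = passive_mode_exchange(1024, reply)
    print("server passive data port:", port)
    for flow, ok in verdicts:
        print(" passive", flow, "allowed" if ok else "BLOCKED")
```

Running the script shows all four active-mode flows passing the listed rules, while the passive-mode data connection (client to the server’s ephemeral port) is blocked by that same rule set: a server that offers passive mode needs its own inbound rule for whatever passive port range it advertises, and the parser above is where a firewall or proxy would learn which port that is.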