Standard mode FTP uses two channels for communications. When a client first starts an FTP connection, it opens a standard TCP channel from one of its high-order ports to port 21 on the server. This is referred to as the command channel. When the client requests data from the server, it tells the server to send the data to a given high-order port. The server acknowledges the request and initiates a connection from its own port 20 to the high-order port that the client requested. This is referred to as the data channel.

Because the server initiates the connection to the requested port on the client, it was difficult in the past to have firewalls allow this data channel to the client without permanently opening port 20 connections from outside servers to inside clients for outbound FTP connections. This created a potential vulnerability by exposing clients on the inside of the firewall.
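The two paragraphs above describe the exchange on the command channel and the problem it poses for a firewall. The following Python model, added here as an illustration and not taken from the PIX Firewall documentation or its implementation, shows the alternative to a permanently open port 20: the firewall reads each PORT command on the command channel, decodes the address and high-order port the client named, and opens a pinhole for exactly that server:20 to client:port connection. The check that the named address must match the client that issued the command, and that the port must be unprivileged, is an assumption about sensible firewall behaviour rather than a documented PIX rule. All hosts, ports and session lines are constructed.

```python
# Added example (not from the PIX documentation): a minimal model of how a
# stateful firewall watches the FTP command channel and opens a data-channel
# pinhole only for the port the client actually asked for, instead of leaving
# server port 20 permanently open toward inside clients.
# All hosts, ports and session lines below are constructed for illustration.
import re
from dataclasses import dataclass

FTP_COMMAND_PORT = 21
FTP_DATA_PORT = 20

# Active-mode PORT syntax from the FTP protocol: PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


@dataclass(frozen=True)
class Pinhole:
    """One permitted data-channel connection: server:20 -> client:high_port."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_port_command(line: str):
    """Decode a PORT command into (ip, port); return None if malformed."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2


def pinhole_for_port_command(client_ip: str, server_ip: str, line: str):
    """Derive the pinhole a firewall would open for this PORT command.

    Assumption (a hardening check, not a documented PIX rule): the requested
    address must be the client that sent the command, and the port must be a
    high-order (unprivileged) port.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return None
    ip, port = parsed
    if ip != client_ip or port < 1024:
        return None
    return Pinhole(server_ip, FTP_DATA_PORT, client_ip, port)


def is_permitted(pinholes, src_ip, src_port, dst_ip, dst_port) -> bool:
    """Would an inbound data-channel connection be allowed through?"""
    return Pinhole(src_ip, src_port, dst_ip, dst_port) in pinholes


def pinholes_from_session(client_ip, server_ip, command_lines):
    """Walk the client->server command channel and collect pinholes."""
    return {p for p in (pinhole_for_port_command(client_ip, server_ip, line)
                        for line in command_lines) if p is not None}


# Constructed command-channel session (client 10.1.1.25 -> server 203.0.113.8:21)
SESSION = [
    "USER anonymous",
    "PASS guest@example.com",
    "PORT 10,1,1,25,4,1",          # client listens on 4*256+1 = 1025
    "LIST",
    "PORT 10,1,1,25,19,137",       # client listens on 19*256+137 = 5001
    "RETR README",
    "PORT 10,1,1,99,4,2",          # names a different inside host: rejected
    "PORT 10,1,1,25,0,80",         # privileged port: rejected
]

if __name__ == "__main__":
    holes = pinholes_from_session("10.1.1.25", "203.0.113.8", SESSION)
    for h in sorted(holes, key=lambda p: p.dst_port):
        print(f"permit {h.src_ip}:{h.src_port} -> {h.dst_ip}:{h.dst_port}")
    # Data connections to ports the client never requested stay blocked.
    print(is_permitted(holes, "203.0.113.8", 20, "10.1.1.25", 1025))  # True
    print(is_permitted(holes, "203.0.113.8", 20, "10.1.1.25", 6000))  # False
```

Running the module prints the two pinholes derived from the session and shows that a connection from server port 20 to a port the client never requested (6000) is denied, while the two ports it did request (1025 and 5001) are allowed. The two malformed or suspicious PORT lines produce no pinhole at all.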

For FTP traffic, the PIX Firewall behaves in the following manner:

