I'm struggling to come to grasp with why all FTP servers requires the use of a port range for passive mode data channels as opposed to only using one data port for all incoming data channel connections.
FTP servers handle many simultaneously connected clients on port 21. Web servers handle many simultaneously connected clients on port 80. Etc..
Then why can't an FTP server use only one data channel port for all incoming passive data connections (and still be able to handle many simultaneously connected clients on that port, say port 1024)?
Or can it?
I am interested in knowing the technical details for why this is not possible or not recommended.
This will be a wild guess, as I haven't tested it, you should try it for yourself and see if there are some other problems I might have missed.
I suppose you could limit the passive port range to one single port. In fact you can see in this question that small port ranges are used in practice. Theoretically, to support multiple concurrent connections you only need the 4 values: local IP, local port, remote IP, remote port to be unique. This is how you discern between different connections.
If you lock down the port on your server to one single value, then the only variable left is the port used by the client. This is not a problem, as long as the client has a large enough pool of free ephemeral ports to choose from. Unless it's doing some heavy NAT, you don't have to worry about this. Now, be warned this will be purely theoretical stuff: if you used multiple ports on your server, you could multiply the number of hypothetical concurrent connections by enabling
number of ports in rangeconnections per one port client-side. But it won't happen in practice, as I doubt there's any implementation of an FTP client that would support this (because it doesn't make much sense). Plus if the client has to share his ephemeral ports in this way and can't just open a new one, then he has much more severe problems to deal with. So, from this perspective you should be totally safe using a single port.Let's think why a single port may not be sufficient.
First of all, I could come up with a situation where a really buggy FTP server implementation uses solely the local port number as a way to identify the client data transfer. Once again, I don't think any decent FTPd would do that.
The real problem (yes, you can disregard all above as a major digression ;-)) is that passive port range is in a non-privileged range.
This means that your selected port number is not reserved per se, and in fact any user process (doesn't need root privileges) can grab it before your FTP server does. If you have an abundant pool of ports to select from, you just grab a random free one. If you're bound to use the only one and it's already used, you won't be able to handle the transfers properly.
Sorry, if the answer seems a bit too speculative. To be honest, I tried hard to find a reason why you shouldn't use a single port and, apart from the last bit, I couldn't think of any hard evidence against it. Nevertheless, an interesting and challenging question you pose.
FTP relies on two separate connections, one for the control or command stream, and one for passing the data files and other information such as directory listings. The control stream is carried over a traditional TCP connection. The client binds to a high unprivileged port and sends a connection request to the FTP server, which is bound to port 21. This connection is used to pass commands.
In Port or active mode, the client tells th server which secondary, unprivileged port it will listen on. The server then initiates the data connection from port 20 to the unprivileged port the client specified.
Passive mode, a newer mechanism, is the default when the client is a web browser. Instead of being tied to port 20, the server tells the client which high port to use for data transfer. The data is then transmitted over unprivileged ports between both client and server.
For more details, please see:
https://www.rfc-editor.org/rfc/rfc959
EDIT
As to locking the server to a particular single port, it may be possible in some servers. For example in vsftpd, you have the following configuration options.
If you set both ports to the same, e.g. pasv_max_port=12345, pasv_min_port=12345, you may be able to get what you are after. I suspect this will limit the number of concurrent FTP sessions you're server will support. Please test to be sure.
An FTP server might be able to match the client's Data Port connection to their Control Port connection based on the source IP alone, rather than based on the port number used.
This would break FXP (which may not be a bad thing) where the client connects to two servers (one in passive mode), then after receiving the passive server's PORT information, passes that to the active mode server as a PORT command so that active mode server connects to the passive mode server.
I suspect that many servers don't create the data socket until the client requests passive mode. In that case, if two clients requested passive mode at the same time, the sockets created would need unique port numbers.
EDIT: thought of another reason why FTP servers don't do this: the server could not tell multiple users with the same IP address apart.
On ports 21 or 80 (as on all well known ports), there's a set protocol, that the client uses to tell what does it want. This way the server knows what are you connecting for. On the data connection port, there's no protocol. All that the server knows – the only thing that's unique about that connection – is the port number you connect to.
If you were to connect to the same port every time, the server would not be able to tell what file are you connecting for. The port number serves as a link between a transfer request on the control connection and a data connection.
If two clients were to request a transfer at the same time, when the server accepts a connection on a single port, the server would not be able to tell what file to transfer. Of course, the server could use a client IP for the decision (actually many FTP servers do validate that the client IP matches the IP used on the control connection, for security).
But this would not work for:
One interesting solution is what the FTP server built into Bitvise "SSH" server does. It actually supports a single data port only. But it requires TLS/SSL encryption and TLS/SSL session reuse for the data connection. And it uses the TLS/SSL session to link the control and data connections.
See also FTP data connections reuse.
I didn't see this mentioned here, so I will throw it in. The port range assignment was meant to be a kind of security feature, where you could not monitor one port for data traffic, the data was sent on a random port in the range, which could not easily be determined. Security through obscurity.
Sounds like you already know about control ports and data ports so I'll cut right to the chase. Control ports are burst communication by nature, just like port 80 for websites. they can handle many different requests (not simultaneously, but darn close since they're so quick to complete). data ports on the other hand are where the magic happens with FTP. If you limit yourself to a single data port, only one data transfer happens at a time. consider a large file transfer. With a single data port open, no other data can move until the transfer's complete. This means that while transferring, a second user won't even be able to list the directory contents of the ftp folder. Sure they'll be able to log in successfully, but their behavior will be the same as if the data ports were not open at all. If you're ok with this, a single port will work great for you. Keep in mind that some ftp clients (I can think of 1 right off the bat) by default set up multiple connections within a single session for downloading. So for this client, in a single port scenario, consider a batch transfer of 1 large file and 4 small files.
The client initiates the transfer for the first large file, all hunky dory. Then, while that transfer's going, it starts a second file. No dice. Then the third, also zilch (technical term). In the end, the log should show 1 successful and 4 failed transfers. The work around would be to limit the client to a single connection per session and you'd be good to go (assuming someone else didn't get their foot in the door the very microsecond one transfer completes and another hasn't started yet.)