I have always wondered what the easiest way is to understand how active and passive mode FTP connections work.
So, after consulting a lot of sites, I came up with this short explanation of how they work, so that you can get to know the basic differences. If you are trying to learn in depth how this works at the packet level, I am sorry, this is not the right place for you.
Active mode FTP (please refer to the diagram for easy understanding)
A user connects from a random port (33372) on a file transfer client to port 21 on the server. It sends the PORT command, specifying which client-side port (33395) the server should connect to. This port will be used later for the data channel and is different from the port used in this step for the command channel.
The server connects from port 20 to the client port designated for the data channel. Once the connection is established, file transfers are made through these client and server ports.
Passive mode FTP (please refer to the diagram for easy understanding)
In passive mode, the client still initiates a command channel from port 33372 to the server's port 21. However, instead of sending the PORT command, it sends the PASV command, which is basically a request for a server port to connect to for data transmission. When the FTP server replies, it indicates which port number (54321) it has opened for the ensuing data transfer. The steps are summarized below.
The client connects from another random port (33395) to the random port specified in the server's response. Once the connection is established, data transfers are made through these client and server ports.
Points to be noted: In an active mode connection, the server will attempt to connect to a random client-side port. If the client sits behind a firewall that only allows inbound connections to a predefined set of ports, chances are that port will not be one of them. As a result, the server's connection attempt will be blocked by the firewall and no data connection will be established.
Of course, the server side could have a firewall as well. However, since the server is expected to receive far more connection requests than a client, it is logical for the server admin to adapt to the situation and open up a selected range of ports to satisfy passive mode connections.
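To make both exchanges above concrete, here is an added Python example (my own illustration, not code from the original post). It encodes and parses the `h1,h2,h3,h4,p1,p2` tuple that PORT commands and 227 PASV replies carry (port = p1*256 + p2), walks through the control-channel messages of each mode using the post's port numbers (33372, 33395, 54321, 20, 21), and then models the firewall point: a simple inbound filter that only permits a fixed set of destination ports, applied to the resulting data channel. The IP addresses 192.0.2.10 and 198.51.100.5 are constructed sample values.

```python
import re
from ipaddress import IPv4Address

# Constructed sample addresses (not from the original post); the port numbers
# 33372, 33395, 54321 and 20/21 are the ones the post uses.
CLIENT_IP = "192.0.2.10"
SERVER_IP = "198.51.100.5"
CTRL_CLIENT_PORT = 33372
DATA_CLIENT_PORT = 33395
DATA_SERVER_PORT = 54321

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def encode_hostport(ip, port):
    """Encode IPv4 + port as h1,h2,h3,h4,p1,p2 (port = p1*256 + p2), as PORT and PASV do."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    octets = str(IPv4Address(ip)).split(".")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def decode_hostport(text):
    """Parse h1,h2,h3,h4,p1,p2 out of a PORT command or a 227 reply; reject malformed values."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no host/port tuple found")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field exceeds 255")
    h1, h2, h3, h4, p1, p2 = fields
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not usable")
    return f"{h1}.{h2}.{h3}.{h4}", port


def build_port_command(client_ip, data_port):
    """Active mode: the client tells the server which client port to connect to."""
    return f"PORT {encode_hostport(client_ip, data_port)}\r\n"


def parse_pasv_reply(reply):
    """Passive mode: the client reads the server port to connect to from the 227 reply."""
    if not reply.startswith("227"):
        raise ValueError(f"unexpected reply: {reply!r}")
    return decode_hostport(reply)


def data_channel(mode, client_ip, client_data_port, server_ip, server_data_port):
    """Who opens the data connection, from where, and to where, in each mode."""
    if mode == "active":
        return {"initiator": "server", "src": (server_ip, 20), "dst": (client_ip, client_data_port)}
    if mode == "passive":
        return {"initiator": "client", "src": (client_ip, client_data_port),
                "dst": (server_ip, server_data_port)}
    raise ValueError(mode)


def firewall_permits(channel, inbound_allowed_ports, protected_ip):
    """Model a simple inbound filter in front of protected_ip that only allows listed destination ports."""
    dst_ip, dst_port = channel["dst"]
    if dst_ip != protected_ip:
        return True  # the connection leaves the protected host; nothing inbound to filter
    return dst_port in inbound_allowed_ports


def simulate(mode):
    """Run the control-channel exchange for one mode; return the transcript and the resulting data channel."""
    transcript = [f"client:{CTRL_CLIENT_PORT} -> server:21  (control channel)"]
    if mode == "active":
        cmd = build_port_command(CLIENT_IP, DATA_CLIENT_PORT)
        transcript.append("C: " + cmd.strip())
        _, port = decode_hostport(cmd)  # what the server learns from the PORT command
        transcript.append("S: 200 PORT command successful")
        chan = data_channel("active", CLIENT_IP, port, SERVER_IP, None)
    else:
        transcript.append("C: PASV")
        reply = f"227 Entering Passive Mode ({encode_hostport(SERVER_IP, DATA_SERVER_PORT)})."
        transcript.append("S: " + reply)
        _, port = parse_pasv_reply(reply)
        chan = data_channel("passive", CLIENT_IP, DATA_CLIENT_PORT, SERVER_IP, port)
    transcript.append(f"data: {chan['initiator']} connects {chan['src']} -> {chan['dst']}")
    return transcript, chan


if __name__ == "__main__":
    for mode in ("active", "passive"):
        lines, chan = simulate(mode)
        print("\n".join(lines))
        # Client firewall allowing only a couple of inbound ports blocks active mode, not passive.
        print("client firewall permits:", firewall_permits(chan, {22, 443}, CLIENT_IP))
        # Server admin has opened a port range for passive data connections.
        print("server firewall permits:", firewall_permits(chan, {21} | set(range(54000, 55000)), SERVER_IP))
        print()
```

Running the script prints the two exchanges and shows that the client-side filter rejects the active mode data connection (inbound to 33395) but passes the passive one, while the server-side filter only passes passive mode if the admin's opened range actually contains the port the server advertised. When extending `parse_pasv_reply` for real use, compare the advertised address against the peer of the control connection before connecting to it; clients such as curl do this by default, since a server behind NAT commonly advertises an address that does not match.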
Let me know if I should correct anything here.