This blog post describes the situation that exists when an FTP server is located behind a Deep Inspection Firewall. (My FTP server, for example, is on a server located behind a Juniper Networks Netscreen Firewall.)
The Deep Inspection Firewall plays an important role in Passive FTP data connections. When a file is to be transferred (uploaded or downloaded) in passive mode, a PASV command is first sent to the FTP server. The FTP server sends a response providing the IP address and port number where the client should initiate a TCP/IP socket connection to establish the data channel. The firewall inspects the FTP traffic and notices the PASV reply. It knows that an inbound connection will be arriving momentarily from the FTP client for the given port. Normally the firewall would block this inbound connection, but because it knows that it is a "valid" part of an established FTP session, the traffic is allowed to pass through the firewall.
Here’s the big problem: Let’s say you’re trying to do passive FTP over SSL. Because the traffic on the FTP control channel (port 21) is encrypted, the firewall is unable to inspect it. It no longer knows to allow the data connection. It won’t be possible to upload or download files, or get directory listings.
There are two solutions:
1) Send a CCC command to the FTP server. CCC is the "Clear Control Channel" command. Some FTP servers support it, whereas others don’t. After sending CCC, the transmissions over the control channel are unencrypted, but data transfers (directory listings and file transfers) remain encrypted. The deep-inspection firewall is now able to inspect the PASV reply and allow the data connection to become established.
2) Open a specific range of ports on the firewall and force the FTP server to choose ports within this range. FileZilla is an FTP server which provides this option (although it doesn’t yet support the CCC command).
