Well, ok, let me explain a bit more:
FTP has two modes, active and passive. Active mode works like this:
the client connects to the server's port 21; this is the control connection. When a data transfer is started, the client starts listening on some random port; it sends the port number to the server, which then opens a connection to the specified port of the client; when the connection is established, data is sent.
Passive mode works like this:
the client connects to the server's port 21; this is the control connection. When a data transfer is started, the server starts listening on some random port; it sends the port number to the client, which then opens a connection to the specified port of the server (it now has two connections to the server: one to port 21, one to some random port); when the connection is established, data is sent.
When firewalls and NAT are involved, there are problems:
- when a client is behind a NAT router, active FTP doesn't work by default: the NAT router receives a connection request but doesn't know it's related to the existing FTP connection because the ports are different (unless it's a really smart NAT router; most aren't). The solution is port forwarding, but the difficulty lies in determining which port to forward: as mentioned above, the port that is used is somewhat random. If the FTP client can be restricted to a small range (say, a range of 5 ports that it picks one from), then all of this range can be forwarded, but with many clients this cannot be configured; and forwarding ranges of 20000 ports is impractical when there is more than a single host behind a NAT router.
- when a client is behind a firewall, active FTP will not work by default because the firewall will block the incoming connection to the random port; a firewall rule needs to be defined to allow it, but again, the randomness of the chosen port makes this difficult.
- when the server is behind a NAT router, passive FTP will not work by default; the reason is the same as for the client above, except this time it's the server that listens for an incoming connection on a random port. The situation is slightly better here, because with most FTP servers, the port range that they use for passive connections can be configured.
- when the server is behind a firewall, passive FTP will not work by default; the reason is the same as for the client above.
The easiest way to deal with NAT, firewalls and FTP is to use either active or passive FTP, depending on whether the server or the client is behind a NAT router/firewall, because then no special configuration is required. If both hosts are behind a NAT router/firewall, then at least one of the hosts needs to have its random ports restricted to a specific range, and the appropriate port forwarding and firewall rules need to be defined (on the client side for active FTP, on the server side for passive FTP), and of course the client needs to know whether active or passive FTP should be used...
As I said, it gets complicated. Other protocols are much easier to configure... forward/allow one single port on the server and everything works.
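To make the above concrete, here is an added example (not code from the poster) showing how the data-connection port is announced on the control connection in each mode, and how a firewall or NAT administrator can check those announcements against a configured range. In active mode the client sends `PORT h1,h2,h3,h4,p1,p2`; in passive mode the server replies `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)`, where the port is `p1*256 + p2`. The sample control-connection lines and the `recommend_mode` policy are constructed for this example; the policy simply encodes the rule of thumb from the post (client behind NAT: use passive; server behind NAT: use active; both: pin one side's data ports to a range and forward/allow that range).

```python
import re
from ipaddress import IPv4Address

# "PORT h1,h2,h3,h4,p1,p2" sent by the client in active mode
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." sent by the server in passive mode
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def decode_hostport(field):
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256+p2)."""
    parts = [int(p) for p in field.split(",")]
    if len(parts) != 6 or any(p > 255 for p in parts):
        raise ValueError(f"malformed host/port field: {field!r}")
    h1, h2, h3, h4, p1, p2 = parts
    return str(IPv4Address(f"{h1}.{h2}.{h3}.{h4}")), p1 * 256 + p2


def encode_hostport(ip, port):
    """Inverse of decode_hostport: build the comma-separated field."""
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    octets = str(IPv4Address(ip)).split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def parse_port_command(line):
    """Active mode: the client tells the server where to connect to."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return decode_hostport(m.group(1))


def parse_pasv_reply(line):
    """Passive mode: the server tells the client where to connect to."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 227 reply: {line!r}")
    return decode_hostport(m.group(1))


def data_port_allowed(port, port_range):
    """True if the announced data port lies inside the forwarded/allowed range."""
    lo, hi = port_range
    return lo <= port <= hi


def audit_control_log(lines, port_range):
    """Scan control-connection lines and report data ports outside the
    configured range; these are exactly the transfers a firewall or NAT
    rule restricted to port_range would silently break."""
    outside = []
    for line in lines:
        stripped = line.strip()
        if PORT_RE.match(stripped):
            mode, (ip, port) = "active", parse_port_command(stripped)
        elif PASV_RE.match(stripped):
            mode, (ip, port) = "passive", parse_pasv_reply(stripped)
        else:
            continue  # USER, PASS, LIST, etc. carry no data-port information
        if not data_port_allowed(port, port_range):
            outside.append((mode, ip, port))
    return outside


def recommend_mode(client_behind_nat, server_behind_nat):
    """Rule of thumb from the post: the side that must accept the data
    connection should be the one that is directly reachable."""
    if client_behind_nat and server_behind_nat:
        return "either; pin one side's data ports to a range and forward/allow it"
    if client_behind_nat:
        return "passive"
    if server_behind_nat:
        return "active"
    return "either"


# Constructed sample control-connection lines (addresses are documentation
# ranges, not real hosts); the server is assumed to be configured for
# passive ports 50000-50010.
SAMPLE_LOG = [
    "USER anonymous",
    "PORT 192,168,1,10,78,32",                        # active: client port 20000
    "227 Entering Passive Mode (203,0,113,5,195,81).",  # passive: server port 50001
    "227 Entering Passive Mode (203,0,113,5,200,0).",   # passive: server port 51200
]
PASSIVE_RANGE = (50000, 50010)

if __name__ == "__main__":
    for mode, ip, port in audit_control_log(SAMPLE_LOG, PASSIVE_RANGE):
        print(f"{mode}: data port {port} on {ip} is outside {PASSIVE_RANGE}")
    print(recommend_mode(client_behind_nat=True, server_behind_nat=False))
```

Running the block reports the two announcements that fall outside 50000-50010 (the client's active-mode port 20000, which the server-side range does not govern anyway, and the stray passive port 51200) and recommends passive mode for a client behind NAT talking to a directly reachable server.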